TahaAhmad-2788 asked, edited by sikumars

Creating a New Azure AD Assignable Group Through PowerShell Error

The docs mention this method of creating AAD role assignable groups here https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-create-eligible and https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0
This was tested on Azure CloudShell utilizing PSVersion 7.2.1.
Global admin was also used.

I've created a PowerShell script in order to deploy groups consistently utilizing the Microsoft Documentation. I am able to create new groups that are not assignable to Azure AD roles through the "New-AzureADMSGroup":

$analystGroup = New-AzureADMSGroup -DisplayName $analystGroupName -Description $analystGroupDescription -MailEnabled $false -MailNickname $analystGroupMailNickname -SecurityEnabled $true

returns a successfully created group; however, if I attempt to add the "IsAssignableToRole" parameter to enable AAD role assignment:

$analystGroup = New-AzureADMSGroup -DisplayName $analystGroupName -Description $analystGroupDescription -MailEnabled $false -MailNickname $analystGroupMailNickname -SecurityEnabled $true -IsAssignableToRole $false

I am met with the error:
"A parameter cannot be found that matches parameter name 'IsAssignableToRole'".

To me this indicates that the cmdlet has been updated so it is not possible to create AAD role assignable groups through PowerShell anymore. Thus, I attempted to use older versions of the AzureAD module and the AzureADPreview module. In both cases, I was still left with the same error.

Is there a way to circumvent this error or another way to create AAD role assignable groups through PowerShell?

azure-ad-group-management

@TahaAhmad-2788,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.


1 Answer

sikumars answered

Hello @TahaAhmad-2788,

Thanks for reaching out.

This is due to PowerShell limitations within Cloud Shell: currently AzureAD.Standard.Preview is the only supported module available. You can verify this by running Get-Module AzureAD* from Cloud Shell, as shown below:

[Screenshot: output of Get-Module AzureAD* in Cloud Shell]

This preview module provides most of the functionality of the public AzureAD module, but not all of it, which is why you may experience this issue. Therefore, you can try using the Microsoft.Graph module as an alternative approach in this scenario to create the AAD group, as explained below.

Steps:

1) Install Microsoft.Graph from Azure cloud shell

Install-Module -Name Microsoft.Graph

2) Log in to Azure AD

Connect-MgGraph -Scopes Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All

Note: You must pass these API permissions in the Scopes parameter along with the Connect-MgGraph command.

3) Create the security group:

New-MgGroup -DisplayName AdminGroup -Description AdminGroup -MailEnabled:$false -SecurityEnabled:$true -MailNickname AdminGroup -IsAssignableToRole

The following screenshot shows my test outcome:

[Screenshot: New-MgGroup output showing the created role-assignable group]

For more details: https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.groups/new-mggroup?view=graph-powershell-beta

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
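The three steps in the answer above, carried through as one script. This is an added example, not the answerer's code: it wraps the same Connect-MgGraph / New-MgGroup calls with the checks an engineer would want before creating a privileged object. Role-assignable groups are sensitive because their membership grants directory roles, and the isAssignableToRole flag cannot be changed after creation, so the script refuses to reuse a same-named group that lacks the flag and reads the property back from the directory after creation instead of trusting the local object. The group name, description and the $scopes list are assumptions (the scopes are the ones from the answer; the comment notes the additional permission the Graph "create group" documentation lists for role-assignable groups).

```powershell
# Added example (not from the original answer): create an Azure AD role-assignable
# security group with the Microsoft.Graph module and verify the result.
# DisplayName and Description below are placeholders; change them for your tenant.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

param(
    [string]$DisplayName = 'AnalystAdmins',
    [string]$Description = 'Role-assignable group for analysts (placeholder)'
)

$ErrorActionPreference = 'Stop'

# Mail nickname must be unique in the tenant and free of spaces or special characters.
$mailNickname = $DisplayName -replace '[^A-Za-z0-9]', ''

# Delegated scopes as used in the answer. Microsoft Graph's "create group" documentation
# also lists RoleManagement.ReadWrite.Directory for role-assignable groups, so add it if
# the request is rejected as insufficient privileges. The signed-in account must hold
# Global Administrator or Privileged Role Administrator.
$scopes = @('Group.ReadWrite.All', 'Directory.ReadWrite.All')
if (-not (Get-MgContext)) {
    Connect-MgGraph -Scopes $scopes
}

# isAssignableToRole is immutable after creation, so never "upgrade" an existing group;
# detect a same-named group first. Single quotes in the name are doubled for the OData filter.
$filterName = $DisplayName -replace "'", "''"
$existing = Get-MgGroup -Filter "displayName eq '$filterName'" -Property Id,DisplayName,IsAssignableToRole
if ($existing) {
    if (-not $existing.IsAssignableToRole) {
        throw "Group '$DisplayName' exists (Id $($existing.Id)) but is not role-assignable; the flag cannot be set later, so create a new group with a different name."
    }
    Write-Host "Group '$DisplayName' already exists and is role-assignable: $($existing.Id)"
    return $existing
}

$group = New-MgGroup -DisplayName $DisplayName `
                     -Description $Description `
                     -MailEnabled:$false `
                     -SecurityEnabled:$true `
                     -MailNickname $mailNickname `
                     -IsAssignableToRole

# Read the flag back from the directory rather than trusting the returned object.
$check = Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,IsAssignableToRole
if (-not $check.IsAssignableToRole) {
    throw "Group $($group.Id) was created but IsAssignableToRole is not set; delete it and retry."
}
Write-Host "Created role-assignable group '$($check.DisplayName)' ($($check.Id))"
$check
```

Run it from Cloud Shell (or any PowerShell 7 session with the Microsoft.Graph modules installed) as ./New-RoleAssignableGroup.ps1 -DisplayName 'YourGroup'. Because membership of a role-assignable group can only be managed by Global Administrators and Privileged Role Administrators, it is worth recording the returned object Id so that later audit queries and membership reviews can target the group directly.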


