Assign Azure AD roles to users

To grant access to users in Azure Active Directory (Azure AD), you assign Azure AD roles. A role is a collection of permissions. This article describes how to assign Azure AD roles using the Azure portal and PowerShell.

Prerequisites

  • Privileged Role Administrator or Global Administrator. To find out who your Privileged Role Administrator or Global Administrator is, see List Azure AD role assignments.
  • Azure AD Premium P2 license when using Privileged Identity Management (PIM)
  • AzureADPreview module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

Follow these steps to assign Azure AD roles using the Azure portal. Your experience will be different depending on whether you have Azure AD Privileged Identity Management (PIM) enabled.

Assign a role

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Roles and administrators to see the list of all available roles.

    Roles and administrators page in Azure Active Directory.

  3. Select a role to see its assignments.

    To help you find the role you need, use Add filters to filter the roles.

  4. Select Add assignments and then select the users you want to assign to this role.

    If you see something different from the following picture, you might have PIM enabled. See the next section.

    Add assignments pane for selected role.

  5. Select Add to assign the role.

Assign a role using PIM

If you have Azure AD Privileged Identity Management (PIM) enabled, you have additional role assignment capabilities. For example, you can make a user eligible for a role or set the duration. When PIM is enabled, there are two ways that you can assign roles using the Azure portal. You can use the Roles and administrators page or the PIM experience. Either way uses the same PIM service.

Follow these steps to assign roles using the Roles and administrators page. If you want to assign roles using the Privileged Identity Management page, see Assign Azure AD roles in Privileged Identity Management.

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Roles and administrators to see the list of all available roles.

    Roles and administrators page in Azure Active Directory when PIM enabled.

  3. Select a role to see its eligible, active, and expired role assignments.

    To help you find the role you need, use Add filters to filter the roles.

  4. Select Add assignments.

  5. Select No member selected and then select the users you want to assign to this role.

    Add assignments page and Select a member pane with PIM enabled.

  6. Select Next.

  7. On the Setting tab, select whether you want to make this role assignment Eligible or Active.

    An eligible role assignment means that the user must perform one or more actions to use the role. An active role assignment means that the user doesn't have to perform any action to use the role. For more information about what these settings mean, see PIM terminology.

    Add assignments page and Setting tab with PIM enabled.

  8. Use the remaining options to set the duration for the assignment.

  9. Select Assign to assign the role.

PowerShell

Follow these steps to assign Azure AD roles using PowerShell.

Setup

  1. Open a PowerShell window and use Import-Module to import the AzureADPreview module. For more information, see Prerequisites to use PowerShell or Graph Explorer.

    Import-Module -Name AzureADPreview -Force
    
  2. In a PowerShell window, use Connect-AzureAD to sign in to your tenant.

    Connect-AzureAD
    
  3. Use Get-AzureADUser to get the user you want to assign a role to.

    $user = Get-AzureADUser -Filter "userPrincipalName eq 'user@contoso.com'"
    

Assign a role

  1. Use Get-AzureADMSRoleDefinition to get the role you want to assign.

    $roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
    
  2. Use New-AzureADMSRoleAssignment to assign the role.

    $roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
    

Assign a role as eligible using PIM

If PIM is enabled, you have additional capabilities, such as making a user eligible for a role assignment or defining the start and end time for a role assignment. These capabilities use a different set of PowerShell commands. For more information about using PowerShell and PIM, see PowerShell for Azure AD roles in Privileged Identity Management.

  1. Use Get-AzureADMSRoleDefinition to get the role you want to assign.

    $roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
    
  2. Use Get-AzureADMSPrivilegedResource to get the privileged resource. In this case, the resource is your tenant.

    $aadTenant = Get-AzureADMSPrivilegedResource -ProviderId aadRoles
    
  3. Use New-Object to create a new AzureADMSPrivilegedSchedule object to define the start and end time of the role assignment.

    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = "Once"
    $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    $schedule.EndDateTime = "2021-07-25T20:00:00.000Z"
    
  4. Use Open-AzureADMSPrivilegedRoleAssignmentRequest to assign the role as eligible.

    $roleAssignmentEligible = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $aadTenant.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $user.objectId -Type 'AdminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "Review billing info"
    
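The two PowerShell procedures above (the direct assignment and the PIM eligible assignment) combined into one script, as an added example that is not part of the Microsoft article: it checks for an existing assignment before creating one, so re-running it does not produce duplicates, and it computes the PIM end time from a day count instead of hard-coding a date. It assumes Import-Module AzureADPreview and Connect-AzureAD have already been run; the UPN, role name, day count and reason are placeholders.

```powershell
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,          # e.g. user@contoso.com (placeholder)
    [string]$RoleDisplayName = 'Billing Administrator',
    [switch]$Eligible,                                         # use PIM: eligible instead of active
    [int]$Days = 30,                                           # PIM only: length of the eligibility window
    [string]$Reason = 'CHANGE-0000: placeholder justification' # recorded in the PIM request
)

$user = Get-AzureADUser -Filter "userPrincipalName eq '$UserPrincipalName'"
if (-not $user) { throw "User '$UserPrincipalName' not found" }

$role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
if (-not $role) { throw "Role '$RoleDisplayName' not found" }

if (-not $Eligible) {
    # Direct (non-PIM) path: a permanent, active assignment at tenant scope ('/').
    # Look for an equivalent assignment first; the service does not de-duplicate for us.
    $current = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq '/' }
    if ($current) {
        Write-Host "Already assigned (assignment id $($current.Id)); nothing to do."
        return
    }
    $assignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' `
        -RoleDefinitionId $role.Id -PrincipalId $user.ObjectId
    Write-Host "Active assignment created: $($assignment.Id)"
    return
}

# PIM path: an eligible assignment that expires $Days days from now (UTC).
$tenant   = Get-AzureADMSPrivilegedResource -ProviderId aadRoles
$format   = 'yyyy-MM-ddTHH:mm:ss.fffZ'
$nowUtc   = (Get-Date).ToUniversalTime()
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = $nowUtc.ToString($format)
$schedule.EndDateTime   = $nowUtc.AddDays($Days).ToString($format)

$request = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenant.Id `
    -RoleDefinitionId $role.Id -SubjectId $user.ObjectId -Type 'AdminAdd' -AssignmentState 'Eligible' `
    -Schedule $schedule -Reason $Reason
Write-Host "Eligible request $($request.Id): $($schedule.StartDateTime) -> $($schedule.EndDateTime)"
```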

Microsoft Graph API

Follow these instructions to assign a role using the Microsoft Graph API.

Assign a role

In this example, a security principal with object ID f8ca5a85-489a-49a0-b555-0a6d81e56f0d is assigned the Billing Administrator role (role definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe) at tenant scope. To see the list of immutable role template IDs of all built-in roles, see Azure AD built-in roles.

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
Content-type: application/json

{ 
    "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "directoryScopeId": "/"
}

Assign a role using PIM

Assign a time-bound eligible role assignment

In this example, a security principal with object ID f8ca5a85-489a-49a0-b555-0a6d81e56f0d is assigned a time-bound eligible role assignment to Billing Administrator (role definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe) for 180 days.

POST https://graph.microsoft.com/v1.0/rolemanagement/directory/roleEligibilityScheduleRequests
Content-type: application/json

{
    "action": "adminAssign",
    "justification": "for managing admin tasks",
    "directoryScopeId": "/",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "scheduleInfo": {
        "startDateTime": "2021-07-15T19:15:08.941Z",
        "expiration": {
            "type": "afterDuration",
            "duration": "PT180D"
        }
    }
}

Assign a permanent eligible role assignment

In the following example, a security principal is assigned a permanent eligible role assignment to Billing Administrator.

POST https://graph.microsoft.com/v1.0/rolemanagement/directory/roleEligibilityScheduleRequests
Content-type: application/json

{
    "action": "adminAssign",
    "justification": "for managing admin tasks",
    "directoryScopeId": "/",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "scheduleInfo": {
        "startDateTime": "2021-07-15T19:15:08.941Z",
        "expiration": {
            "type": "noExpiration"
        }
    }
}

Activate a role assignment

To activate the role assignment, use the Create roleAssignmentScheduleRequests API.

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
Content-type: application/json

{
    "action": "selfActivate",
    "justification": "activating role assignment for admin privileges",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "directoryScopeId": "/",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
}

For more information about managing Azure AD roles through the PIM API in Microsoft Graph, see Overview of role management through the privileged identity management (PIM) API.
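A review script for the Graph PIM requests shown above, as an added example that is not part of the Microsoft article: it reads back a principal's eligibility schedules and active assignment schedules through the same roleManagement/directory API, so an assignment just created can be confirmed and permanent ones spotted. It assumes $AccessToken holds a Microsoft Graph bearer token obtained separately; the principal ID default is the placeholder used in the article's examples.

```powershell
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [string]$PrincipalId = 'f8ca5a85-489a-49a0-b555-0a6d81e56f0d'   # placeholder from the article
)
$headers = @{ Authorization = "Bearer $AccessToken" }
$base    = 'https://graph.microsoft.com/v1.0/roleManagement/directory'
# Filter on the principal and expand roleDefinition so the role's display name comes back too.
$query   = '$filter=' + [uri]::EscapeDataString("principalId eq '$PrincipalId'") + '&$expand=roleDefinition'

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink until the whole collection has been read.
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Format-Expiry($scheduleInfo) {
    # noExpiration means a permanent schedule; otherwise report the end time (or duration).
    if ($scheduleInfo.expiration.type -eq 'noExpiration') { return 'PERMANENT' }
    if ($scheduleInfo.expiration.endDateTime) { return $scheduleInfo.expiration.endDateTime }
    return $scheduleInfo.expiration.duration
}

$rows = @()
foreach ($s in Get-GraphCollection "$base/roleEligibilitySchedules?$query") {
    $rows += [pscustomobject]@{ Kind = 'Eligible'; Role = $s.roleDefinition.displayName
                                Scope = $s.directoryScopeId; Expires = Format-Expiry $s.scheduleInfo
                                Status = $s.status }
}
foreach ($s in Get-GraphCollection "$base/roleAssignmentSchedules?$query") {
    # assignmentType is 'Assigned' for a direct active assignment, 'Activated' for a PIM activation.
    $rows += [pscustomobject]@{ Kind = "Active ($($s.assignmentType))"; Role = $s.roleDefinition.displayName
                                Scope = $s.directoryScopeId; Expires = Format-Expiry $s.scheduleInfo
                                Status = $s.status }
}
$rows | Sort-Object Kind, Role | Format-Table -AutoSize

$permanent = @($rows | Where-Object { $_.Expires -eq 'PERMANENT' })
if ($permanent.Count -gt 0) {
    Write-Warning "$($permanent.Count) permanent schedule(s) for $PrincipalId; time-bound eligibility is usually preferable."
}
```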

Next steps