Assign Microsoft Entra roles at different scopes

In Microsoft Entra ID, roles are typically assigned to apply to the entire tenant. However, you can also assign Microsoft Entra roles for different resources, such as administrative units or application registrations. For example, you could assign the Helpdesk Administrator role so that it just applies to a particular administrative unit and not the entire tenant. The resources that a role assignment applies to is also called the scope. This article describes how to assign Microsoft Entra roles at tenant, administrative unit, and application registration scopes. For more information about scope, see Overview of role-based access control (RBAC) in Microsoft Entra ID.

Prerequisites

  • Privileged Role Administrator.
  • Microsoft Graph PowerShell SDK installed when using PowerShell.

For more information, see Prerequisites to use PowerShell.

Assign roles scoped to the tenant

This section describes how to assign roles at the tenant scope.

Microsoft Entra admin center

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Roles & admins.

    Roles and administrators page in Microsoft Entra ID.

  3. Select a role to see its assignments. To help you find the role you need, use Add filters to filter the roles.

  4. Select Add assignments and then select the users you want to assign to this role.

    Add assignments pane for selected role.

  5. Select Add to assign the role.

PowerShell

Follow these steps to assign Microsoft Entra roles using PowerShell.

  1. Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell.

    Install-Module Microsoft.Graph -Scope CurrentUser
    
  2. In a PowerShell window, use Connect-MgGraph to sign in to your tenant.

    Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "RoleManagement.Read.Directory","User.Read.All","RoleManagement.ReadWrite.Directory"
    
  3. Use Get-MgUser to get the user.

    $user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"
    
  4. Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.

    $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Billing Administrator'"
    
  5. Set tenant as scope of role assignment.

    $directoryScope = '/'
    
  6. Use New-MgRoleManagementDirectoryRoleAssignment to assign the role.

    $roleAssignment = New-MgRoleManagementDirectoryRoleAssignment `
       -DirectoryScopeId $directoryScope -PrincipalId $user.Id `
       -RoleDefinitionId $roleDefinition.Id
    

Assign roles scoped to an administrative unit

This section describes how to assign roles at an administrative unit scope.

Microsoft Entra admin center

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Admin units.

  3. Select an administrative unit.

    Administrative Units in Microsoft Entra ID.

  4. Select Roles and administrators from the left navigation menu to see the list of all roles available to be assigned over an administrative unit.

    Roles and administrators menu under administrative Units in Microsoft Entra ID.

  5. Select the desired role.

  6. Select Add assignments and then select the users or group you want to assign this role to.

  7. Select Add to assign the role scoped over the administrative unit.

Note

You will not see the entire list of Microsoft Entra built-in or custom roles here. This is expected. We show the roles which have permissions related to the objects that are supported within the administrative unit. To see the list of objects supported within an administrative unit, see Administrative units in Microsoft Entra ID.

PowerShell

Follow these steps to assign Microsoft Entra roles at administrative unit scope using PowerShell.

  1. Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell.

    Install-Module Microsoft.Graph -Scope CurrentUser
    
  2. In a PowerShell window, use Connect-MgGraph to sign in to your tenant.

    Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Directory.Read.All","RoleManagement.Read.Directory","User.Read.All","RoleManagement.ReadWrite.Directory"
    
  3. Use Get-MgUser to get the user.

    $user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"
    
  4. Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.

    $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition `
       -Filter "displayName eq 'User Administrator'"
    
  5. Use Get-MgDirectoryAdministrativeUnit to get the administrative unit you want the role assignment to be scoped to.

    $adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Seattle Admin Unit'"
    $directoryScope = '/administrativeUnits/' + $adminUnit.Id
    
  6. Use New-MgRoleManagementDirectoryRoleAssignment to assign the role.

    $roleAssignment = New-MgRoleManagementDirectoryRoleAssignment `
       -DirectoryScopeId $directoryScope -PrincipalId $user.Id `
       -RoleDefinitionId $roleDefinition.Id
    

Assign roles scoped to an app registration

This section describes how to assign roles at an application registration scope.

Microsoft Entra admin center

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Applications > App registrations.

  3. Select an application. You can use search box to find the desired app.

    App registrations in Microsoft Entra ID.

  4. Select Roles and administrators from the left navigation menu to see the list of all roles available to be assigned over the app registration.

    Roles for an app registrations in Microsoft Entra ID.

  5. Select the desired role.

  6. Select Add assignments and then select the users or group you want to assign this role to.

    Add role assignment scoped to an app registrations in Microsoft Entra ID.

  7. Select Add to assign the role scoped over the app registration.

    Successfully added role assignment scoped to an app registrations in Microsoft Entra ID.

    Role assigned to the user scoped to an app registrations in Microsoft Entra ID.

Note

You will not see the entire list of Microsoft Entra built-in or custom roles here. This is expected. We show the roles which have permissions related to managing app registrations only.

PowerShell

Follow these steps to assign Microsoft Entra roles at application scope using PowerShell.

  1. Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell.

    Install-Module Microsoft.Graph -Scope CurrentUser
    
  2. In a PowerShell window, use Connect-MgGraph to sign in to your tenant.

    Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Application.Read.All","RoleManagement.Read.Directory","User.Read.All","RoleManagement.ReadWrite.Directory"
    
  3. Use Get-MgUser to get the user.

    $user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"
    
  4. Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.

    $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition `
       -Filter "displayName eq 'Application Administrator'"
    
  5. Use Get-MgApplication to get the app registration you want the role assignment to be scoped to.

    $appRegistration = Get-MgApplication -Filter "displayName eq 'f/128 Filter Photos'"
    $directoryScope = '/' + $appRegistration.Id
    
  6. Use New-MgRoleManagementDirectoryRoleAssignment to assign the role.

    $roleAssignment = New-MgRoleManagementDirectoryRoleAssignment `
       -DirectoryScopeId $directoryScope -PrincipalId $user.Id `
       -RoleDefinitionId $roleDefinition.Id 
    

Next steps