Assign Microsoft Entra roles at different scopes
In Microsoft Entra ID, roles are typically assigned to apply to the entire tenant. However, you can also assign Microsoft Entra roles for different resources, such as administrative units or application registrations. For example, you could assign the Helpdesk Administrator role so that it just applies to a particular administrative unit and not the entire tenant. The resources that a role assignment applies to is also called the scope. This article describes how to assign Microsoft Entra roles at tenant, administrative unit, and application registration scopes. For more information about scope, see Overview of role-based access control (RBAC) in Microsoft Entra ID.
Prerequisites
- Privileged Role Administrator.
- Microsoft Graph PowerShell SDK installed when using PowerShell.
For more information, see Prerequisites to use PowerShell.
Assign roles scoped to the tenant
This section describes how to assign roles at the tenant scope.
Microsoft Entra admin center
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Roles & admins.
Select a role to see its assignments. To help you find the role you need, use Add filters to filter the roles.
Select Add assignments and then select the users you want to assign to this role.
Select Add to assign the role.
PowerShell
Follow these steps to assign Microsoft Entra roles using PowerShell.
Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell.
Install-Module Microsoft.Graph -Scope CurrentUser
In a PowerShell window, use Connect-MgGraph to sign in to your tenant.
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "RoleManagement.Read.Directory","User.Read.All","RoleManagement.ReadWrite.Directory"
Use Get-MgUser to get the user.
$user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"
Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Billing Administrator'"
Set tenant as scope of role assignment.
$directoryScope = '/'
Use New-MgRoleManagementDirectoryRoleAssignment to assign the role.
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment ` -DirectoryScopeId $directoryScope -PrincipalId $user.Id ` -RoleDefinitionId $roleDefinition.Id
Assign roles scoped to an administrative unit
This section describes how to assign roles at an administrative unit scope.
Microsoft Entra admin center
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select an administrative unit.
Select Roles and administrators from the left navigation menu to see the list of all roles available to be assigned over an administrative unit.
Select the desired role.
Select Add assignments and then select the users or group you want to assign this role to.
Select Add to assign the role scoped over the administrative unit.
Note
You will not see the entire list of Microsoft Entra built-in or custom roles here. This is expected. We show the roles which have permissions related to the objects that are supported within the administrative unit. To see the list of objects supported within an administrative unit, see Administrative units in Microsoft Entra ID.
PowerShell
Follow these steps to assign Microsoft Entra roles at administrative unit scope using PowerShell.
Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell.
Install-Module Microsoft.Graph -Scope CurrentUser
In a PowerShell window, use Connect-MgGraph to sign in to your tenant.
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Directory.Read.All","RoleManagement.Read.Directory","User.Read.All","RoleManagement.ReadWrite.Directory"
Use Get-MgUser to get the user.
$user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"
Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition ` -Filter "displayName eq 'User Administrator'"
Use Get-MgDirectoryAdministrativeUnit to get the administrative unit you want the role assignment to be scoped to.
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Seattle Admin Unit'" $directoryScope = '/administrativeUnits/' + $adminUnit.Id
Use New-MgRoleManagementDirectoryRoleAssignment to assign the role.
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment ` -DirectoryScopeId $directoryScope -PrincipalId $user.Id ` -RoleDefinitionId $roleDefinition.Id
Assign roles scoped to an app registration
This section describes how to assign roles at an application registration scope.
Microsoft Entra admin center
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Applications > App registrations.
Select an application. You can use search box to find the desired app.
Select Roles and administrators from the left navigation menu to see the list of all roles available to be assigned over the app registration.
Select the desired role.
Select Add assignments and then select the users or group you want to assign this role to.
Select Add to assign the role scoped over the app registration.
Note
You will not see the entire list of Microsoft Entra built-in or custom roles here. This is expected. We show the roles which have permissions related to managing app registrations only.
PowerShell
Follow these steps to assign Microsoft Entra roles at application scope using PowerShell.
Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell.
Install-Module Microsoft.Graph -Scope CurrentUser
In a PowerShell window, use Connect-MgGraph to sign in to your tenant.
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Application.Read.All","RoleManagement.Read.Directory","User.Read.All","RoleManagement.ReadWrite.Directory"
Use Get-MgUser to get the user.
$user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"
Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition ` -Filter "displayName eq 'Application Administrator'"
Use Get-MgApplication to get the app registration you want the role assignment to be scoped to.
$appRegistration = Get-MgApplication -Filter "displayName eq 'f/128 Filter Photos'" $directoryScope = '/' + $appRegistration.Id
Use New-MgRoleManagementDirectoryRoleAssignment to assign the role.
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment ` -DirectoryScopeId $directoryScope -PrincipalId $user.Id ` -RoleDefinitionId $roleDefinition.Id