Assign Microsoft Entra roles to users

To grant access to users in Microsoft Entra ID, you assign Microsoft Entra roles. A role is a collection of permissions. This article describes how to assign Microsoft Entra roles using the Microsoft Entra admin center and PowerShell.

Prerequisites

For more information, see Prerequisites to use PowerShell.

Microsoft Entra admin center

Follow these steps to assign Microsoft Entra roles using the Microsoft Entra admin center. Your experience will be different depending on whether you have Microsoft Entra Privileged Identity Management (PIM) enabled.

Assign a role

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Roles & admins.

    Screenshot of Roles and administrators page in Microsoft Entra ID.

  3. Find the role you need. You can use the search box or Add filters to filter the roles.

  4. Select the role name to open the role. Don't add a check mark next to the role.

    Screenshot that shows selecting a role.

  5. Select Add assignments and then select the users you want to assign to this role.

    If you see something different from the following picture, you might have PIM enabled. See the next section.

    Screenshot of Add assignments pane for selected role.

    Note

    If you assign a Microsoft Entra built-in role to a guest user, the guest user will be elevated to have the same permissions as a member user. For information about member and guest user default permissions, see What are the default user permissions in Microsoft Entra ID?

  6. Select Add to assign the role.

Assign a role using PIM

If you have Microsoft Entra Privileged Identity Management (PIM) enabled, you have additional role assignment capabilities. For example, you can make a user eligible for a role or set the duration. When PIM is enabled, there are two ways that you can assign roles using the Microsoft Entra admin center. You can use the Roles and administrators page or the PIM experience. Either way uses the same PIM service.

Follow these steps to assign roles using the Roles and administrators page. If you want to assign roles using Privileged Identity Management, see Assign Microsoft Entra roles in Privileged Identity Management.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Roles & admins.

    Screenshot of Roles and administrators page in Microsoft Entra ID when PIM enabled.

  3. Find the role you need. You can use the search box or Add filters to filter the roles.

  4. Select the role name to open the role and see its eligible, active, and expired role assignments. Don't add a check mark next to the role.

    Screenshot that shows selecting a role.

  5. Select Add assignments.

  6. Select No member selected and then select the users you want to assign to this role.

    Screenshot of Add assignments page and Select a member pane with PIM enabled.

  7. Select Next.

  8. On the Setting tab, select whether you wan to make this role assignment Eligible or Active.

    An eligible role assignment means that the user must perform one or more actions to use the role. An active role assignment means that the user doesn't have to perform any action to use the role. For more information about what these settings mean, see PIM terminology.

    Screenshot of Add assignments page and Setting tab with PIM enabled.

  9. Use the remaining options to set the duration for the assignment.

  10. Select Assign to assign the role.

PowerShell

Follow these steps to assign Microsoft Entra roles using PowerShell.

Setup

  1. Open a PowerShell window and use Import-Module to import the Microsoft Graph PowerShell module. For more information, see Prerequisites to use PowerShell.

    Import-Module -Name Microsoft.Graph.Identity.Governance -Force
    
  2. In a PowerShell window, use Connect-MgGraph to sign in to your tenant.

    Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "RoleManagement.ReadWrite.Directory"
    
  3. Use Get-MgUser to get the user you want to assign a role to.

    $user = Get-MgUser -Filter "userPrincipalName eq 'johndoe@contoso.com'"
    

Assign a role

  1. Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.

    $roledefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Billing Administrator'"
    
  2. Use New-MgRoleManagementDirectoryRoleAssignment to assign the role.

    $roleassignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roledefinition.Id -PrincipalId $user.Id
    

Assign a role as eligible using PIM

If PIM is enabled, you have additional capabilities, such as making a user eligible for a role assignment or defining the start and end time for a role assignment. These capabilities use a different set of PowerShell commands. For more information about using PowerShell and PIM, see PowerShell for Microsoft Entra roles in Privileged Identity Management.

  1. Use Get-MgRoleManagementDirectoryRoleDefinition to get the role you want to assign.

    $roledefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Billing Administrator'"
    
  2. Use the following command to create a hash table to store all the necessary attributes required to assign the role to the user. The Principal ID will be the user ID to which you want to assign the role. In this example, the assignment will be valid only for 10 hours.

    $params = @{
      "PrincipalId" = "aaaaaaaa-bbbb-cccc-1111-222222222222"
      "RoleDefinitionId" = "b0f54661-2d74-4c50-afa3-1ec803f12efe"
      "Justification" = "Add eligible assignment"
      "DirectoryScopeId" = "/"
      "Action" = "AdminAssign"
      "ScheduleInfo" = @{
        "StartDateTime" = Get-Date
        "Expiration" = @{
          "Type" = "AfterDuration"
          "Duration" = "PT10H"
          }
        }
      }
    
  3. Use New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest to assign the role as eligible. Once the role has been assigned, it will reflect in the Microsoft Entra admin center under Identity governance > Privileged Identity Management > Microsoft Entra roles > Assignments > Eligible Assignments section.

    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params | Format-List Id, Status, Action, AppScopeId, DirectoryScopeId, RoleDefinitionId, IsValidationOnly, Justification, PrincipalId, CompletedDateTime, CreatedDateTime
    

    Microsoft Graph API

    Follow these instructions to assign a role using the Microsoft Graph API.

    Assign a role

    In this example, a security principal with objectID aaaaaaaa-bbbb-cccc-1111-222222222222 is assigned the Billing Administrator role (role definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe) at tenant scope. To see the list of immutable role template IDs of all built-in roles, see Microsoft Entra built-in roles.

    POST https://microsoftgraph.chinacloudapi.cn/v1.0/roleManagement/directory/roleAssignments
    Content-type: application/json
    
    { 
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
        "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
        "directoryScopeId": "/"
    }
    

    Assign a role using PIM

    Assign a time-bound eligible role assignment

    In this example, a security principal with objectID aaaaaaaa-bbbb-cccc-1111-222222222222 is assigned a time-bound eligible role assignment to Billing Administrator (role definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe) for 180 days.

    POST https://microsoftgraph.chinacloudapi.cn/v1.0/rolemanagement/directory/roleEligibilityScheduleRequests
    Content-type: application/json
    
    {
        "action": "adminAssign",
        "justification": "for managing admin tasks",
        "directoryScopeId": "/",
        "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
        "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
        "scheduleInfo": {
            "startDateTime": "2021-07-15T19:15:08.941Z",
            "expiration": {
                "type": "afterDuration",
                "duration": "PT180D"
            }
        }
    }
    

    Assign a permanent eligible role assignment

    In the following example, a security principal is assigned a permanent eligible role assignment to Billing Administrator.

    POST https://microsoftgraph.chinacloudapi.cn/v1.0/rolemanagement/directory/roleEligibilityScheduleRequests
    Content-type: application/json
    
    {
        "action": "adminAssign",
        "justification": "for managing admin tasks",
        "directoryScopeId": "/",
        "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
        "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
        "scheduleInfo": {
            "startDateTime": "2021-07-15T19:15:08.941Z",
            "expiration": {
                "type": "noExpiration"
            }
        }
    }
    

    Activate a role assignment

    To activate the role assignment, use the Create roleAssignmentScheduleRequests API.

    POST https://microsoftgraph.chinacloudapi.cn/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
    Content-type: application/json
    
    {
        "action": "selfActivate",
        "justification": "activating role assignment for admin privileges",
        "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
        "directoryScopeId": "/",
        "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222"
    }
    

    For more information about managing Microsoft Entra roles through the PIM API in Microsoft Graph, see Overview of role management through the privileged identity management (PIM) API.