Bearbeiten

Freigeben über


New-AzRoleAssignment

Assigns the specified RBAC role to the specified principal, at the specified scope.

The cmdlet may call below Microsoft Graph API according to input parameters:

  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /groups/{id}
  • GET /directoryObjects/{id}

Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role assignment is not found or current account has insufficient privileges to get object type.

Syntax

New-AzRoleAssignment
   -ObjectId <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -ObjectId <String>
   -ResourceGroupName <String>
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -ObjectId <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -ObjectId <String>
   -Scope <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   -RoleDefinitionId <Guid>
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -SignInName <String>
   -ResourceGroupName <String>
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -SignInName <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -SignInName <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -ApplicationId <String>
   -ResourceGroupName <String>
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -ApplicationId <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -ApplicationId <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   [-Description <String>]
   [-Condition <String>]
   [-ConditionVersion <String>]
   [-ObjectType <String>]
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzRoleAssignment
   -InputFile <String>
   [-AllowDelegation]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

Use the New-AzRoleAssignment command to grant access. Access is granted by assigning the appropriate RBAC role to them at the right scope. To grant access to the entire subscription, assign a role at the subscription scope. To grant access to a specific resource group within a subscription, assign a role at the resource group scope. The subject of the assignment must be specified. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName parameter. The scope at which access is being granted may be specified. It defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId> b. ResourceGroupName - to grant access to the specified resource group. c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - to specify a particular resource within a resource group to grant access to.

Examples

Example 1

New-AzRoleAssignment -ResourceGroupName rg1 -SignInName allen.young@live.com -RoleDefinitionName Reader -AllowDelegation

Grant Reader role access to a user at a resource group scope with the Role Assignment being available for delegation

Example 2

Get-AzADGroup -SearchString "Christine Koch Team"

          DisplayName                    Type                           Id
          -----------                    ----                           --------
          Christine Koch Team                                           00001111-aaaa-2222-bbbb-3333cccc4444

New-AzRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName Contributor  -ResourceGroupName rg1

Grant access to a security group

Example 3

New-AzRoleAssignment -SignInName john.doe@contoso.com -RoleDefinitionName Owner -Scope "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"

Grant access to a user at a resource (website)

Example 4

New-AzRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName "Virtual Machine Contributor" -ResourceName Devices-Engineering-ProjectRND -ResourceType Microsoft.Network/virtualNetworks/subnets -ParentResource virtualNetworks/VNET-EASTUS-01 -ResourceGroupName Network

Grant access to a group at a nested resource (subnet)

Example 5

$servicePrincipal = New-AzADServicePrincipal -DisplayName "testServiceprincipal"
New-AzRoleAssignment -RoleDefinitionName "Reader" -ApplicationId $servicePrincipal.ApplicationId

Grant reader access to a service principal

Parameters

-AllowDelegation

The delegation flag while creating a Role assignment.

Type:SwitchParameter
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ApplicationId

The Application ID of the ServicePrincipal

Type:String
Aliases:SPN, ServicePrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Condition

Condition to be applied to the RoleAssignment.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ConditionVersion

Version of the condition.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

Brief description of the role assignment.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-InputFile

Path to role assignment json

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ObjectId

Microsoft Entra Objectid of the user, group or service principal.

Type:String
Aliases:Id, PrincipalId
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ObjectType

To be used with ObjectId. Specifies the type of the asignee object

Type:String
Aliases:PrincipalType
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ParentResource

The parent resource in the hierarchy(of the resource specified using ResourceName parameter). Should only be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ResourceGroupName

The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceName

The resource name. For e.g. storageaccountprod. Should only be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceType

The resource type. For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionId

Id of the RBAC role that needs to be assigned to the principal.

Type:Guid
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionName

Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Scope

The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SignInName

The email address or the user principal name of the user.

Type:String
Aliases:Email, UserPrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SkipClientSideScopeValidation

If specified, skip client side scope validation.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

Guid

Outputs

PSRoleAssignment

Notes

Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment