New-MgGroupAppRoleAssignment
Use this API to assign an app role to a security group. All direct members of the group will be considered assigned. Security groups with dynamic memberships are supported. To grant an app role assignment to a group, you need three identifiers: Additional licenses might be required to use a group to manage access to applications.
Note
To view the beta release of this cmdlet, view New-MgBetaGroupAppRoleAssignment
Syntax
New-MgGroupAppRoleAssignment
-GroupId <String>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-AppRoleId <String>]
[-CreatedDateTime <DateTime>]
[-DeletedDateTime <DateTime>]
[-Id <String>]
[-PrincipalDisplayName <String>]
[-PrincipalId <String>]
[-PrincipalType <String>]
[-ResourceDisplayName <String>]
[-ResourceId <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-MgGroupAppRoleAssignment
-GroupId <String>
-BodyParameter <IMicrosoftGraphAppRoleAssignment>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-MgGroupAppRoleAssignment
-InputObject <IApplicationsIdentity>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-AppRoleId <String>]
[-CreatedDateTime <DateTime>]
[-DeletedDateTime <DateTime>]
[-Id <String>]
[-PrincipalDisplayName <String>]
[-PrincipalId <String>]
[-PrincipalType <String>]
[-ResourceDisplayName <String>]
[-ResourceId <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-MgGroupAppRoleAssignment
-InputObject <IApplicationsIdentity>
-BodyParameter <IMicrosoftGraphAppRoleAssignment>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Use this API to assign an app role to a security group. All direct members of the group will be considered assigned. Security groups with dynamic memberships are supported. To grant an app role assignment to a group, you need three identifiers: Additional licenses might be required to use a group to manage access to applications.
Permissions
Permission type | Least privileged permissions | Higher privileged permissions |
---|---|---|
Delegated (work or school account) | AppRoleAssignment.ReadWrite.All | Not available. |
Delegated (personal Microsoft account) | Not supported. | Not supported. |
Application | AppRoleAssignment.ReadWrite.All | Not available. |
Examples
Example 1: Assign an app role to a group
$appRoleAssignment = @{
"principalId"= "f07a8d78-f18c-4c02-b339-9ebace025122"
"resourceId"= "1c48f923-4fbb-4d37-b772-4d577eefec9e"
"appRoleId"= "00000000-0000-0000-0000-000000000000"
}
New-MgGroupAppRoleAssignment -GroupId 'f07a8d78-f18c-4c02-b339-9ebace025122' -BodyParameter $appRoleAssignment |
Format-List
AppRoleId : 00000000-0000-0000-0000-000000000000
CreatedDateTime : 8/19/2021 11:25:25 AM
DeletedDateTime :
Id : eI168IzxAkyzOZ66zgJRIqVVeeA1CVFKmaBn-MGn0Bw
PrincipalDisplayName : All Employees
PrincipalId : f07a8d78-f18c-4c02-b339-9ebace025122
PrincipalType : Group
ResourceDisplayName : Office 365 SharePoint Online
ResourceId : 1c48f923-4fbb-4d37-b772-4d577eefec9e
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#groups('f07a8d78-f18c-4c02-b339-9ebace025122')/appRoleAssignments/$entity], [@odata.id, https://graph.microsoft.com/v2/fb625e04-52aa-42da-
b10d-14f1195d665f/directoryObjects/$/Microsoft.DirectoryServices.Group('f07a8d78-f18c-4c02-b339-9ebace025122')/appRoleAssignments/eI168IzxAkyzOZ66zgJRIqVVeeA1CVFKmaBn-MGn0Bw]}
In this example, the first defines creates the $appRoleAssignment
variable that defines the following:
-principalId
: The id of the group to which you are assigning the app role.
-resourceId
: The id of the resource servicePrincipal which has defined the app role.
-appRoleId
: The id of the appRole (defined on the resource service principal) to assign to the group.
Learn more about the AppRoleAssignment resource.
The second command adds the role to the specified group.
Parameters
-AdditionalProperties
Additional Parameters
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AppRoleId
The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BodyParameter
appRoleAssignment To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Type: | IMicrosoftGraphAppRoleAssignment |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CreatedDateTime
The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DeletedDateTime
Date and time when this object was deleted. Always null when the object hasn't been deleted.
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-GroupId
The unique identifier of group
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
Type: | IDictionary |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: | IApplicationsIdentity |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-PrincipalDisplayName
The display name of the user, group, or service principal that was granted the app role assignment. Read-only. Supports $filter (eq and startswith).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PrincipalId
The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PrincipalType
The type of the assigned principal. This can either be User, Group, or ServicePrincipal. Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceDisplayName
The display name of the resource app's service principal to which the assignment is made.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceId
The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Type: | String |
Aliases: | RHV |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.Graph.PowerShell.Models.IApplicationsIdentity
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAppRoleAssignment
System.Collections.IDictionary
Outputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAppRoleAssignment
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IMicrosoftGraphAppRoleAssignment>
: appRoleAssignment
[(Any) <Object>]
: This indicates any property can be added to this object.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.[Id <String>]
: The unique identifier for an entity. Read-only.[AppRoleId <String>]
: The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create.[CreatedDateTime <DateTime?>]
: The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.[PrincipalDisplayName <String>]
: The display name of the user, group, or service principal that was granted the app role assignment. Read-only. Supports $filter (eq and startswith).[PrincipalId <String>]
: The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create.[PrincipalType <String>]
: The type of the assigned principal. This can either be User, Group, or ServicePrincipal. Read-only.[ResourceDisplayName <String>]
: The display name of the resource app's service principal to which the assignment is made.[ResourceId <String>]
: The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only).
INPUTOBJECT <IApplicationsIdentity>
: Identity Parameter
[AppId <String>]
: Alternate key of application[AppManagementPolicyId <String>]
: The unique identifier of appManagementPolicy[AppRoleAssignmentId <String>]
: The unique identifier of appRoleAssignment[ApplicationId <String>]
: The unique identifier of application[ApplicationTemplateId <String>]
: The unique identifier of applicationTemplate[ClaimsMappingPolicyId <String>]
: The unique identifier of claimsMappingPolicy[DelegatedPermissionClassificationId <String>]
: The unique identifier of delegatedPermissionClassification[DirectoryDefinitionId <String>]
: The unique identifier of directoryDefinition[DirectoryObjectId <String>]
: The unique identifier of directoryObject[EndpointId <String>]
: The unique identifier of endpoint[ExtensionPropertyId <String>]
: The unique identifier of extensionProperty[FederatedIdentityCredentialId <String>]
: The unique identifier of federatedIdentityCredential[GroupId <String>]
: The unique identifier of group[HomeRealmDiscoveryPolicyId <String>]
: The unique identifier of homeRealmDiscoveryPolicy[Name <String>]
: Alternate key of federatedIdentityCredential[OAuth2PermissionGrantId <String>]
: The unique identifier of oAuth2PermissionGrant[ServicePrincipalId <String>]
: The unique identifier of servicePrincipal[SynchronizationJobId <String>]
: The unique identifier of synchronizationJob[SynchronizationTemplateId <String>]
: The unique identifier of synchronizationTemplate[TargetDeviceGroupId <String>]
: The unique identifier of targetDeviceGroup[TokenIssuancePolicyId <String>]
: The unique identifier of tokenIssuancePolicy[TokenLifetimePolicyId <String>]
: The unique identifier of tokenLifetimePolicy[UniqueName <String>]
: Alternate key of application[UserId <String>]
: The unique identifier of user