New-MgBetaRoleManagementDirectoryRoleDefinition
Create a new unifiedRoleDefinition object for an RBAC provider. This feature requires a Microsoft Entra ID P1 or P2 license. The following RBAC providers are currently supported:- Cloud PC- device management (Intune)- directory (Microsoft Entra ID)
Note
To view the v1.0 release of this cmdlet, view New-MgRoleManagementDirectoryRoleDefinition
Syntax
New-MgBetaRoleManagementDirectoryRoleDefinition
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-AllowedPrincipalTypes <String>]
[-Description <String>]
[-DisplayName <String>]
[-Id <String>]
[-InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition[]>]
[-IsBuiltIn]
[-IsEnabled]
[-IsPrivileged]
[-ResourceScopes <String[]>]
[-RolePermissions <IMicrosoftGraphUnifiedRolePermission[]>]
[-TemplateId <String>]
[-Version <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-MgBetaRoleManagementDirectoryRoleDefinition
-BodyParameter <IMicrosoftGraphUnifiedRoleDefinition>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
Create a new unifiedRoleDefinition object for an RBAC provider. This feature requires a Microsoft Entra ID P1 or P2 license. The following RBAC providers are currently supported:- Cloud PC- device management (Intune)- directory (Microsoft Entra ID)
Parameters
-AdditionalProperties
Additional Parameters
| Type: | Hashtable |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AllowedPrincipalTypes
allowedRolePrincipalTypes
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-BodyParameter
unifiedRoleDefinition To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
| Type: | IMicrosoftGraphUnifiedRoleDefinition |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Description
The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisplayName
The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
| Type: | IDictionary |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InheritsPermissionsFrom
Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute. To construct, see NOTES section for INHERITSPERMISSIONSFROM properties and create a hash table.
| Type: | IMicrosoftGraphUnifiedRoleDefinition[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IsBuiltIn
Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IsEnabled
Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IsPrivileged
Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
| Type: | ActionPreference |
| Aliases: | proga |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResourceScopes
List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
| Type: | String |
| Aliases: | RHV |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RolePermissions
List of permissions included in the role. Read-only when isBuiltIn is true. Required. To construct, see NOTES section for ROLEPERMISSIONS properties and create a hash table.
| Type: | IMicrosoftGraphUnifiedRolePermission[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TemplateId
Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Version
Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphUnifiedRoleDefinition
System.Collections.IDictionary
Outputs
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphUnifiedRoleDefinition
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IMicrosoftGraphUnifiedRoleDefinition>: unifiedRoleDefinition
[(Any) <Object>]: This indicates any property can be added to this object.[Id <String>]: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]: allowedRolePrincipalTypes[Description <String>]: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-[]>]: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-[]>]: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-[]>]: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-[]>]: Set of tasks that can be performed on a resource.[Condition <String>]: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-[]>]:
[TemplateId <String>]: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
INHERITSPERMISSIONSFROM <IMicrosoftGraphUnifiedRoleDefinition- []>: Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles support this attribute.
[Id <String>]: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]: allowedRolePrincipalTypes[Description <String>]: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-[]>]: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-[]>]: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-[]>]: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-[]>]: Set of tasks that can be performed on a resource.[Condition <String>]: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-[]>]:
[TemplateId <String>]: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
ROLEPERMISSIONS <IMicrosoftGraphUnifiedRolePermission- []>: List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
[AllowedResourceActions <String-[]>]: Set of tasks that can be performed on a resource.[Condition <String>]: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-[]>]: