New-AzureRmRoleAssignment
Assigns the specified RBAC role to the specified principal, at the specified scope.
Warning
The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.
Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.
Syntax
New-AzureRmRoleAssignment
-ObjectId <Guid>
-Scope <String>
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-ObjectId <Guid>
-ResourceGroupName <String>
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-ObjectId <Guid>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-ObjectId <Guid>
[-Scope <String>]
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-ObjectId <Guid>
-Scope <String>
-RoleDefinitionId <Guid>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-SignInName <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-ApplicationId <String>
-ResourceGroupName <String>
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-ApplicationId <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
New-AzureRmRoleAssignment
-ApplicationId <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Description
Use the New-AzureRMRoleAssignment command to grant access. Access is granted by assigning the appropriate RBAC role to them at the right scope. To grant access to the entire subscription, assign a role at the subscription scope. To grant access to a specific resource group within a subscription, assign a role at the resource group scope. The subject of the assignment must be specified. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName parameter. The scope at which access is being granted may be specified. It defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId> b. ResourceGroupName - to grant access to the specified resource group. c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - to specify a particular resource within a resource group to grant access to.
Examples
Example 1
PS C:\> New-AzureRmRoleAssignment -ResourceGroupName rg1 -SignInName allen.young@live.com -RoleDefinitionName Reader -AllowDelegation
Grant Reader role access to a user at a resource group scope with the Role Assignment being available for delegation
Example 2
PS C:\> Get-AzureRMADGroup -SearchString "Christine Koch Team"
DisplayName Type Id
----------- ---- --------
Christine Koch Team 2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb
PS C:\> New-AzureRmRoleAssignment -ObjectId 2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb -RoleDefinitionName Contributor -ResourceGroupName rg1
Grant access to a security group
Example 3
PS C:\> New-AzureRmRoleAssignment -SignInName john.doe@contoso.com -RoleDefinitionName Owner -Scope "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
Grant access to a user at a resource (website)
Example 4
PS C:\> New-AzureRMRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName "Virtual Machine Contributor" -ResourceName Devices-Engineering-ProjectRND -ResourceType Microsoft.Network/virtualNetworks/subnets -ParentResource virtualNetworks/VNET-EASTUS-01 -ResourceGroupName Network
Grant access to a group at a nested resource (subnet)
Example 5
PS C:\> $servicePrincipal = New-AzureRmADServicePrincipal -DisplayName "testServiceprincipal"
PS C:\> New-AzureRmRoleAssignment -RoleDefinitionName "Reader" -ApplicationId $servicePrincipal.ApplicationId
Grant reader access to a service principal
Parameters
-AllowDelegation
The delegation flag while creating a Role assignment.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ApplicationId
The Application ID of the ServicePrincipal
Type: | String |
Aliases: | SPN, ServicePrincipalName |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
Type: | IAzureContextContainer |
Aliases: | AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ObjectId
Microsoft Entra Objectid of the user, group or service principal.
Type: | Guid |
Aliases: | Id, PrincipalId |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ParentResource
The parent resource in the hierarchy(of the resource specified using ResourceName parameter). Should only be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceGroupName
The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceName
The resource name. For e.g. storageaccountprod. Should only be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceType
The resource type. For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-RoleDefinitionId
Id of the RBAC role that needs to be assigned to the principal.
Type: | Guid |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-RoleDefinitionName
Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Scope
The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-SignInName
The email address or the user principal name of the user.
Type: | String |
Aliases: | Email, UserPrincipalName |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Inputs
Outputs
Notes
Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment