New-AzureRmRoleAssignment

Assigns the specified RBAC role to the specified principal, at the specified scope.

Warning

The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.

Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.

Syntax

New-AzureRmRoleAssignment
   -ObjectId <Guid>
   -Scope <String>
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -ObjectId <Guid>
   -ResourceGroupName <String>
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -ObjectId <Guid>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -ObjectId <Guid>
   [-Scope <String>]
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -ObjectId <Guid>
   -Scope <String>
   -RoleDefinitionId <Guid>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -SignInName <String>
   -ResourceGroupName <String>
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -SignInName <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -SignInName <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -ApplicationId <String>
   -ResourceGroupName <String>
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -ApplicationId <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleAssignment
   -ApplicationId <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

Use the New-AzureRMRoleAssignment command to grant access. Access is granted by assigning the appropriate RBAC role to them at the right scope. To grant access to the entire subscription, assign a role at the subscription scope. To grant access to a specific resource group within a subscription, assign a role at the resource group scope. The subject of the assignment must be specified. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName parameter. The scope at which access is being granted may be specified. It defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId> b. ResourceGroupName - to grant access to the specified resource group. c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - to specify a particular resource within a resource group to grant access to.

Examples

Example 1

PS C:\> New-AzureRmRoleAssignment -ResourceGroupName rg1 -SignInName allen.young@live.com -RoleDefinitionName Reader -AllowDelegation

Grant Reader role access to a user at a resource group scope with the Role Assignment being available for delegation

Example 2

PS C:\> Get-AzureRMADGroup -SearchString "Christine Koch Team"

          DisplayName                    Type                           Id
          -----------                    ----                           --------
          Christine Koch Team                                           2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb

PS C:\> New-AzureRmRoleAssignment -ObjectId 2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb -RoleDefinitionName Contributor  -ResourceGroupName rg1

Grant access to a security group

Example 3

PS C:\> New-AzureRmRoleAssignment -SignInName john.doe@contoso.com -RoleDefinitionName Owner -Scope "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"

Grant access to a user at a resource (website)

Example 4

PS C:\> New-AzureRMRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName "Virtual Machine Contributor" -ResourceName Devices-Engineering-ProjectRND -ResourceType Microsoft.Network/virtualNetworks/subnets -ParentResource virtualNetworks/VNET-EASTUS-01 -ResourceGroupName Network

Grant access to a group at a nested resource (subnet)

Example 5

PS C:\> $servicePrincipal = New-AzureRmADServicePrincipal -DisplayName "testServiceprincipal"
PS C:\> New-AzureRmRoleAssignment -RoleDefinitionName "Reader" -ApplicationId $servicePrincipal.ApplicationId

Grant reader access to a service principal

Parameters

-AllowDelegation

The delegation flag while creating a Role assignment.

Type:SwitchParameter
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ApplicationId

The Application ID of the ServicePrincipal

Type:String
Aliases:SPN, ServicePrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ObjectId

Microsoft Entra Objectid of the user, group or service principal.

Type:Guid
Aliases:Id, PrincipalId
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ParentResource

The parent resource in the hierarchy(of the resource specified using ResourceName parameter). Should only be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ResourceGroupName

The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceName

The resource name. For e.g. storageaccountprod. Should only be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceType

The resource type. For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionId

Id of the RBAC role that needs to be assigned to the principal.

Type:Guid
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionName

Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Scope

The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SignInName

The email address or the user principal name of the user.

Type:String
Aliases:Email, UserPrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

Inputs

Guid

String

Outputs

PSRoleAssignment

Notes

Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment