New-MgGroupAppRoleAssignment

Use this API to assign an app role to a security group. All direct members of the group will be considered assigned. Security groups with dynamic memberships are supported. To grant an app role assignment to a group, you need three identifiers: Additional licenses might be required to use a group to manage access to applications.

Note

To view the beta release of this cmdlet, view New-MgBetaGroupAppRoleAssignment

Syntax

New-MgGroupAppRoleAssignment
   -GroupId <String>
   [-ResponseHeadersVariable <String>]
   [-AdditionalProperties <Hashtable>]
   [-AppRoleId <String>]
   [-CreatedDateTime <DateTime>]
   [-DeletedDateTime <DateTime>]
   [-Id <String>]
   [-PrincipalDisplayName <String>]
   [-PrincipalId <String>]
   [-PrincipalType <String>]
   [-ResourceDisplayName <String>]
   [-ResourceId <String>]
   [-Headers <IDictionary>]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-MgGroupAppRoleAssignment
   -GroupId <String>
   -BodyParameter <IMicrosoftGraphAppRoleAssignment>
   [-ResponseHeadersVariable <String>]
   [-Headers <IDictionary>]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-MgGroupAppRoleAssignment
   -InputObject <IApplicationsIdentity>
   [-ResponseHeadersVariable <String>]
   [-AdditionalProperties <Hashtable>]
   [-AppRoleId <String>]
   [-CreatedDateTime <DateTime>]
   [-DeletedDateTime <DateTime>]
   [-Id <String>]
   [-PrincipalDisplayName <String>]
   [-PrincipalId <String>]
   [-PrincipalType <String>]
   [-ResourceDisplayName <String>]
   [-ResourceId <String>]
   [-Headers <IDictionary>]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-MgGroupAppRoleAssignment
   -InputObject <IApplicationsIdentity>
   -BodyParameter <IMicrosoftGraphAppRoleAssignment>
   [-ResponseHeadersVariable <String>]
   [-Headers <IDictionary>]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Use this API to assign an app role to a security group. All direct members of the group will be considered assigned. Security groups with dynamic memberships are supported. To grant an app role assignment to a group, you need three identifiers: Additional licenses might be required to use a group to manage access to applications.

Permissions

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) AppRoleAssignment.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application AppRoleAssignment.ReadWrite.All Not available.

Examples

Example 1: Assign an app role to a group

$appRoleAssignment = @{
  "principalId"= "f07a8d78-f18c-4c02-b339-9ebace025122"
  "resourceId"= "1c48f923-4fbb-4d37-b772-4d577eefec9e"
  "appRoleId"= "00000000-0000-0000-0000-000000000000"
  }

New-MgGroupAppRoleAssignment -GroupId 'f07a8d78-f18c-4c02-b339-9ebace025122' -BodyParameter $appRoleAssignment | 
  Format-List

AppRoleId            : 00000000-0000-0000-0000-000000000000
CreatedDateTime      : 8/19/2021 11:25:25 AM
DeletedDateTime      :
Id                   : eI168IzxAkyzOZ66zgJRIqVVeeA1CVFKmaBn-MGn0Bw
PrincipalDisplayName : All Employees
PrincipalId          : f07a8d78-f18c-4c02-b339-9ebace025122
PrincipalType        : Group
ResourceDisplayName  : Office 365 SharePoint Online
ResourceId           : 1c48f923-4fbb-4d37-b772-4d577eefec9e
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#groups('f07a8d78-f18c-4c02-b339-9ebace025122')/appRoleAssignments/$entity], [@odata.id, https://graph.microsoft.com/v2/fb625e04-52aa-42da-
                       b10d-14f1195d665f/directoryObjects/$/Microsoft.DirectoryServices.Group('f07a8d78-f18c-4c02-b339-9ebace025122')/appRoleAssignments/eI168IzxAkyzOZ66zgJRIqVVeeA1CVFKmaBn-MGn0Bw]}

In this example, the first defines creates the $appRoleAssignment variable that defines the following:

-principalId: The id of the group to which you are assigning the app role.

-resourceId: The id of the resource servicePrincipal which has defined the app role.

-appRoleId: The id of the appRole (defined on the resource service principal) to assign to the group.

Learn more about the AppRoleAssignment resource.

The second command adds the role to the specified group.

Parameters

-AdditionalProperties

Additional Parameters

Type:Hashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AppRoleId

The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-BodyParameter

appRoleAssignment To construct, see NOTES section for BODYPARAMETER properties and create a hash table.

Type:IMicrosoftGraphAppRoleAssignment
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CreatedDateTime

The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.

Type:DateTime
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DeletedDateTime

Date and time when this object was deleted. Always null when the object hasn't been deleted.

Type:DateTime
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-GroupId

The unique identifier of group

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Headers

Optional headers that will be added to the request.

Type:IDictionary
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Id

The unique identifier for an entity. Read-only.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.

Type:IApplicationsIdentity
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-PrincipalDisplayName

The display name of the user, group, or service principal that was granted the app role assignment. Read-only. Supports $filter (eq and startswith).

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PrincipalId

The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PrincipalType

The type of the assigned principal. This can either be User, Group, or ServicePrincipal. Read-only.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ProgressAction

{{ Fill ProgressAction Description }}

Type:ActionPreference
Aliases:proga
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceDisplayName

The display name of the resource app's service principal to which the assignment is made.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceId

The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only).

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResponseHeadersVariable

Optional Response Headers Variable.

Type:String
Aliases:RHV
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

Microsoft.Graph.PowerShell.Models.IApplicationsIdentity

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAppRoleAssignment

System.Collections.IDictionary

Outputs

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAppRoleAssignment

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

BODYPARAMETER <IMicrosoftGraphAppRoleAssignment>: appRoleAssignment

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [DeletedDateTime <DateTime?>]: Date and time when this object was deleted. Always null when the object hasn't been deleted.
  • [Id <String>]: The unique identifier for an entity. Read-only.
  • [AppRoleId <String>]: The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create.
  • [CreatedDateTime <DateTime?>]: The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
  • [PrincipalDisplayName <String>]: The display name of the user, group, or service principal that was granted the app role assignment. Read-only. Supports $filter (eq and startswith).
  • [PrincipalId <String>]: The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create.
  • [PrincipalType <String>]: The type of the assigned principal. This can either be User, Group, or ServicePrincipal. Read-only.
  • [ResourceDisplayName <String>]: The display name of the resource app's service principal to which the assignment is made.
  • [ResourceId <String>]: The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only).

INPUTOBJECT <IApplicationsIdentity>: Identity Parameter

  • [AppId <String>]: Alternate key of application
  • [AppManagementPolicyId <String>]: The unique identifier of appManagementPolicy
  • [AppRoleAssignmentId <String>]: The unique identifier of appRoleAssignment
  • [ApplicationId <String>]: The unique identifier of application
  • [ApplicationTemplateId <String>]: The unique identifier of applicationTemplate
  • [ClaimsMappingPolicyId <String>]: The unique identifier of claimsMappingPolicy
  • [DelegatedPermissionClassificationId <String>]: The unique identifier of delegatedPermissionClassification
  • [DirectoryDefinitionId <String>]: The unique identifier of directoryDefinition
  • [DirectoryObjectId <String>]: The unique identifier of directoryObject
  • [EndpointId <String>]: The unique identifier of endpoint
  • [ExtensionPropertyId <String>]: The unique identifier of extensionProperty
  • [FederatedIdentityCredentialId <String>]: The unique identifier of federatedIdentityCredential
  • [GroupId <String>]: The unique identifier of group
  • [HomeRealmDiscoveryPolicyId <String>]: The unique identifier of homeRealmDiscoveryPolicy
  • [Name <String>]: Alternate key of federatedIdentityCredential
  • [OAuth2PermissionGrantId <String>]: The unique identifier of oAuth2PermissionGrant
  • [ServicePrincipalId <String>]: The unique identifier of servicePrincipal
  • [SynchronizationJobId <String>]: The unique identifier of synchronizationJob
  • [SynchronizationTemplateId <String>]: The unique identifier of synchronizationTemplate
  • [TargetDeviceGroupId <String>]: The unique identifier of targetDeviceGroup
  • [TokenIssuancePolicyId <String>]: The unique identifier of tokenIssuancePolicy
  • [TokenLifetimePolicyId <String>]: The unique identifier of tokenLifetimePolicy
  • [UniqueName <String>]: Alternate key of application
  • [UserId <String>]: The unique identifier of user