How to create role-assignable groups in Microsoft Entra ID?
Instead of assigning roles to individual users, create a role-assignable group and assign permissions to the group. For example, by assigning the 'Help Desk Admins' role to the 'Help Desk' role-assignable group, you can ensure consistent access for all members, streamline administrative tasks, and simplify auditing.
Set up a Role-assignable Group in the Microsoft Entra Admin Center
- Navigate to All groups in the Microsoft Entra admin center.
- Click New group, select the Group type, and enter a suitable name and description for the group.
- Switch the 'Microsoft Entra roles can be assigned to the group' toggle to Yes. This setting is fixed at creation time and cannot be changed on an existing group.
- Choose the Members and Owners for the group. You can add roles to the group via the 'Roles' option or assign them later once the group is created.
- Click Create to set up a role-assignable group in Microsoft Entra ID.
Creating a role-assignable group in Microsoft 365 through the admin portal means navigating several tabs and sections, which is cumbersome when done repeatedly. With PowerShell, admins can script the same steps.
Create a Role-assignable Group using Microsoft Graph PowerShell
Connect to Microsoft Graph PowerShell with the required permissions using the cmdlet below. Creating the group itself needs a Group scope in addition to the role-management scope, and the signed-in account must hold the Privileged Role Administrator (or Global Administrator) role to set the role-assignable flag.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"
Once connected, you can create the desired type of role-assignable group. Below are the steps to create security and Microsoft 365 role-assignable groups.
Security Role-assignable Group
A security role-assignable group is used when you need to assign permissions but have no need for collaboration tools. This type of group is ideal for managing access and roles where communication features such as a shared mailbox or Teams are not required.
Run the below cmdlet in PowerShell to create a security role-assignable group in Microsoft 365.
New-MgGroup -DisplayName "<GroupName>" -MailEnabled:$false -SecurityEnabled -MailNickName "<MailNickName>" -IsAssignableToRole:$true
Microsoft 365 Role-assignable Group
A Microsoft 365 role-assignable group is used when you need to assign roles with integration into collaboration tools such as email and Teams. This type of group is ideal for team-based projects and communication, where both access control and collaboration are necessary.
Execute the following PowerShell cmdlet to create a Microsoft 365 role-assignable group.
New-MgGroup -DisplayName "<GroupName>" -MailEnabled:$true -SecurityEnabled -MailNickName "<MailNickName>" -IsAssignableToRole:$true -GroupTypes "Unified"
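The following script is an added example, not code from the original page: it ties the security-group cmdlet above to the role assignment described at the top (the 'Help Desk' group holding a helpdesk role), verifies the immutable role-assignable flag before any role is granted, and lists the group's assignments for auditing. The group name, mail nickname and role name are placeholders; the Microsoft.Graph modules are assumed to be installed and the signed-in account is assumed to hold Privileged Role Administrator.

```powershell
# Added example: create a security role-assignable group, verify it, assign a directory role, audit it.
$GroupName    = "Help Desk"              # placeholder display name
$MailNickname = "helpdesk-admins"        # placeholder; must be unique in the tenant
$RoleName     = "Helpdesk Administrator" # built-in role displayName; change to the role you intend

# Group creation needs a Group scope as well as the role-management scope.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# Refuse to create a duplicate: a second group with the same name would quietly hold the same privileges.
$existing = Get-MgGroup -Filter "displayName eq '$GroupName'"
if ($existing) { throw "A group named '$GroupName' already exists (id $($existing.Id))." }

$group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false -SecurityEnabled `
    -MailNickname $MailNickname -IsAssignableToRole:$true

# isAssignableToRole cannot be changed after creation, so confirm it before granting anything.
$check = Get-MgGroup -GroupId $group.Id -Property "id,displayName,isAssignableToRole"
if (-not $check.IsAssignableToRole) {
    throw "Group $($check.Id) was created without isAssignableToRole; delete it and recreate it."
}

# Resolve the built-in role definition and assign it to the group at tenant scope ("/").
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $roleDef) { throw "Role '$RoleName' was not found." }
$null = New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $group.Id -DirectoryScopeId "/"

# Audit view: every role currently held by this group. Reviewing one group beats reviewing
# the same role assigned to each helpdesk user individually.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    ForEach-Object {
        $rd = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Group = $check.DisplayName; Role = $rd.DisplayName; Scope = $_.DirectoryScopeId }
    }
```

Role-assignable groups cannot use dynamic membership, so membership changes for this group are explicit actions that show up in the audit log.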