
How to Get Role-assignable Groups in Microsoft 365

Role-assignable groups in Microsoft Entra ID provide a streamlined way to assign permissions to groups rather than assigning them individually to each user. However, this convenience comes with risks—if left unmonitored, these groups can lead to unauthorized access or privilege misuse. That’s why monitoring role-assignable groups is crucial. In this guide, we’ll show you how to retrieve all role-assignable groups in Microsoft 365, empowering you to strengthen access control and improve permissions oversight across your organization.

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required: Groups Admin (least privilege) or Global Admin (most privilege)
  • Log in to the Microsoft Entra admin center.
  • Navigate to Identity » Groups » All groups.
  • On the All groups page, select 'Add filter' and choose 'Role assignable groups'.
  • Click Apply to view the role-assignable groups in Microsoft Entra ID.

Using PowerShell

Microsoft 365 Permission Required: Groups Admin (least privilege) or Global Admin (most privilege)
  • Connect to the Microsoft Graph PowerShell module using the below cmdlet.
     Connect-MgGraph -Scopes "Group.Read.All"
  • Run the below cmdlet to get a list of all role-assignable groups in Microsoft 365 (the -All switch pages past the first 100 results; a tenant can hold up to 500 role-assignable groups).
     Get-MgGroup -Filter "isAssignableToRole eq true" -All

Here, you'll get all Microsoft Entra role-assignable groups with details such as group name, group ID, mail nickname, description, and group type.
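Listing the groups is only the first step; what a reviewer actually wants to know is which roles each group carries, who is in it, and whether anything looks wrong. The script below is an added example written for this article, not code from AdminDroid or Microsoft. It uses only Microsoft Graph PowerShell SDK cmdlets and read-only scopes, and it flags the same conditions the sections that follow describe: guest members, sign-in disabled owners, and empty groups. The output file name is an arbitrary choice.

```powershell
# Added example, not part of the original article: inventory every role-assignable group with
# its active Entra role assignments, owners and members, and flag the risky conditions the
# article discusses (guest members, sign-in disabled owners, empty groups).
# Requires the Microsoft.Graph PowerShell SDK; the scopes below are the read-only ones these cmdlets need.
Connect-MgGraph -Scopes "Group.Read.All", "RoleManagement.Read.Directory", "User.Read.All"

# Resolve role definition IDs to names once, instead of one lookup per assignment
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Group members/owners come back as generic directoryObject; fetch user details for user-typed ones only
function Get-UserDetails($directoryObjects) {
    $directoryObjects |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { Get-MgUser -UserId $_.Id -Property id,userPrincipalName,userType,accountEnabled }
}

$report = foreach ($group in Get-MgGroup -Filter "isAssignableToRole eq true" -All) {
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    $owners  = @(Get-MgGroupOwner  -GroupId $group.Id -All)

    $guestMembers   = @(Get-UserDetails $members | Where-Object { $_.UserType -eq 'Guest' })
    $disabledOwners = @(Get-UserDetails $owners  | Where-Object { -not $_.AccountEnabled })

    # Active (not PIM-eligible) assignments where this group is the principal
    $assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" -All)
    $roles = ($assignments | ForEach-Object { $roleNames[$_.RoleDefinitionId] }) -join '; '

    $findings = @()
    if ($members.Count -eq 0)        { $findings += 'Empty group' }
    if ($guestMembers.Count -gt 0)   { $findings += 'Guest member in privileged group' }
    if ($disabledOwners.Count -gt 0) { $findings += 'Owner is sign-in disabled' }
    if ($assignments.Count -eq 0)    { $findings += 'Role-assignable but no active role' }

    [PSCustomObject]@{
        GroupName      = $group.DisplayName
        GroupId        = $group.Id
        GroupType      = if ($group.GroupTypes -contains 'Unified') { 'Microsoft 365' } else { 'Security' }
        AssignedRoles  = $roles
        MemberCount    = $members.Count
        GuestMembers   = ($guestMembers.UserPrincipalName) -join '; '
        DisabledOwners = ($disabledOwners.UserPrincipalName) -join '; '
        Findings       = $findings -join '; '
    }
}

$report | Format-Table GroupName, GroupType, AssignedRoles, MemberCount, Findings -AutoSize
$report | Export-Csv -Path ".\RoleAssignableGroups.csv" -NoTypeInformation
```

Two caveats when reading the result. The assignment query returns only active assignments; a group that is PIM-eligible for a role shows up as "no active role" here, and eligibility must be checked separately through the role eligibility schedule cmdlets. And a group with no findings is not necessarily safe: a Global Administrator role on a group with a single, correctly configured owner is still a standing privilege worth reviewing on a schedule.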

Audit role-assignable groups with AdminDroid to investigate unintentional role assignments!

AdminDroid’s Microsoft 365 auditing tool offers detailed insights into role-assignable groups like group creations, modifications, deletions, group setting changes, and more. Effortlessly monitor member changes in role-assignable groups to detect any unintended role assignments and safeguard your organization’s security.

Stay Updated on Group Membership Changes with AdminDroid Alerts

Get notifications on membership changes in role-assignable groups with AdminDroid's alerting feature to ensure visibility over groups with privileged role assignments and prevent unauthorized role access.

Monitor the Role-assignable Groups with External Users Effectively

Utilize AdminDroid's groups with external users report to identify role-assignable groups with guest memberships and manage potential security risks.

Manage Empty Role Assignable Groups in Microsoft 365

Investigate empty groups in Microsoft 365 to identify role-assignable groups with no members and delete unnecessary ones to maintain only essential groups in your M365 environment.

Safeguard Against Unauthorized Deletion of Role-assignable Groups

Track the recently deleted groups report with AdminDroid to spot the deletion of role-assignable groups in Microsoft 365 and avoid accidental removal of critical access.

Detect Role-assignable Groups with Sign-In Disabled Owners

Use AdminDroid's groups with disabled owners report to identify role-assignable groups owned by sign-in disabled users, ensuring active management of privileged roles and preventing issues in role adjustments.

Download Role Assignable Groups Reports Using AdminDroid

Export role-assignable group reports using AdminDroid in your preferred format such as PDF, CSV, XLS, XLSX and more to easily analyze and share important data with your team.

In conclusion, AdminDroid provides a streamlined solution for tracking role-assignable groups, which gives complete visibility into role assignments. It ensures efficient management and helps maintain precise access control within your organization.

Explore a full range of reporting options

Important Tips

Use PIM to make a group eligible for a role assignment so members can activate roles through just-in-time access without providing standing access.

Enforce the principle of least privilege in Azure AD when assigning Microsoft 365 admin roles to minimize unauthorized access and ensure users only have the necessary permissions.

Assign Microsoft Entra roles with an administrative unit scope to restrict access and allow admins to manage the members in designated areas only.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while retrieving role-assignable groups in Entra ID.

Error: Nesting is currently not supported for groups that can be assigned to a role.

This error occurs when attempting to nest a group that has an assigned role in Microsoft Entra ID, as role-assignable groups do not support nesting.

Fix: Ensure that a role-assignable group is not used as the parent group for nesting.

Error: Visibility can only be set to Private for groups assignable to role.

The issue appears when trying to set a group configured as role-assignable to any visibility other than 'Private', since only 'Private' visibility is permitted for role-assignable groups.

Fix: Ensure that the group's visibility setting is configured to Private when creating or modifying a group that is assigned to a role.

Error: Get-MgGroup : Insufficient privileges to complete the operation.

This error occurs when running the 'Get-MgGroup' cmdlet in PowerShell without the necessary permissions to perform the requested operation.

Fix: Use the 'Group.Read.All' permission to connect to the MS Graph PowerShell module before running the 'Get-MgGroup' cmdlet.
# Run the below cmdlet to connect to the MS Graph PowerShell module with the required permissions.
Connect-MgGraph -Scopes "Group.Read.All"

Error: 'Microsoft Entra roles can be assigned to the group' is greyed out.

This issue arises when attempting to make a group role-assignable but the option is unavailable due to the licensing requirements.

Fix: Ensure that you have a Microsoft Entra ID P1 license to create role-assignable groups in M365.

Frequently Asked Questions

Utilize Role-assignable Groups in Microsoft 365 to Streamline Entra Role Assignments

How to create role-assignable groups in Microsoft Entra ID?


Instead of assigning roles to individual users, create a role-assignable group and assign permissions to the group. For example, by assigning the 'Help Desk Admins' role to the 'Help Desk' role-assignable group, you can ensure consistent access for all members, streamline administrative tasks, and simplify auditing.

Set up a Role-assignable Group in the Microsoft Entra Admin Center

  • Navigate to the All groups page in the Microsoft Entra admin center.
  • Click New group and select the Group type. Then, enter a suitable name and description for your group.
  • Switch the 'Microsoft Entra roles can be assigned to the group' toggle to Yes.
  • Choose the Members and Owners for the group. You can add roles to the group via the 'Roles' option or assign them later once the group is created.
  • Click Create to set up a role-assignable group in Microsoft Entra ID.

Creating a role-assignable group in Microsoft 365 through the admin portal involves navigating through multiple tabs and sections, which can be cumbersome. Using PowerShell, admins can streamline this process effectively.

Create a Role-assignable Group using Microsoft Graph PowerShell

Connect to the Microsoft Graph PowerShell with required permissions using the below cmdlet.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

Once connected, you can create the desired type of role-assignable group. Below are the steps to create security and Microsoft 365 role-assignable groups.

Security Role-assignable Group

A security role-assignable group is used when you need to assign permissions without the need for collaboration tools. This type of group is ideal for managing access and roles in scenarios where communication features are not required.

Run the below cmdlet in PowerShell to create a security role-assignable group in Microsoft 365.

New-MgGroup -DisplayName "<GroupName>" -MailEnabled:$false -SecurityEnabled -MailNickName "<MailNickName>" -IsAssignableToRole:$true

Microsoft 365 Role-assignable Group

A Microsoft 365 role-assignable group is used when you need to assign roles with integration into collaboration tools such as email and Teams. This type of group is ideal for team-based projects and communication, where both access control and collaboration are necessary.

Execute the following PowerShell cmdlet to create a Microsoft 365 role-assignable group.

New-MgGroup -DisplayName "<GroupName>" -MailEnabled:$true -SecurityEnabled -MailNickName "<MailNickName>" -IsAssignableToRole:$true -GroupTypes "Unified" -Visibility "Private"

Note: The -Visibility "Private" parameter is required here. A Microsoft 365 group defaults to Public visibility, and Microsoft Entra rejects any visibility other than Private for role-assignable groups (see the 'Visibility can only be set to Private' error under Common Errors).

How to assign Microsoft Entra roles to groups?


Use Microsoft Entra groups to manage role assignments efficiently and reduce manual tasks. By assigning roles to groups rather than individual users, you can centralize access management, making it easy to add or remove users from a role as needed.

Assign Roles to a Group using Microsoft Entra Admin Center

  • Go to the All roles page in the Microsoft Entra admin center.
  • Select the role you want to add to the group and click 'Add assignments'.
  • Under the Membership tab, click the link below 'Select member(s)'.
  • In the Groups tab, select the groups to assign the role and click Select. Then, click Next.
  • Under the 'Setting' tab, you can configure the Assignment type to any one of the following.
    • Eligible: This option is to make users eligible to perform privileged tasks, which require an approval process before they can take action.
    • Active: Using this option, you can directly assign the role to users, which grants them immediate access to the associated privileges and responsibilities.
  • Then, specify the maximum allowed role assignment duration, or set it to Permanently eligible if desired.
  • Finally, click Assign to apply the role to the selected groups.

Using the Microsoft Entra Admin Center to assign roles can be time-consuming, especially when dealing with multiple groups. In contrast, PowerShell provides a more efficient solution, offering faster execution and greater flexibility in handling role assignments.

Microsoft 365 Role Assignments for Groups using PowerShell

Connect to the Microsoft Graph PowerShell with required permission using the below cmdlet.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

Run the below cmdlet in PowerShell to retrieve the role definition ID of a Microsoft Entra role you wish to assign to a group.

Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '<RoleName>'"

Execute the following PowerShell cmdlet to assign Microsoft Entra roles to groups.

New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId "<RoleDefinitionId>" -PrincipalId "<GroupId>"

Note: You can fetch the Group ID using the 'Get-MgGroup' cmdlet.

To view the role assignments for the group, use the PowerShell cmdlet below.

Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '<GroupId>'"
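The three cmdlets above do the job, but run blindly they fail in unhelpful ways: an ordinary group cannot receive a role, a display-name filter can match more than one object, and re-running the assignment creates a duplicate. The script below is an added example written for this article (not AdminDroid's or Microsoft's code) that wraps the same cmdlets with those checks and also shows the administrative-unit scope mentioned in the Important Tips section. The group name and administrative unit ID are placeholders; "Helpdesk Administrator" is the display name of the built-in Entra role.

```powershell
# Added example, not part of the original article: assign a Microsoft Entra role to a group
# with pre-checks, optionally scoped to an administrative unit instead of the whole tenant.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All"

$roleName    = "Helpdesk Administrator"   # built-in role display name; any role display name works
$groupName   = "<GroupName>"              # placeholder: the role-assignable group to assign the role to
$adminUnitId = $null                      # placeholder: set to an administrative unit ID to restrict the role's reach

# Resolve the group and confirm it was created as role-assignable (this flag cannot be set later)
$group = @(Get-MgGroup -Filter "displayName eq '$groupName'" -Property id,displayName,isAssignableToRole)
if ($group.Count -eq 0) { throw "Group '$groupName' not found." }
if ($group.Count -gt 1) { throw "Group name '$groupName' matches more than one group; use the object ID instead." }
$group = $group[0]
if (-not $group.IsAssignableToRole) {
    throw "Group '$groupName' is not role-assignable; Entra will reject the assignment. Create a new role-assignable group."
}

# Resolve the role definition by display name
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found." }

# '/' is tenant-wide; '/administrativeUnits/<id>' limits the role to objects in that administrative unit
$scope = if ($adminUnitId) { "/administrativeUnits/$adminUnitId" } else { "/" }

# Idempotency check: do not create a second identical active assignment
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Where-Object { $_.DirectoryScopeId -eq $scope }

if ($existing) {
    Write-Host "'$roleName' is already assigned to '$($group.DisplayName)' at scope '$scope'."
} else {
    $assignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $scope `
        -RoleDefinitionId $role.Id -PrincipalId $group.Id
    Write-Host "Assigned '$roleName' to '$($group.DisplayName)' at scope '$scope' (assignment ID $($assignment.Id))."
}

# Confirm what the group now holds
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

This creates an active (standing) assignment, which is what the page's cmdlet does too. Where the intent is just-in-time access as described under Important Tips, make the group eligible through PIM instead of creating an active assignment here.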

What are the restrictions of role-assignable groups in Entra ID?


Role-assignable groups are secured with specific restrictions to enhance role-based access control in Microsoft Entra ID. These restrictions involve immutability, membership limitations, and specific administrative permissions. They help ensure that only authorized users gain role-based access control in Entra ID, which makes identity management more secure.

Role-assignable groups in Microsoft Entra ID come with the following restrictions:

  • Group Status Cannot Be Altered: Once a group is created as role-assignable, its status cannot be changed. Additionally, existing groups cannot be converted to role-assignable.
  • Count Limit: Each organization can have up to 500 role-assignable groups.
  • Membership Type: Microsoft does not allow dynamic membership for role-assignable groups, because a dynamic membership rule could automatically add unintended members and thereby grant them the group's roles.
  • Nesting: Role-assignable groups cannot include other groups as members; however, they can be added as members of other groups. This restriction prevents admin roles from being unintentionally extended to nested groups, reducing the risk of unintentional privilege escalation.
  • Administrative Access Requirements: The 'Group.ReadWrite.All' permission won't work for managing membership of role-assignable groups. Users must have the 'RoleManagement.ReadWrite.Directory' permission to manage group membership.
  • Delegated Management: Only Privileged Role Administrators can manage the group membership by default, but they can delegate this task by assigning group owners.
  • Access Restrictions: Modifications to sensitive attributes, credential changes, or MFA resets for role-assignable group members and owners require the Privileged Authentication Administrator role. Also, Privileged Role Administrator permissions are required to create role-assignable groups.

What are the differences between role-assignable groups and PIM for groups?


Role-assignable groups and Privileged Identity Management (PIM) for groups are both features in Microsoft Entra ID that help manage access to resources, but they serve different purposes.

Role-assignable Groups

These groups are designed to streamline the assignment of roles to multiple users. By creating role-assignable groups, admins can assign a role to a group rather than to individual users, simplifying management. Microsoft recommends role-assignable groups not only for role assignments but also for accessing sensitive resources due to extra protections they offer.

  • Group-Based Role Assignments: Assigning roles to a group ensures that all members within the group are automatically assigned the specified roles.
  • Access to Sensitive Resources: Role-assignable groups provide enhanced security for sensitive resources by offering additional protection, making them a preferred option for such access.
  • Ease of Management: It reduces administrative overhead by allowing bulk role assignments and updates.

Privileged Identity Management for Groups

PIM for Groups enhances security by providing just-in-time membership and ownership of groups. It manages highly privileged access to sensitive resources by allowing temporary activation of membership within Microsoft Entra groups. Note that any group, whether role-assignable or not (except dynamic membership groups and those synchronized from on-premises), is eligible for PIM for Groups.

  • Just-in-Time Access: Users can activate their role for a limited time, reducing the risk of persistent access.
  • Approval Workflows: Role activations can require approval, adding an extra layer of security.

In summary, role-assignable groups focus on simplifying role management, while PIM for groups ensures secure and time-bound access to critical roles.

Note: Role-assignable groups require Microsoft Entra ID P1 for creating and assigning roles to groups. Microsoft Entra ID P2 enables Privileged Identity Management (PIM) for just-in-time access to roles.

How to create an Entra ID custom role in Microsoft 365?


In Microsoft Entra ID, custom roles allow organizations to manage permissions with precision, ensuring employees only have the access they need. While Microsoft Entra built-in roles provide standard permissions, custom roles enable effective delegation of responsibilities, enhance security, and limit unnecessary access to sensitive data.

Create a Custom Role in Microsoft Entra ID

  • Log in to the Microsoft Entra admin center.
  • Open the All roles page under Identity » Roles & admins » Roles & admins.
  • Select 'New custom role' option and enter the role's details in the 'Basics' tab, such as Name and Description.
  • For Baseline permissions, select 'Start from scratch' to create a completely new role from Microsoft Entra role permissions.
  • Alternatively, choose 'Clone from a custom role' to copy an existing custom role. Then, click 'Next'.
  • In the 'Permissions' tab, select the permissions you want to include in the custom role, then click 'Next'.
  • Review the selected permissions for the custom role in 'Review + create' tab.
  • Finally, click 'Create' to save the Entra ID custom role in Microsoft 365.

Create a Custom Role using PowerShell

Connect to the Microsoft Graph PowerShell with required permissions using the below cmdlet.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

Run the below PowerShell script to create a custom role in Entra ID.

$displayName = "<RoleName>"
# Each custom role definition needs a template ID; a fresh GUID is the usual choice
$templateId = (New-Guid).Guid
# Resource actions the role may perform, e.g. "microsoft.directory/applications/basic/update"
$allowedResourceAction = @("<RolePermission1>", "<RolePermission2>")
$rolePermissions = @(@{AllowedResourceActions = $allowedResourceAction})
New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -IsEnabled:$true -TemplateId $templateId

Note: Replace <RoleName>, <RolePermission1>, and <RolePermission2> with the actual role name and permission actions required for your custom role.
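Once custom roles exist, the question that matters for access review is which actions each one actually grants and who created it. The script below is an added example written for this article, not AdminDroid's or Microsoft's code. It lists the non-built-in role definitions with their resource actions and joins them to the directory audit log; the audit activity name "Add role definition" used for that lookup, and the regular expression used to mark an action as sensitive, are assumptions made for this example.

```powershell
# Added example, not part of the original article: list custom Entra role definitions with the
# actions they grant, and look up in the directory audit log who created each one.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All"

# Custom roles are the role definitions that are not built in
$customRoles = @(Get-MgRoleManagementDirectoryRoleDefinition -Filter "isBuiltIn eq false" -All)

# Audit entries for role definition creation, keyed by the created role's display name.
# Assumption: the activity is logged under the display name "Add role definition".
$creations = @{}
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add role definition'" -All | ForEach-Object {
    $target = $_.TargetResources | Select-Object -First 1
    if ($target -and $target.DisplayName) {
        $creations[$target.DisplayName] = [PSCustomObject]@{
            By   = $_.InitiatedBy.User.UserPrincipalName
            When = $_.ActivityDateTime
        }
    }
}

# Assumption for this example: actions that touch credentials, passwords or role assignments
# are the ones most worth a second look during review
$sensitivePattern = 'credentials|password|roleAssignments'

$customRoles | ForEach-Object {
    $created = $creations[$_.DisplayName]
    $actions = @($_.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
    [PSCustomObject]@{
        RoleName    = $_.DisplayName
        Enabled     = $_.IsEnabled
        ActionCount = $actions.Count
        Sensitive   = [bool]($actions | Where-Object { $_ -match $sensitivePattern })
        Actions     = $actions -join '; '
        CreatedBy   = if ($created) { $created.By } else { '(not in audit log)' }
        CreatedOn   = if ($created) { $created.When } else { $null }
    }
} | Sort-Object Sensitive -Descending | Format-Table RoleName, Enabled, ActionCount, Sensitive, CreatedBy, CreatedOn -AutoSize
```

The directory audit log is retained for a limited time depending on licence, so roles created before the retention window show up as "(not in audit log)"; that is exactly the gap a longer-retention auditing store is meant to close.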

Adding custom roles can help tailor permissions to specific needs, but it may become challenging to keep track of who added them and when, especially as the list of custom roles grows. For example, in complex organizations, this is critical for auditing and maintaining control over access levels.

Using AdminDroid, you can efficiently audit custom role additions in your organization.

  • This report provides a detailed view of all custom roles added, including the role name, the admin who added it, timestamp, extended properties and more.
  • Admins can leverage this report to ensure compliance, track changes, and quickly identify any unauthorized or unnecessary roles.