Merge pull request #197592 from rolyon/rolyon-aadroles-admin-units-assign-roles-powershell-update

PRMerger14 · web-flow · commit 72451cd91bbf · 2022-05-09T14:40:40.000-07:00
[Azure AD roles] [Admin units] Assign role with admin unit scope powershell update
diff --git a/articles/active-directory/roles/admin-units-assign-roles.md b/articles/active-directory/roles/admin-units-assign-roles.md
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.subservice: roles
 ms.workload: identity
-ms.date: 03/22/2022
+ms.date: 05/09/2022
 ms.author: rolyon
 ms.reviewer: anandy
 ms.custom: oldportal;it-pro;
@@ -90,17 +90,16 @@ You can assign an Azure AD role with an administrative unit scope by using the A
 
 ### PowerShell
 
+Use the [New-AzureADMSRoleAssignment](/powershell/module/azuread/new-azureadmsroleassignment) command and the `DirectoryScopeId` parameter to assign a role with administrative unit scope.
+
 ```powershell
-$adminUser = Get-AzureADUser -ObjectId "Use the user's UPN, who would be an admin on this unit"
-$role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Administrator"
-$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
-$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
-$roleMember.Id = $adminUser.ObjectId
-Add-AzureADMSScopedRoleMembership -Id $adminUnitObj.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember
+$user = Get-AzureADUser -Filter "userPrincipalName eq 'Example_UPN'"
+$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Example_role_name'"
+$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
+$directoryScope = '/administrativeUnits/' + $adminUnit.Id
+$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
 ```
 
-You can change the highlighted section as required for the specific environment.
-
 ### Microsoft Graph API
 
 Request
@@ -136,13 +135,13 @@ You can view all the role assignments created with an administrative unit scope
 
 ### PowerShell
 
+Use the [Get-AzureADMSScopedRoleMembership](/powershell/module/azuread/get-azureadmsscopedrolemembership) command to list role assignments with administrative unit scope.
+
 ```powershell
-$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
-Get-AzureADMSScopedRoleMembership -Id $adminUnitObj.Id | fl *
+$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Example_admin_unit_name'"
+Get-AzureADMSScopedRoleMembership -Id $adminUnit.Id | fl *
 ```
 
-You can change the highlighted section as required for your specific environment.
-
 ### Microsoft Graph API
 
 Request
diff --git a/articles/active-directory/roles/custom-assign-powershell.md b/articles/active-directory/roles/custom-assign-powershell.md
@@ -132,10 +132,10 @@ Get-AzureADMSRoleAssignment -Filter "principalId eq '27c8ca78-ab1c-40ae-bd1b-eae
 Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '355aed8a-864b-4e2b-b225-ea95482e7570'"
 ```
 
-### Delete a role assignment
+### Remove a role assignment
 
 ``` PowerShell
-# Delete role assignment
+# Remove role assignment
 Remove-AzureADMSRoleAssignment -Id 'qiho4WOb9UKKgng_LbPV7tvKaKRCD61PkJeKMh7Y458-1'
 ```
 
