
Commit fe2a437

Assign role with admin unit scope powershell
1 parent 687b584 commit fe2a437


2 files changed

+10
-11
lines changed

articles/active-directory/roles/admin-units-assign-roles.md

Lines changed: 8 additions & 9 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.topic: how-to
1010
ms.subservice: roles
1111
ms.workload: identity
12-
ms.date: 03/22/2022
12+
ms.date: 05/09/2022
1313
ms.author: rolyon
1414
ms.reviewer: anandy
1515
ms.custom: oldportal;it-pro;
@@ -91,12 +91,11 @@ You can assign an Azure AD role with an administrative unit scope by using the A
9191
### PowerShell
9292

9393
```powershell
94-
$adminUser = Get-AzureADUser -ObjectId "Use the user's UPN, who would be an admin on this unit"
95-
$role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Administrator"
96-
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
97-
$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
98-
$roleMember.Id = $adminUser.ObjectId
99-
Add-AzureADMSScopedRoleMembership -Id $adminUnitObj.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember
94+
$user = Get-AzureADUser -Filter "userPrincipalName eq 'Example_UPN'"
95+
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Example_role_name'"
96+
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
97+
$directoryScope = '/administrativeUnits/' + $adminUnit.Id
98+
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
10099
```
101100

102101
You can change the highlighted section as required for the specific environment.
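Review bot: The added lines 94-98 never check that the three `-Filter` lookups each returned exactly one object before `New-AzureADMSRoleAssignment` runs. If `Get-AzureADMSAdministrativeUnit` matches nothing, `'/administrativeUnits/' + $adminUnit.Id` evaluates to `/administrativeUnits/` with no ID, and a display name that matches several units gives more than one Id. Because this sets the scope of a privileged role, suggest a guard before line 97, or a sentence telling readers to confirm that `$user`, `$roleDefinition` and `$adminUnit` each hold a single result. Minor: `$user.objectId` on line 98 is cased differently from `$adminUnit.Id` and `$roleDefinition.Id`; `ObjectId` would be consistent. The unchanged sentence after the block still refers to a "highlighted section", while the placeholders are now `Example_UPN`, `Example_role_name` and `Example_admin_unit_name`; naming them in that sentence would help.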
@@ -137,8 +136,8 @@ You can view all the role assignments created with an administrative unit scope
137136
### PowerShell
138137

139138
```powershell
140-
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
141-
Get-AzureADMSScopedRoleMembership -Id $adminUnitObj.Id | fl *
139+
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Example_admin_unit_name'"
140+
Get-AzureADMSScopedRoleMembership -Id $adminUnit.Id | fl *
142141
```
143142

144143
You can change the highlighted section as required for your specific environment.
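Review bot: The filter on added line 139 still spells the property `displayname`, while the assignment example changed in this same commit uses `displayName`; suggest matching the casing so the two snippets read consistently. Also worth confirming in the text: the assignment is now created with `New-AzureADMSRoleAssignment`, but this listing still goes through `Get-AzureADMSScopedRoleMembership`. A reader auditing what they just granted would benefit from a note on whether the new assignment appears here, or from a pointer to `Get-AzureADMSRoleAssignment`, which the custom-assign-powershell.md article already uses.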

articles/active-directory/roles/custom-assign-powershell.md

Lines changed: 2 additions & 2 deletions
@@ -132,10 +132,10 @@ Get-AzureADMSRoleAssignment -Filter "principalId eq '27c8ca78-ab1c-40ae-bd1b-eae
132132
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '355aed8a-864b-4e2b-b225-ea95482e7570'"
133133
```
134134

135-
### Delete a role assignment
135+
### Remove a role assignment
136136

137137
``` PowerShell
138-
# Delete role assignment
138+
# Remove role assignment
139139
Remove-AzureADMSRoleAssignment -Id 'qiho4WOb9UKKgng_LbPV7tvKaKRCD61PkJeKMh7Y458-1'
140140
```
141141
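Review bot: Renaming the heading on line 135 from "Delete a role assignment" to "Remove a role assignment" changes the generated section anchor, so any existing links to the old `#delete-a-role-assignment` fragment should be searched for and updated in the same change. Style point on the unchanged line 137: the fence is written as three backticks followed by a space and `PowerShell`, whereas the other article in this commit uses a lowercase `powershell` tag with no space; aligning them while touching this section would be cheap.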
