Set-EntraDirectoryRoleDefinition
Update an existing Microsoft Entra ID roleDefinition.
Syntax
Default (Default)
Set-EntraDirectoryRoleDefinition
[-TemplateId <String>]
[-DisplayName <String>]
[-RolePermissions <System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.RolePermission]>]
-UnifiedRoleDefinitionId <String>
[-Description <String>]
[-Version <String>]
[-IsEnabled <Boolean>]
[-ResourceScopes <System.Collections.Generic.List`1[System.String]>]
[<CommonParameters>]
Description
Updates a Microsoft Entra roleDefinition object identified by ID. You can't update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license.
In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are:
- Privileged Role Administrator
Examples
Example 1: Update a roleDefinition
Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
$roleDefinition = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq '<Role-Definition-Name>'"
Set-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -DisplayName 'UpdatedDisplayName'
This example updates the specified role definition in Microsoft Entra ID.
- -UnifiedRoleDefinitionId parameter specifies the roleDefinition object ID.
- -DisplayName parameter specifies the display name for the role definition.
Example 2: Update a roleDefinition with Description
Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
$roleDefinition = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq '<Role-Definition-Name>'"
Set-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -Description 'MYROLEUPDATE1S'
This example updates the Description of the specified role definition in Microsoft Entra ID.
- -UnifiedRoleDefinitionId parameter specifies the roleDefinition object ID.
- -Description parameter specifies the description for the role definition.
Example 3: Update a roleDefinition with IsEnabled
Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
$roleDefinition = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq '<Role-Definition-Name>'"
Set-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -IsEnabled $true
This example updates the IsEnabled value of the specified role definition in Microsoft Entra ID.
- -UnifiedRoleDefinitionId parameter specifies the roleDefinition object ID.
- -IsEnabled parameter specifies whether the role definition is enabled.
Example 4: Update a roleDefinition
Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
$roleDefinition = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq '<Role-Definition-Name>'"
# Build the permission object that replaces the role's allowed actions.
$rolePermissions = New-Object Microsoft.Open.MSGraph.Model.RolePermission
$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read")
# Splat all updated properties in a single call.
$params = @{
    UnifiedRoleDefinitionId = $roleDefinition.Id
    Description             = 'Update'
    DisplayName             = 'Update'
    ResourceScopes          = '/'
    IsEnabled               = $false
    RolePermissions         = $rolePermissions
    TemplateId              = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
    Version                 = 2
}
Set-EntraDirectoryRoleDefinition @params
This example updates the RolePermissions, TemplateId, ResourceScopes, and other properties of the specified role definition in Microsoft Entra ID.
- -UnifiedRoleDefinitionId parameter specifies the roleDefinition object ID.
- -RolePermissions parameter specifies the permissions for the role definition.
- -IsEnabled parameter specifies whether the role definition is enabled.
- -DisplayName parameter specifies the display name for the role definition.
- -Description parameter specifies the description for the role definition.
- -ResourceScopes parameter specifies the resource scopes for the role definition.
- -TemplateId parameter specifies the template ID for the role definition.
- -Version parameter specifies the version for the role definition.
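Because -RolePermissions changes what every holder of the role can do, it helps to diff the proposed actions against the current ones before calling the cmdlet. The following is an added example, not part of the original cmdlet documentation: Test-RolePermissionChange is a hypothetical helper, the sample role and proposed action list are constructed, and the IsBuiltIn and RolePermissions.AllowedResourceActions properties on the role object are an assumed shape.

```powershell
# Added example (not from the cmdlet documentation).
# Test-RolePermissionChange is a hypothetical helper name.
function Test-RolePermissionChange {
    param(
        # Object shaped like Get-EntraDirectoryRoleDefinition output (assumed shape).
        [Parameter(Mandatory)] $CurrentRole,
        [Parameter(Mandatory)] [string[]] $ProposedActions,
        # Additions a reviewer has already signed off on.
        [string[]] $ApprovedAdditions = @()
    )

    # Built-in roles can't be updated, so fail early.
    if ($CurrentRole.IsBuiltIn) {
        throw "Role '$($CurrentRole.DisplayName)' is built-in and can't be updated."
    }

    # -notin compares strings case-insensitively.
    $current    = @($CurrentRole.RolePermissions.AllowedResourceActions | Where-Object { $_ })
    $added      = @($ProposedActions | Where-Object { $_ -notin $current })
    $removed    = @($current | Where-Object { $_ -notin $ProposedActions })
    $unapproved = @($added | Where-Object { $_ -notin $ApprovedAdditions })

    [pscustomobject]@{
        Role        = $CurrentRole.DisplayName
        Added       = $added
        Removed     = $removed
        Unapproved  = $unapproved
        SafeToApply = ($unapproved.Count -eq 0)
    }
}

# Constructed sample standing in for a role fetched from the tenant.
$sampleRole = [pscustomobject]@{
    DisplayName     = 'Constructed Custom Role'
    IsBuiltIn       = $false
    RolePermissions = @([pscustomobject]@{
        AllowedResourceActions = @('microsoft.directory/applications/standard/read')
    })
}
$proposed = @(
    'microsoft.directory/applications/standard/read',
    'microsoft.directory/applications/credentials/update'
)

$review = Test-RolePermissionChange -CurrentRole $sampleRole -ProposedActions $proposed
$review | Format-List

# Only push the change when nothing unapproved is being added:
# if ($review.SafeToApply) { Set-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -RolePermissions $rolePermissions }
```

Keeping the returned object alongside the change ticket gives a before/after record of the role's allowed actions.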
Parameters
-Description
Specifies a description for the role definition.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-DisplayName
Specifies a display name for the role definition.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-IsEnabled
Specifies whether the role definition is enabled. Flag indicating if the role is enabled for assignment. If false, the role is not available for assignment. Read-only when isBuiltIn is true.
Parameter properties
| Type: | System.Boolean |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ResourceScopes
Specifies the resource scopes for the role definition.
Parameter properties
| Type: | System.Collections.Generic.List`1[System.String] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-RolePermissions
Specifies permissions for the role definition. List of permissions included in the role. Read-only when isBuiltIn is true.
Parameter properties
| Type: | System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.RolePermission] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-TemplateId
Specifies the template ID for the role definition. A custom template ID can be set when isBuiltIn is false. This ID is typically used to keep the same identifier across different directories. It is read-only when isBuiltIn is true.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-UnifiedRoleDefinitionId
Specifies the roleDefinition object ID.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | Id |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-Version
Specifies the version of the role definition. Read-only when isBuiltIn is true.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
System.String
Outputs
System.Object
Notes
Set-EntraRoleDefinition is an alias for Set-EntraDirectoryRoleDefinition.