

New-AzureRmRoleAssignment

Assigns the specified RBAC role to the specified principal, at the specified scope.

Warning

The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.

Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.

Syntax

EmptyParameterSet (Default)

New-AzureRmRoleAssignment
    -ObjectId <Guid>
    -Scope <String>
    -RoleDefinitionName <String>
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceGroupWithObjectIdParameterSet

New-AzureRmRoleAssignment
    -ObjectId <Guid>
    -ResourceGroupName <String>
    -RoleDefinitionName <String>
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceWithObjectIdParameterSet

New-AzureRmRoleAssignment
    -ObjectId <Guid>
    -ResourceGroupName <String>
    -ResourceName <String>
    -ResourceType <String>
    -RoleDefinitionName <String>
    [-ParentResource <String>]
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ScopeWithObjectIdParameterSet

New-AzureRmRoleAssignment
    -ObjectId <Guid>
    -RoleDefinitionName <String>
    [-Scope <String>]
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

RoleIdWithScopeAndObjectIdParameterSet

New-AzureRmRoleAssignment
    -ObjectId <Guid>
    -Scope <String>
    -RoleDefinitionId <Guid>
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceGroupWithSignInNameParameterSet

New-AzureRmRoleAssignment
    -SignInName <String>
    -ResourceGroupName <String>
    -RoleDefinitionName <String>
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceWithSignInNameParameterSet

New-AzureRmRoleAssignment
    -SignInName <String>
    -ResourceGroupName <String>
    -ResourceName <String>
    -ResourceType <String>
    -RoleDefinitionName <String>
    [-ParentResource <String>]
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ScopeWithSignInNameParameterSet

New-AzureRmRoleAssignment
    -SignInName <String>
    -RoleDefinitionName <String>
    [-Scope <String>]
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceGroupWithSPNParameterSet

New-AzureRmRoleAssignment
    -ApplicationId <String>
    -ResourceGroupName <String>
    -RoleDefinitionName <String>
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceWithSPNParameterSet

New-AzureRmRoleAssignment
    -ApplicationId <String>
    -ResourceGroupName <String>
    -ResourceName <String>
    -ResourceType <String>
    -RoleDefinitionName <String>
    [-ParentResource <String>]
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ScopeWithSPNParameterSet

New-AzureRmRoleAssignment
    -ApplicationId <String>
    -RoleDefinitionName <String>
    [-Scope <String>]
    [-AllowDelegation]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

Description

Use the New-AzureRMRoleAssignment command to grant access. Access is granted by assigning the appropriate RBAC role to the principal at the right scope. To grant access to the entire subscription, assign a role at the subscription scope. To grant access to a specific resource group within a subscription, assign a role at the resource group scope.

The subject of the assignment must be specified. To specify a user, use the SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use the Microsoft Entra ObjectId parameter. To specify a Microsoft Entra application, use the ApplicationId or ObjectId parameters.

The role that is being assigned must be specified using the RoleDefinitionName parameter.

The scope at which access is being granted may be specified; it defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations:

a. Scope - the fully qualified scope, starting with /subscriptions/<subscriptionId>.
b. ResourceGroupName - to grant access to the specified resource group.
c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - to specify a particular resource within a resource group to grant access to.
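The three scope forms above (a, b, c) all resolve to one relative URI that the cmdlet accepts through -Scope; the helper below is an added example, not code from this page or from the AzureRM module, that builds that URI in the ARM resource ID form shown in Example 3, refuses a scope not rooted in a subscription, skips the call when an identical assignment already exists, and only then calls New-AzureRmRoleAssignment with an explicit -Scope. It assumes a signed-in AzureRM session; Get-AzureRmContext and Get-AzureRmRoleAssignment are AzureRM cmdlets not documented on this page, and the function name is my own.

```powershell
function New-ScopedRoleAssignment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [Guid]   $ObjectId,
        [Parameter(Mandatory)] [string] $RoleDefinitionName,
        [string] $SubscriptionId = (Get-AzureRmContext).Subscription.Id,  # assumed AzureRM cmdlet
        [string] $ResourceGroupName,
        [string] $ResourceType,    # e.g. Microsoft.Network/virtualNetworks/subnets
        [string] $ResourceName,
        [string] $ParentResource   # e.g. virtualNetworks/VNET-EASTUS-01
    )

    # a. subscription only; b. resource group; c. a resource inside that group.
    $scope = "/subscriptions/$SubscriptionId"
    if ($ResourceGroupName) { $scope += "/resourceGroups/$ResourceGroupName" }
    if ($ResourceName) {
        if (-not ($ResourceGroupName -and $ResourceType)) {
            throw 'ResourceName needs ResourceGroupName and ResourceType.'
        }
        # ARM resource IDs read /providers/{namespace}/[{parent}/]{leafType}/{name}
        $parts = $ResourceType -split '/'
        if ($parts.Count -gt 2 -and -not $ParentResource) {
            throw "Nested type '$ResourceType' needs -ParentResource."
        }
        $scope += "/providers/$($parts[0])"
        if ($ParentResource) { $scope += "/$($ParentResource.Trim('/'))" }
        $scope += "/$($parts[-1])/$ResourceName"
    }
    # Refuse anything not rooted in a subscription, as the -Scope parameter requires.
    if ($scope -notmatch '^/subscriptions/[0-9a-fA-F-]{36}(/|$)') {
        throw "Refusing to assign at unexpected scope '$scope'."
    }

    # Idempotency: Get-AzureRmRoleAssignment -Scope also returns inherited
    # assignments, so match the scope exactly before deciding nothing is needed.
    $existing = Get-AzureRmRoleAssignment -ObjectId $ObjectId -Scope $scope `
        -RoleDefinitionName $RoleDefinitionName -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) { Write-Verbose "Already assigned at $scope"; return $existing }

    if ($PSCmdlet.ShouldProcess($scope, "Assign '$RoleDefinitionName' to $ObjectId")) {
        New-AzureRmRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $scope
    }
}

# Example 4 from this page (a subnet under a VNet), run as a dry run via -WhatIf:
New-ScopedRoleAssignment -ObjectId '00001111-aaaa-2222-bbbb-3333cccc4444' `
    -RoleDefinitionName 'Virtual Machine Contributor' -ResourceGroupName Network `
    -ResourceType Microsoft.Network/virtualNetworks/subnets `
    -ParentResource virtualNetworks/VNET-EASTUS-01 -ResourceName Devices-Engineering-ProjectRND -WhatIf
```

Drop -WhatIf to perform the assignment; with -Verbose the helper reports when it skipped an already-present grant.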

Examples

Example 1

PS C:\> New-AzureRmRoleAssignment -ResourceGroupName rg1 -SignInName allen.young@live.com -RoleDefinitionName Reader -AllowDelegation

Grant Reader role access to a user at a resource group scope, with the role assignment being available for delegation.

Example 2

PS C:\> Get-AzureRMADGroup -SearchString "Christine Koch Team"

          DisplayName                    Type                           Id
          -----------                    ----                           --------
          Christine Koch Team                                           00001111-aaaa-2222-bbbb-3333cccc4444

PS C:\> New-AzureRmRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName Contributor  -ResourceGroupName rg1

Grant access to a security group

Example 3

PS C:\> New-AzureRmRoleAssignment -SignInName john.doe@contoso.com -RoleDefinitionName Owner -Scope "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"

Grant access to a user at a resource (website)

Example 4

PS C:\> New-AzureRMRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName "Virtual Machine Contributor" -ResourceName Devices-Engineering-ProjectRND -ResourceType Microsoft.Network/virtualNetworks/subnets -ParentResource virtualNetworks/VNET-EASTUS-01 -ResourceGroupName Network

Grant access to a group at a nested resource (subnet)

Example 5

PS C:\> $servicePrincipal = New-AzureRmADServicePrincipal -DisplayName "testServiceprincipal"
PS C:\> New-AzureRmRoleAssignment -RoleDefinitionName "Reader" -ApplicationId $servicePrincipal.ApplicationId

Grant Reader role access to a service principal.

Parameters

-AllowDelegation

Sets the delegation flag on the role assignment being created.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ApplicationId

The application ID of the service principal.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:SPN, ServicePrincipalName

Parameter sets

ResourceGroupWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ObjectId

Microsoft Entra ObjectId of the user, group or service principal.

Parameter properties

Type:Guid
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Id, PrincipalId

Parameter sets

EmptyParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
RoleIdWithScopeAndObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ParentResource

The parent resource in the hierarchy of the resource specified using the ResourceName parameter. Should only be used in conjunction with the ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceWithObjectIdParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ResourceGroupName

The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with the ResourceName, ResourceType and (optionally) ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceGroupWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ResourceName

The resource name, for example storageaccountprod. Should only be used in conjunction with the ResourceGroupName, ResourceType and (optionally) ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ResourceType

The resource type, for example Microsoft.Network/virtualNetworks. Should only be used in conjunction with the ResourceGroupName, ResourceName and (optionally) ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RoleDefinitionId

ID of the RBAC role that is to be assigned to the principal.

Parameter properties

Type:Guid
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

RoleIdWithScopeAndObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RoleDefinitionName

Name of the RBAC role that is to be assigned to the principal, for example Reader, Contributor, Virtual Network Administrator, etc.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

EmptyParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Scope

The scope of the role assignment, in the form of a relative URI, for example "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, the role assignment is created at the subscription level. If specified, it must start with "/subscriptions/{id}".

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

EmptyParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
RoleIdWithScopeAndObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-SignInName

The email address or the user principal name of the user.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Email, UserPrincipalName

Parameter sets

ResourceGroupWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

Guid

String

Outputs

PSRoleAssignment

Notes

Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment