Add-EntraScopedRoleMembership
Assign a Microsoft Entra role with an administrative unit scope.
Syntax
Default (Default)
Add-EntraScopedRoleMembership
-AdministrativeUnitId <String>
[-RoleObjectId <String>]
[-RoleMemberInfo <RoleMemberInfo>]
[<CommonParameters>]
Description
The Add-EntraScopedRoleMembership cmdlet adds a scoped role membership to an administrative unit. Specify the AdministrativeUnitId parameter to add a scoped role membership.
For delegated scenarios, the calling user needs at least the Privileged Role Administrator Microsoft Entra role.
Examples
Example 1: Add a scoped role membership to an administrative unit
Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
$user = Get-EntraUser -UserId 'SawyerM@contoso.com'
$role = Get-EntraDirectoryRole -Filter "DisplayName eq 'Helpdesk Administrator'"
$administrativeUnit = Get-EntraAdministrativeUnit -Filter "DisplayName eq 'Pacific Administrative Unit'"
$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$roleMember.Id = $user.Id
Add-EntraScopedRoleMembership -AdministrativeUnitId $administrativeUnit.Id -RoleObjectId $role.Id -RoleMemberInfo $roleMember
Id AdministrativeUnitId RoleId
-- -------------------- ------
dddddddddddd-bbbb-aaaa-bbbb-cccccccccccc aaaaaaaa-bbbb-aaaa-bbbb-cccccccccccc bbbbbbbb-1111-2222-3333-cccccccccccc
The example shows how to add a user to the specified role within the specified administrative unit.
-AdministrativeUnitId parameter specifies the ID of an administrative unit.
-RoleObjectId parameter specifies the ID of a directory role.
-RoleMemberInfo parameter specifies a RoleMemberInfo object.
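A guarded variant of Example 1, added here as an illustration and not part of the original reference: it refuses ambiguous display-name lookups, skips the assignment if it already exists, and reads the result back. It assumes that Get-EntraScopedRoleMembership from the same module returns objects exposing RoleId and RoleMemberInfo.Id; the variable names are hypothetical.

```powershell
# Added example (not from the original page): guarded, idempotent form of Example 1.
$ErrorActionPreference = 'Stop'
Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'

# Values taken from Example 1 on this page.
$upn      = 'SawyerM@contoso.com'
$roleName = 'Helpdesk Administrator'
$auName   = 'Pacific Administrative Unit'

$user = Get-EntraUser -UserId $upn
$role = @(Get-EntraDirectoryRole -Filter "DisplayName eq '$roleName'")
$au   = @(Get-EntraAdministrativeUnit -Filter "DisplayName eq '$auName'")

# A display-name filter can match zero or several objects; refuse to guess,
# otherwise a privileged role could be granted over the wrong scope.
if ($role.Count -ne 1) { throw "Expected 1 directory role named '$roleName', found $($role.Count)." }
if ($au.Count -ne 1)   { throw "Expected 1 administrative unit named '$auName', found $($au.Count)." }

# Assumption: each returned membership exposes RoleId and RoleMemberInfo.Id.
$isTarget = { $_.RoleId -eq $role[0].Id -and $_.RoleMemberInfo.Id -eq $user.Id }
$existing = Get-EntraScopedRoleMembership -AdministrativeUnitId $au[0].Id |
    Where-Object $isTarget

if ($existing) {
    Write-Host "Already assigned: $upn holds '$roleName' scoped to '$auName'."
}
else {
    $roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
    $roleMember.Id = $user.Id
    Add-EntraScopedRoleMembership -AdministrativeUnitId $au[0].Id `
        -RoleObjectId $role[0].Id -RoleMemberInfo $roleMember | Out-Null
}

# Read the assignment back so the change can be recorded against the request.
$confirmed = @(Get-EntraScopedRoleMembership -AdministrativeUnitId $au[0].Id |
    Where-Object $isTarget)
if ($confirmed.Count -ne 1) {
    throw "Expected exactly 1 matching scoped role membership, found $($confirmed.Count)."
}
$confirmed | Select-Object Id, AdministrativeUnitId, RoleId
```

Get-EntraDirectoryRole returns only roles that have been activated in the tenant, so a count of zero for the role can mean the role is not yet activated rather than misspelled.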
Parameters
-AdministrativeUnitId
Specifies the ID of an administrative unit.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | ObjectId |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-RoleMemberInfo
Specifies a RoleMemberInfo object.
Parameter properties
| Type: | System.RoleMemberInfo |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-RoleObjectId
Specifies the ID of a directory role.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.