Set-AzRoleAssignment

Update an existing Role Assignment.

Depending on the input parameters, the cmdlet may call the following Microsoft Graph APIs to resolve the principal of the assignment:

  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /groups/{id}
  • GET /directoryObjects/{id}
  • POST /directoryObjects/getByIds

Note that this cmdlet reports ObjectType as Unknown in its output if the principal of the role assignment cannot be found (for example, a deleted user or service principal) or if the current account lacks the Graph permissions needed to read the object's type. An Unknown ObjectType is therefore worth checking before you update an assignment, since it may indicate an orphaned assignment rather than a live principal.

Syntax

Set-AzRoleAssignment
   -InputObject <PSRoleAssignment>
   [-SkipClientSideScopeValidation]
   [-PassThru]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-AzRoleAssignment
   -InputFile <String>
   [-SkipClientSideScopeValidation]
   [-PassThru]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Use the Set-AzRoleAssignment cmdlet to modify an existing role assignment. Only Description, Condition and ConditionVersion are meaningful to change; the scope, principal and role definition identify the assignment and are not updated by this cmdlet.
Description can be any valid string; use it to differentiate assignments from one another.
If you set a Condition on an assignment that did not have one, you must also set ConditionVersion. When you update an assignment that already has a Condition, setting ConditionVersion again is not necessary. ConditionVersion can be upgraded from 1.0 to 2.0, but it cannot be downgraded back to 1.0. Be cautious: version 2.0 is not backward compatible with 1.0, so a condition string written for 1.0 should be reviewed before the version is raised.
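The following is an added example, not code from the original page, that puts the rules above into a guarded update: it narrows Get-AzRoleAssignment so that exactly one assignment is selected, warns if the principal resolved to ObjectType Unknown, refuses a 2.0 to 1.0 downgrade, and does a -WhatIf dry run before the real update. The scope, object ID and role name are placeholders assumed for illustration, and the script assumes Az.Resources is installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original page). Assumes the Az.Resources module,
# an existing Connect-AzAccount session, and placeholder IDs that exist in your tenant.
$scope    = "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg"
$objectId = "00001111-aaaa-2222-bbbb-3333cccc4444"   # placeholder principal object ID
$roleName = "Storage Blob Data Reader"               # assumed role for this example

# Narrow the lookup (principal + role + scope) so that exactly one assignment is selected.
# Get-AzRoleAssignment -Scope can also return assignments inherited from parent scopes,
# so keep only the one defined at exactly this scope.
$assignments = @(Get-AzRoleAssignment -Scope $scope -ObjectId $objectId -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $scope })
if ($assignments.Count -ne 1) {
    throw "Expected exactly one role assignment, found $($assignments.Count). Refusing to update."
}
$ra = $assignments[0]

# ObjectType 'Unknown' means the principal could not be resolved via Microsoft Graph
# (deleted object, or the current account cannot read it). Check before modifying.
if ($ra.ObjectType -eq 'Unknown') {
    Write-Warning "Principal $($ra.ObjectId) could not be resolved; verify it still exists before updating."
}

# New condition: restrict blob access by container path (same form as the page's example).
$newCondition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'"
$newVersion   = "2.0"

# A condition added to an assignment that had none needs a version; a version can go
# 1.0 -> 2.0 but never 2.0 -> 1.0, so refuse the downgrade explicitly.
if ($ra.ConditionVersion -eq "2.0" -and $newVersion -eq "1.0") {
    throw "ConditionVersion cannot be downgraded from 2.0 to 1.0."
}
if (-not $ra.Condition -and -not $newVersion) {
    throw "Setting a Condition on an assignment that had none requires ConditionVersion."
}

$ra.Description      = "Restrict blob access to foo_storage_container"
$ra.Condition        = $newCondition
$ra.ConditionVersion = $newVersion

# Dry run first (no change is made), then apply and show the updated assignment.
Set-AzRoleAssignment -InputObject $ra -WhatIf
Set-AzRoleAssignment -InputObject $ra -PassThru
```

Pipe the PSRoleAssignment object rather than re-querying by scope alone when you script this: an over-broad Get-AzRoleAssignment can return several assignments for the same principal, and updating the wrong one silently changes a different role's condition.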

Examples

Example 1

$ConditionVersion = "2.0"
$Description = "This is a new role assignment for John"
$Condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'"

$roleAssignment = Get-AzRoleAssignment -Scope "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg" -PrincipalId "00001111-aaaa-2222-bbbb-3333cccc4444"
$roleAssignment.Description = $Description
$roleAssignment.Condition = $Condition
$roleAssignment.ConditionVersion = $ConditionVersion

Set-AzRoleAssignment -InputObject $roleAssignment -PassThru

RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/1273adef-00a3-4086-a51a-dbcce1857d36/providers/Microsoft.Authorization/roleAssignments/926c2a76-be19-4281-94de-38777629b9dc
Scope              : /subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg
DisplayName        : John Doe
SignInName         : [email protected]
RoleDefinitionName : Owner
RoleDefinitionId   : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectId           : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectType         : User
CanDelegate        : False
Description        : This is a new role assignment for John
ConditionVersion   : 2.0
Condition          : @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'

Update an existing role assignment by modifying the PSRoleAssignment object returned by Get-AzRoleAssignment and passing it back with -InputObject.

Example 2

Set-AzRoleAssignment -InputFile "C:\RoleAssignments\example.json" -PassThru

RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/1273adef-00a3-4086-a51a-dbcce1857d36/providers/Microsoft.Authorization/roleAssignments/926c2a76-be19-4281-94de-38777629b9dc
Scope              : /subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg
DisplayName        : John Doe
SignInName         : [email protected]
RoleDefinitionName : Owner
RoleDefinitionId   : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectId           : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectType         : User
CanDelegate        : False
Description        : This is a new role assignment for John
ConditionVersion   : 2.0
Condition          : @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'

Update an existing role assignment by reading it from a JSON file with -InputFile.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputFile

Path to a JSON file containing a single role assignment to update.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

The role assignment to update, as a PSRoleAssignment object (typically returned by Get-AzRoleAssignment and modified before being passed in).

Type:PSRoleAssignment
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-PassThru

If specified, returns the updated role assignment as output.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SkipClientSideScopeValidation

If specified, skips client-side validation of the assignment's scope. Only use this when you are certain the scope string is valid; otherwise the cmdlet's validation catches malformed scopes before the request reaches Azure.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSRoleAssignment

Outputs

PSRoleAssignment