Set-AzRoleAssignment
Update an existing Role Assignment.
The cmdlet may call below Microsoft Graph API according to input parameters:
- GET /users/{id}
- GET /servicePrincipals/{id}
- GET /groups/{id}
- GET /directoryObjects/{id}
- POST /directoryObjects/getByIds
Please notice that this cmdlet will mark ObjectType
as Unknown
in output if the object of role assignment is not found or current account has insufficient privileges to get object type.
Syntax
Set-AzRoleAssignment
-InputObject <PSRoleAssignment>
[-SkipClientSideScopeValidation]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Set-AzRoleAssignment
-InputFile <String>
[-SkipClientSideScopeValidation]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Use the Set-AzRoleAssignment command to modify an existing assignment.
Descriptions can be any valid string, use that to diferentiate from one another.
if Condition is set Condition Version has to be set as well but if you're updating a Condition that is not necesary.
Condition Version can be upgraded from 1.0 to 2.0 but it can't not be downgraded back. Be cautious as 2.0 is not retrocompatible with 1.0.
Examples
Example 1
$ConditionVersion = "2.0"
$Description = "This is a new role assignment for John"
$Condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'"
$roleAssignment = Get-AzRoleAssignment -Scope "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg" -PrincipalId "00001111-aaaa-2222-bbbb-3333cccc4444"
$roleAssignment.Description = $Description
$roleAssignment.Condition = $Condition
$roleAssignment.ConditionVersion = $ConditionVersion
Set-AzRoleAssignment -InputObject $roleAssignment -PassThru
RoleAssignmentId : /providers/Microsoft.Management/managementGroups/1273adef-00a3
-4086-a51a-dbcce1857d36/providers/Microsoft.Authorization/role
Assignments/926c2a76-be19-4281-94de-38777629b9dc
Scope : /subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg
DisplayName : John Doe
SignInName : [email protected]
RoleDefinitionName : Owner
RoleDefinitionId : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectId : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectType : User
CanDelegate : False
Description : This is a new role assignment for John
ConditionVersion : 2.0
Condition : @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'
Update an existing role assignment by modifying an object
Example 2
Set-AzRoleAssignment -InputFile "C:\RoleAssignments\example.json" -PassThru
RoleAssignmentId : /providers/Microsoft.Management/managementGroups/1273adef-00a3
-4086-a51a-dbcce1857d36/providers/Microsoft.Authorization/role
Assignments/926c2a76-be19-4281-94de-38777629b9dc
Scope : /subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg
DisplayName : John Doe
SignInName : [email protected]
RoleDefinitionName : Owner
RoleDefinitionId : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectId : 00001111-aaaa-2222-bbbb-3333cccc4444
ObjectType : User
CanDelegate : False
Description : This is a new role assignment for John
ConditionVersion : 2.0
Condition : @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'
Update an existing role assignment by using a file
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputFile
File name containing a single role definition.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Role Assignment.
Type: | PSRoleAssignment |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-PassThru
If specified, displays the updated role assignment
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SkipClientSideScopeValidation
If specified, skip client side scope validation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Outputs
Azure PowerShell