jkbryan/CreateCustomRole.ps1

## CreateCustomRole.ps1
Connect-MgGraph -TenantId <YourTenantID> -Scopes "RoleManagement.ReadWrite.Directory"
# Basic role information
$displayName = "Clone of Exchange Administrator"
$description = "Can manage all aspects of the Exchange product."
$templateId = (New-Guid).Guid
# Set of permissions to grant
$allowedResourceAction =
@(
        #"microsoft.directory/groups/hiddenMembers/read",
        "microsoft.directory/groups.unified/create",
        "microsoft.directory/groups.unified/delete",
        #"microsoft.directory/groups.unified/restore",
        "microsoft.directory/groups.unified/basic/update",
        "microsoft.directory/groups.unified/members/update",
        "microsoft.directory/groups.unified/owners/update",
        #"microsoft.azure.serviceHealth/allEntities/allTasks",
        #"microsoft.azure.supportTickets/allEntities/allTasks",
        #"microsoft.office365.exchange/allEntities/basic/allTasks",
        #"microsoft.office365.network/performance/allProperties/read",
        #"microsoft.office365.serviceHealth/allEntities/allTasks",
        #"microsoft.office365.supportTickets/allEntities/allTasks",
        #"microsoft.office365.usageReports/allEntities/allProperties/read",
        #"microsoft.office365.webPortal/allEntities/standard/read",
        "microsoft.directory/administrativeUnits/standard/read",
        "microsoft.directory/administrativeUnits/members/read",
        "microsoft.directory/applications/standard/read",
        "microsoft.directory/applications/owners/read",
        #"microsoft.directory/applications/policies/read",
        #"microsoft.directory/contacts/standard/read",
        #"microsoft.directory/contacts/memberOf/read",
        #"microsoft.directory/contracts/standard/read",
        "microsoft.directory/devices/standard/read",
        #"microsoft.directory/devices/memberOf/read",
        "microsoft.directory/devices/registeredOwners/read",
        "microsoft.directory/devices/registeredUsers/read",
        #"microsoft.directory/directoryRoles/standard/read",
        #"microsoft.directory/directoryRoles/eligibleMembers/read",
        #"microsoft.directory/directoryRoles/members/read",
        #"microsoft.directory/domains/standard/read",
        "microsoft.directory/groups/standard/read",
        "microsoft.directory/groups/appRoleAssignments/read",
        "microsoft.directory/groups/memberOf/read",
        "microsoft.directory/groups/members/read",
        "microsoft.directory/groups/owners/read",
        #"microsoft.directory/groups/settings/read",
        #"microsoft.directory/groupSettings/standard/read",
        #"microsoft.directory/groupSettingTemplates/standard/read",
        #"microsoft.directory/oAuth2PermissionGrants/standard/read",
        #"microsoft.directory/organization/standard/read",
        #"microsoft.directory/organization/trustedCAsForPasswordlessAuth/read",
        "microsoft.directory/applicationPolicies/standard/read",
        #"microsoft.directory/roleAssignments/standard/read",
        #"microsoft.directory/roleDefinitions/standard/read",
        "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
        "microsoft.directory/servicePrincipals/appRoleAssignments/read",
        "microsoft.directory/servicePrincipals/standard/read",
        #"microsoft.directory/servicePrincipals/memberOf/read",
        "microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read",
        "microsoft.directory/servicePrincipals/owners/read",
        #"microsoft.directory/servicePrincipals/ownedObjects/read",
        "microsoft.directory/servicePrincipals/policies/read",
        #"microsoft.directory/subscribedSkus/standard/read",
        "microsoft.directory/users/standard/read",
        "microsoft.directory/users/appRoleAssignments/read",
        "microsoft.directory/users/deviceForResourceAccount/read",
        "microsoft.directory/users/directReports/read",
        "microsoft.directory/users/invitedBy/read",
        "microsoft.directory/users/licenseDetails/read",
        "microsoft.directory/users/manager/read",
        "microsoft.directory/users/memberOf/read",
        #"microsoft.directory/users/oAuth2PermissionGrants/read",
        "microsoft.directory/users/ownedDevices/read",
        #"microsoft.directory/users/ownedObjects/read",
        #"microsoft.directory/users/photo/read",
        "microsoft.directory/users/registeredDevices/read",
        "microsoft.directory/users/scopedRoleMemberOf/read",
        "microsoft.directory/users/sponsors/read"
)
$rolePermissions = @(@{AllowedResourceActions= $allowedResourceAction})
# Create new custom admin role
$customAdmin = New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -IsEnabled -Description $description -TemplateId $templateId
	Connect-MgGraph -TenantId <YourTenantID> -Scopes "RoleManagement.ReadWrite.Directory"
	# Basic role information
	$displayName = "Clone of Exchange Administrator"
	$description = "Can manage all aspects of the Exchange product."
	$templateId = (New-Guid).Guid
	# Set of permissions to grant
	$allowedResourceAction =
	@(
	#"microsoft.directory/groups/hiddenMembers/read",
	"microsoft.directory/groups.unified/create",
	"microsoft.directory/groups.unified/delete",
	#"microsoft.directory/groups.unified/restore",
	"microsoft.directory/groups.unified/basic/update",
	"microsoft.directory/groups.unified/members/update",
	"microsoft.directory/groups.unified/owners/update",
	#"microsoft.azure.serviceHealth/allEntities/allTasks",
	#"microsoft.azure.supportTickets/allEntities/allTasks",
	#"microsoft.office365.exchange/allEntities/basic/allTasks",
	#"microsoft.office365.network/performance/allProperties/read",
	#"microsoft.office365.serviceHealth/allEntities/allTasks",
	#"microsoft.office365.supportTickets/allEntities/allTasks",
	#"microsoft.office365.usageReports/allEntities/allProperties/read",
	#"microsoft.office365.webPortal/allEntities/standard/read",
	"microsoft.directory/administrativeUnits/standard/read",
	"microsoft.directory/administrativeUnits/members/read",
	"microsoft.directory/applications/standard/read",
	"microsoft.directory/applications/owners/read",
	#"microsoft.directory/applications/policies/read",
	#"microsoft.directory/contacts/standard/read",
	#"microsoft.directory/contacts/memberOf/read",
	#"microsoft.directory/contracts/standard/read",
	"microsoft.directory/devices/standard/read",
	#"microsoft.directory/devices/memberOf/read",
	"microsoft.directory/devices/registeredOwners/read",
	"microsoft.directory/devices/registeredUsers/read",
	#"microsoft.directory/directoryRoles/standard/read",
	#"microsoft.directory/directoryRoles/eligibleMembers/read",
	#"microsoft.directory/directoryRoles/members/read",
	#"microsoft.directory/domains/standard/read",
	"microsoft.directory/groups/standard/read",
	"microsoft.directory/groups/appRoleAssignments/read",
	"microsoft.directory/groups/memberOf/read",
	"microsoft.directory/groups/members/read",
	"microsoft.directory/groups/owners/read",
	#"microsoft.directory/groups/settings/read",
	#"microsoft.directory/groupSettings/standard/read",
	#"microsoft.directory/groupSettingTemplates/standard/read",
	#"microsoft.directory/oAuth2PermissionGrants/standard/read",
	#"microsoft.directory/organization/standard/read",
	#"microsoft.directory/organization/trustedCAsForPasswordlessAuth/read",
	"microsoft.directory/applicationPolicies/standard/read",
	#"microsoft.directory/roleAssignments/standard/read",
	#"microsoft.directory/roleDefinitions/standard/read",
	"microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
	"microsoft.directory/servicePrincipals/appRoleAssignments/read",
	"microsoft.directory/servicePrincipals/standard/read",
	#"microsoft.directory/servicePrincipals/memberOf/read",
	"microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read",
	"microsoft.directory/servicePrincipals/owners/read",
	#"microsoft.directory/servicePrincipals/ownedObjects/read",
	"microsoft.directory/servicePrincipals/policies/read",
	#"microsoft.directory/subscribedSkus/standard/read",
	"microsoft.directory/users/standard/read",
	"microsoft.directory/users/appRoleAssignments/read",
	"microsoft.directory/users/deviceForResourceAccount/read",
	"microsoft.directory/users/directReports/read",
	"microsoft.directory/users/invitedBy/read",
	"microsoft.directory/users/licenseDetails/read",
	"microsoft.directory/users/manager/read",
	"microsoft.directory/users/memberOf/read",
	#"microsoft.directory/users/oAuth2PermissionGrants/read",
	"microsoft.directory/users/ownedDevices/read",
	#"microsoft.directory/users/ownedObjects/read",
	#"microsoft.directory/users/photo/read",
	"microsoft.directory/users/registeredDevices/read",
	"microsoft.directory/users/scopedRoleMemberOf/read",
	"microsoft.directory/users/sponsors/read"
	)
	$rolePermissions = @(@{AllowedResourceActions= $allowedResourceAction})
	# Create new custom admin role
	$customAdmin = New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -IsEnabled -Description $description -TemplateId $templateId