CreateCustomRole
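# Creates a custom Microsoft Entra directory role from an explicit list of
# resource actions, via the Microsoft Graph PowerShell SDK.
#
# Usage: replace the tenant id placeholder, review the action list (commented
# entries are deliberately NOT granted), then run in a session where the
# Microsoft.Graph module is available. The signed-in identity needs to be able
# to create role definitions; the script requests the
# RoleManagement.ReadWrite.Directory delegated scope for that purpose.
#
# Output: the created role definition (Id, DisplayName, TemplateId, IsEnabled)
# so the Id can be used for a subsequent role assignment or audit.

# Placeholder kept as a quoted string so the script parses before it is filled in
# (a bare <...> token is a syntax error in PowerShell).
$tenantId = "<YourTenantID>"

# Stop on a failed sign-in rather than continuing to the role creation.
Connect-MgGraph -TenantId $tenantId -Scopes "RoleManagement.ReadWrite.Directory" -ErrorAction Stop

# Basic role information
$displayName = "Clone of Exchange Administrator"
# NOTE(review): this text is the built-in role's description, while the action
# list below is a curated subset of it; consider wording that states what is
# actually granted so access reviews of this role are not misled.
$description = "Can manage all aspects of the Exchange product."
# A fresh GUID is used as the template id; it is not tied to any built-in role.
$templateId = (New-Guid).Guid

# Set of permissions to grant. Lines starting with '#' are part of the built-in
# role but are intentionally left out of this custom role.
$allowedResourceAction =
@(
#"microsoft.directory/groups/hiddenMembers/read",
"microsoft.directory/groups.unified/create",
"microsoft.directory/groups.unified/delete",
#"microsoft.directory/groups.unified/restore",
"microsoft.directory/groups.unified/basic/update",
"microsoft.directory/groups.unified/members/update",
"microsoft.directory/groups.unified/owners/update",
#"microsoft.azure.serviceHealth/allEntities/allTasks",
#"microsoft.azure.supportTickets/allEntities/allTasks",
#"microsoft.office365.exchange/allEntities/basic/allTasks",
#"microsoft.office365.network/performance/allProperties/read",
#"microsoft.office365.serviceHealth/allEntities/allTasks",
#"microsoft.office365.supportTickets/allEntities/allTasks",
#"microsoft.office365.usageReports/allEntities/allProperties/read",
#"microsoft.office365.webPortal/allEntities/standard/read",
"microsoft.directory/administrativeUnits/standard/read",
"microsoft.directory/administrativeUnits/members/read",
"microsoft.directory/applications/standard/read",
"microsoft.directory/applications/owners/read",
#"microsoft.directory/applications/policies/read",
#"microsoft.directory/contacts/standard/read",
#"microsoft.directory/contacts/memberOf/read",
#"microsoft.directory/contracts/standard/read",
"microsoft.directory/devices/standard/read",
#"microsoft.directory/devices/memberOf/read",
"microsoft.directory/devices/registeredOwners/read",
"microsoft.directory/devices/registeredUsers/read",
#"microsoft.directory/directoryRoles/standard/read",
#"microsoft.directory/directoryRoles/eligibleMembers/read",
#"microsoft.directory/directoryRoles/members/read",
#"microsoft.directory/domains/standard/read",
"microsoft.directory/groups/standard/read",
"microsoft.directory/groups/appRoleAssignments/read",
"microsoft.directory/groups/memberOf/read",
"microsoft.directory/groups/members/read",
"microsoft.directory/groups/owners/read",
#"microsoft.directory/groups/settings/read",
#"microsoft.directory/groupSettings/standard/read",
#"microsoft.directory/groupSettingTemplates/standard/read",
#"microsoft.directory/oAuth2PermissionGrants/standard/read",
#"microsoft.directory/organization/standard/read",
#"microsoft.directory/organization/trustedCAsForPasswordlessAuth/read",
"microsoft.directory/applicationPolicies/standard/read",
#"microsoft.directory/roleAssignments/standard/read",
#"microsoft.directory/roleDefinitions/standard/read",
"microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
"microsoft.directory/servicePrincipals/appRoleAssignments/read",
"microsoft.directory/servicePrincipals/standard/read",
#"microsoft.directory/servicePrincipals/memberOf/read",
"microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read",
"microsoft.directory/servicePrincipals/owners/read",
#"microsoft.directory/servicePrincipals/ownedObjects/read",
"microsoft.directory/servicePrincipals/policies/read",
#"microsoft.directory/subscribedSkus/standard/read",
"microsoft.directory/users/standard/read",
"microsoft.directory/users/appRoleAssignments/read",
"microsoft.directory/users/deviceForResourceAccount/read",
"microsoft.directory/users/directReports/read",
"microsoft.directory/users/invitedBy/read",
"microsoft.directory/users/licenseDetails/read",
"microsoft.directory/users/manager/read",
"microsoft.directory/users/memberOf/read",
#"microsoft.directory/users/oAuth2PermissionGrants/read",
"microsoft.directory/users/ownedDevices/read",
#"microsoft.directory/users/ownedObjects/read",
#"microsoft.directory/users/photo/read",
"microsoft.directory/users/registeredDevices/read",
"microsoft.directory/users/scopedRoleMemberOf/read",
"microsoft.directory/users/sponsors/read"
)

# The API expects a collection of permission sets; this role has a single set.
$rolePermissions = @(@{ AllowedResourceActions = $allowedResourceAction })

# Create new custom admin role. -ErrorAction Stop makes a rejected request
# (e.g. insufficient privilege or a malformed action name) terminate the script
# instead of silently leaving $customAdmin empty.
$customAdmin = New-MgRoleManagementDirectoryRoleDefinition `
    -RolePermissions $rolePermissions `
    -DisplayName $displayName `
    -IsEnabled `
    -Description $description `
    -TemplateId $templateId `
    -ErrorAction Stop

# Surface the identifiers needed to assign the role and to find it in audit logs;
# the original discarded the result, so a successful run produced no output.
$customAdmin | Select-Object Id, DisplayName, TemplateId, IsEnabled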