diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md index 4df777d0c..f53b8aee0 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md @@ -46,12 +46,18 @@ The `Get-EntraBetaAccountSku` retrieves the list of commercial subscriptions acq For a list of license names in the Microsoft Entra or Microsoft 365 admin centers and their corresponding Microsoft Graph `skuId` and `skuPartNumber` properties, refer to the [mapping information](https://learn.microsoft.com/entra/identity/users/licensing-service-plan-reference). +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Gets a list of SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaAccountSku ``` @@ -68,8 +74,9 @@ This command returns a list of SKUs. ### Example 2: Gets a list of SKUs by TenantId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' -Get-EntraBetaAccountSku -TenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' +$tenantId = (Get-EntraContext).TenantId +Get-EntraBetaAccountSku -TenantId $tenantId ``` ```Output 
diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md index 2443efe01..dd42d5c01 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md @@ -39,6 +39,12 @@ Get-EntraBetaAuditDirectoryLog The `Get-EntraBetaAuditDirectoryLog` cmdlet gets a Microsoft Entra ID audit log. Retrieve audit logs from Microsoft Entra ID, covering logs from various services such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management. +In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Reports Reader +- Security Administrator +- Security Reader + ## Examples ### Example 1: Get all logs diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md index 9e7e5f304..d64a070f7 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md 
@@ -114,7 +114,10 @@ This command gets all the role assignments in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId '00001111-aaaa-2222-bbbb-3333cccc4444' +$user = Get-EntraBetaUser -UserId 'BiancaP@M365x80713871.OnMicrosoft.com' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraBetaDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Get-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` ```Output @@ -131,7 +134,8 @@ This command gets the role assignments using specified roleAssignment Id. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleAssignment -Filter "principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'" +$userId = (Get-EntraBetaUser -UserId 'SawyerM@contoso.com').Id +Get-EntraBetaDirectoryRoleAssignment -Filter "principalId eq '$userId'" ``` ```Output @@ -147,7 +151,8 @@ This command gets the role assignments containing the specified principalId. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleAssignment -Filter "roleDefinitionId eq 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'" +$roleId = (Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'").Id +Get-EntraBetaDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md index b0f1d55dc..83d76fb96 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md 
+++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md @@ -94,7 +94,8 @@ This command returns all the role definitions present. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId '2af84b1e-32c8-42b7-82bc-daa82404023b' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +Get-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md index 291932b8f..426092e3a 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md @@ -52,6 +52,10 @@ The Gmail user will use their Google account credentials to authenticate and acc The current set of identity providers can be Microsoft, Google, Facebook, Amazon, or LinkedIn. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Retrieve all identity providers diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md index 962647218..cb1b986e5 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md 
@@ -46,12 +46,18 @@ Get-EntraBetaSubscribedSku The `Get-EntraBetaSubscribedSku` cmdlet gets subscribed SKUs to Microsoft services. +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Get subscribed SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaSubscribedSku ``` @@ -68,7 +74,7 @@ This example demonstrates how to retrieve subscribed SKUs to Microsoft services. ### Example 2: Get subscribed SKUs by SubscribedSkuId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaSubscribedSku -SubscribedSkuId 'aaaaaaaa-0b0b-1c1c-2d2d-333333333333' ``` @@ -85,7 +91,7 @@ This example demonstrates how to retrieve specified subscribed SKUs to Microsoft ### Example 3: Get available license plans ```powershell -Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All' +Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaSubscribedSku | Select-Object -Property Sku*, ConsumedUnits -ExpandProperty PrepaidUnits ``` 
@@ -105,7 +111,7 @@ This example demonstrates how to retrieve available license plans. ### Example 4: Retrieve all users assigned a specific license ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' $sku = Get-EntraBetaSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'DEVELOPERPACK_E5' } $skuId = $sku.SkuId $usersWithDeveloperPackE5 = Get-EntraBetaUser -All | Where-Object { @@ -127,7 +133,7 @@ This example demonstrates how to retrieve all users assigned a specific license. ### Example 5: Get a list of users, their assigned licenses, and licensing source ```powershell -Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All','LicenseAssignment.Read.All' # Get all users with specified properties $Users = Get-EntraBetaUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName, UserPrincipalName, ObjectId diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md index c0285dab6..107edb0d6 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md 
@@ -36,19 +36,19 @@ New-EntraBetaDirectoryRoleAssignment The `New-EntraBetaDirectoryRoleAssignment` cmdlet creates a new Microsoft Entra role assignment. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Create a new Microsoft Entra ID role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -$params = @{ - RoleDefinitionId = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1' - PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222' - DirectoryScopeId = '/' - } - -New-EntraBetaDirectoryRoleAssignment @params +$user = Get-EntraBetaUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +New-EntraBetaDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.Id -DirectoryScopeId '/' ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md index fb8d50bd8..0cd075a1e 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md 
@@ -41,22 +41,19 @@ New-EntraBetaDirectoryRoleDefinition Create a new Microsoft Entra ID roleDefinition object. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Creates a new role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") - -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' ``` ```Output @@ -77,16 +74,9 @@ This command creates a new role definition in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Description = 'Role Definition demo' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Description 'Role Definition demo' ``` ```Output 
@@ -108,16 +98,9 @@ This command creates a new role definition with Description parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - ResourceScopes = '/' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -ResourceScopes '/' ``` ```Output @@ -138,16 +121,9 @@ This command creates a new role definition with ResourceScopes parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - TemplateId = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -TemplateId 'f2ef992c-3afb-46b9-b7cf-a126ee74c451' ``` ```Output 
@@ -168,22 +144,15 @@ This command creates a new role definition with TemplateId parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Version = '2' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Version '2' ``` ```Output DisplayName Id TemplateId Description IsBuiltIn IsEnabled ----------- -- ---------- ----------- --------- --------- -MyRoleDefinition a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 b69d16e9-b3f9-4289-a87f-8f796bd9fa28 False False +MyRoleDefinition a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 f2ef992c-3afb-46b9-b7cf-a126ee74c451 False False ``` diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md index e48d0af50..eb3bc86f9 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md 
@@ -52,7 +52,9 @@ The current set of identity providers can be: - Amazon - LinkedIn -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md index 2697f3709..a49d006d3 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md @@ -50,7 +50,16 @@ Invitation adds an external user to the organization. When creating a new invita To reset the redemption status for a guest user, the User.ReadWrite.All permission is the minimum required. -For delegated scenarios, the signed-in user must have at least one of the following roles: Guest Inviter, Directory Writers, or User Administrator. Additionally, to reset the redemption status, the signed-in user must have the Helpdesk Administrator or User Administrator role. +For delegated scenarios, the signed-in user must have at least one of the following roles: + +- Guest Inviter +- Directory Writers +- User Administrator + +Additionally, to reset the redemption status, the signed-in user must have the: + +- Helpdesk Administrator +- User Administrator role ## Examples 
@@ -58,13 +67,10 @@ For delegated scenarios, the signed-in user must have at least one of the follow ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' -} - -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl ``` ```Output @@ -83,14 +89,11 @@ When the user accepts the invitation, they're forwarded to the url as specified ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' - InvitedUserDisplayName = 'microsoftuser' -} - -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$displayName = 'microsoftuser' +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserDisplayName $displayName ``` ```Output 
@@ -140,14 +143,11 @@ This example demonstrates how to invite a new external user to your directory wi ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.microsoft.com' - InvitedUserType = 'Guest' -} - -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$userType = 'Guest' +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserType $userType ``` ```Output @@ -162,14 +162,12 @@ This example demonstrates how to invite a new external user to your directory wi ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' - InvitedUserDisplayName = 'microsoftuser' - ResetRedemption = $true -} -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$displayName = 'microsoftuser' +$resetRedemption = $True +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserDisplayName $displayName -ResetRedemption $resetRedemption ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md index 067d0ed65..fd6e24fe6 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md 
+++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md @@ -40,6 +40,14 @@ New-EntraBetaOauth2PermissionGrant The `New-EntraBetaOauth2PermissionGrant` cmdlet creates a delegated permission grant using an oAuth2PermissionGrant object. This grant authorizes a client service principal to access a resource service principal on behalf of a signed-in user, with access limited to the specified delegated permissions. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: To grant authorization to impersonate all users diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md index 837399cee..9ac11f68c 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md 
@@ -34,13 +34,20 @@ Remove-EntraBetaDirectoryRoleAssignment The `Remove-EntraBetaDirectoryRoleAssignment` cmdlet removes a role assignment from Microsoft Entra ID. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -Remove-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId 'Y1vFBcN4i0e3ngdNDocmngJAWGnAbFVAnJQyBBLv1lM-1' +$user = Get-EntraBetaUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraBetaDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Remove-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` This example removes the specified role assignment from Microsoft Entra ID. diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md index dd80d087e..501670956 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md 
@@ -36,13 +36,18 @@ Delete a Microsoft Entra ID Directory roleDefinition object by ID. You can't delete built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a specified role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -Remove-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Contoso Custom Role Definition'" +Remove-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` This example demonstrates how to remove the specified role definition from Microsoft Entra ID. diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md index 421d42d51..fcce7f769 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md @@ -37,7 +37,9 @@ This cmdlet is used to delete an identity provider that has been configured in t The identity provider is permanently deleted. -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples 
diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md index c0bf03235..311a7958c 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md 
@@ -36,15 +36,23 @@ The `Remove-EntraBetaOAuth2PermissionGrant` cmdlet removes an OAuth2PermissionGr When a delegated permission grant is deleted, the access it granted is revoked. Existing access tokens will continue to be valid for their lifetime, but new access tokens will not be granted for the delegated permissions identified in the deleted OAuth2PermissionGrant. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: Remove an OAuth2 permission grant ```powershell Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All' -$SharePointSP = Get-EntraBetaServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} -$SharePointOA2AllSitesRead = Get-EntraBetaOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $SharePointSP.ObjectId} | Where-Object {$_.Scope -eq 'AllSites.Read'} -Remove-EntraBetaOAuth2PermissionGrant -ObjectId $SharePointOA2AllSitesRead.ObjectId +$sharePointSP = Get-EntraBetaServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} +$sharePointOAuth2AllSitesRead = Get-EntraBetaOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $sharePointSP.Id} | Where-Object {$_.Scope -eq 'AllSites.Read'} +Remove-EntraBetaOAuth2PermissionGrant -ObjectId $sharePointOAuth2AllSitesRead.Id ``` This example shows how to remove an OAuth2PermissionGrant object in Microsoft Entra ID. diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md index 50cb0dce8..ac9db024f 100644 
--- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md @@ -42,6 +42,10 @@ Set-EntraBetaDirectoryRoleDefinition Updates a Microsoft Entra roleDefinition object identified by ID. You can't update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Update an roleDefinition @@ -49,11 +53,7 @@ Updates a Microsoft Entra roleDefinition object identified by ID. You can't upda ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$params = @{ - UnifiedRoleDefinitionId = $roleDefinition.Id - DisplayName = 'UpdatedDisplayName' -} -Set-EntraBetaDirectoryRoleDefinition @params +Set-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -DisplayName 'UpdatedDisplayName' ``` This example updates the specified role definition in Microsoft Entra ID. @@ -66,11 +66,7 @@ This example updates the specified role definition in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$params = @{ - UnifiedRoleDefinitionId = $roleDefinition.Id - Description = 'MYROLEUPDATE1S' -} -Set-EntraBetaDirectoryRoleDefinition @params +Set-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -Description 'MYROLEUPDATE1S' ``` This example updates the Description of specified role definition in Microsoft Entra ID. 
@@ -83,11 +79,7 @@ This example updates the Description of specified role definition in Microsoft E ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$params = @{ - UnifiedRoleDefinitionId = $roleDefinition.Id - IsEnabled = $true -} -Set-EntraBetaDirectoryRoleDefinition @params +Set-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -IsEnabled $true ``` This example updates the IsEnabled of specified role definition in Microsoft Entra ID. @@ -100,19 +92,18 @@ This example updates the IsEnabled of specified role definition in Microsoft Ent ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") $params = @{ UnifiedRoleDefinitionId = $roleDefinition.Id Description = 'Update' DisplayName = 'Update' ResourceScopes = '/' IsEnabled = $false - RolePermissions = $RolePermissions + RolePermissions = $rolePermissions TemplateId = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451' Version = 2 } - Set-EntraBetaDirectoryRoleDefinition @params ``` diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md index 40ed98cac..6afce3234 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md 
@@ -41,17 +41,17 @@ The `Set-EntraBetaIdentityProvider` cmdlet is used to update the properties of a The type of the identity provider can't be modified. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Update client id of an identity provider ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientId = 'NewClientID' -} -Set-EntraBetaIdentityProvider @params +Set-EntraBetaIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientId 'NewClientID' ``` This example updates the client ID for the specified identity provider. @@ -63,11 +63,7 @@ This example updates the client ID for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientSecret = 'NewClientSecret' -} -Set-EntraBetaIdentityProvider @params +Set-EntraBetaIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientSecret 'NewClientSecret' ``` This example updates the client secret for the specified identity provider. @@ -79,11 +75,7 @@ This example updates the client secret for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - Name = 'NewGoogleName' -} -Set-EntraBetaIdentityProvider @params +Set-EntraBetaIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -Name 'NewGoogleName' ``` This example updates the display name for the specified identity provider. 
diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md index fa862a55f..ba9e2b4b1 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md @@ -86,11 +86,7 @@ This example shows how to update the support email addresses. ```powershell Connect-Entra -Scopes 'Organization.ReadWrite.All' $tenantId = (Get-EntraContext).TenantId -$params = @{ - PartnerSupportTelephones = '234234234' - TenantId = $tenantId -} -Set-EntraBetaPartnerInformation @params +Set-EntraBetaPartnerInformation -PartnerSupportTelephones '234234234' -TenantId $tenantId ``` This example shows how to update support telephone numbers. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md index d6e6628ec..8c3e1b9e3 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md 
@@ -46,12 +46,18 @@ The `Get-EntraAccountSku` retrieves the list of commercial subscriptions acquire For a list of license names in the Microsoft Entra or Microsoft 365 admin centers and their corresponding Microsoft Graph `skuId` and `skuPartNumber` properties, refer to the [mapping information](https://learn.microsoft.com/entra/identity/users/licensing-service-plan-reference). +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Gets a list of SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraAccountSku ``` @@ -68,8 +74,9 @@ This command returns a list of SKUs. ### Example 2: Gets a list of SKUs by TenantId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' -Get-EntraAccountSku -TenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' +$tenantId = (Get-EntraContext).TenantId +Get-EntraAccountSku -TenantId $tenantId ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md index 640ed63b0..c660d1d94 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md 
@@ -38,6 +38,12 @@ The `Get-EntraAuditDirectoryLog` cmdlet gets a Microsoft Entra ID audit log. Retrieve audit logs from Microsoft Entra ID, covering logs from various services such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management. +In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Reports Reader +- Security Administrator +- Security Reader + ## Examples ### Example 1: Get all logs diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md index 7c86ba6f9..b336d1774 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md @@ -114,7 +114,10 @@ This command gets all the role assignments in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId '00001111-aaaa-2222-bbbb-3333cccc4444' +$user = Get-EntraUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Get-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` ```Output 
@@ -131,7 +134,8 @@ This command gets the role assignments using specified roleAssignment Id. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleAssignment -Filter "principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'" +$userId = (Get-EntraUser -UserId 'SawyerM@contoso.com').Id +Get-EntraDirectoryRoleAssignment -Filter "principalId eq '$userId'" ``` ```Output @@ -147,7 +151,8 @@ This command gets the role assignments containing the specified principalId. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleAssignment -Filter "roleDefinitionId eq 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'" +$roleId = (Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'").Id +Get-EntraDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md index aeb5de0ba..ca972b48f 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md @@ -93,7 +93,8 @@ This command returns all the role definitions present. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId '2af84b1e-32c8-42b7-82bc-daa82404023b' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +Get-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` ```Output 
diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md index 358563649..190033a81 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md @@ -52,6 +52,10 @@ The Gmail user will use their Google account credentials to authenticate and acc The current set of identity providers can be Microsoft, Google, Facebook, Amazon, or LinkedIn. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Retrieve all identity providers diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md index bcf1591a2..d670ddacb 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md 
@@ -44,12 +44,18 @@ Get-EntraSubscribedSku The `Get-EntraSubscribedSku` cmdlet gets subscribed SKUs to Microsoft services. +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Get subscribed SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraSubscribedSku ``` @@ -66,7 +72,7 @@ This example demonstrates how to retrieve subscribed SKUs to Microsoft services. ### Example 2: Get subscribed SKUs by SubscribedSkuId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraSubscribedSku -SubscribedSkuId 'abcdefgh-1111-2222-bbbb-cccc33333333_dddddddd-4444-5555-eeee-666666666666' ``` @@ -83,7 +89,7 @@ This example demonstrates how to retrieve specified subscribed SKUs to Microsoft ### Example 3: Get available license plans ```powershell -Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All' +Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All','LicenseAssignment.Read.All' Get-EntraSubscribedSku | Select-Object -Property Sku*, ConsumedUnits -ExpandProperty PrepaidUnits ``` 
@@ -103,7 +109,7 @@ This example demonstrates how to retrieve available license plans. ### Example 4: Retrieve all users assigned a specific license ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' $sku = Get-EntraSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'DEVELOPERPACK_E5' } $skuId = $sku.SkuId $usersWithDeveloperPackE5 = Get-EntraUser -All | Where-Object { @@ -125,7 +131,7 @@ This example demonstrates how to retrieve all users assigned a specific license. ### Example 5: Get a list of users, their assigned licenses, and licensing source ```powershell -Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All','LicenseAssignment.Read.All' # Get all users with specified properties $Users = Get-EntraUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName, UserPrincipalName, ObjectId diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md index aae90daa6..7fb6938aa 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md 
@@ -36,19 +36,19 @@ New-EntraDirectoryRoleAssignment The `New-EntraDirectoryRoleAssignment` cmdlet creates a new Microsoft Entra role assignment. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Create a new Microsoft Entra ID role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -$params = @{ - RoleDefinitionId = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1' - PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222' - DirectoryScopeId = '/' - } - -New-EntraDirectoryRoleAssignment @params +$user = Get-EntraUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +New-EntraDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.Id -DirectoryScopeId '/' ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md index 3cb706610..f2af75d5a 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md 
@@ -40,22 +40,19 @@ New-EntraDirectoryRoleDefinition Create a new Microsoft Entra ID roleDefinition object. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Creates a new role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") - -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' ``` ```Output @@ -76,16 +73,9 @@ This command creates a new role definition in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Description = 'Role Definition demo' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Description 'Role Definition demo' ``` ```Output 
@@ -107,16 +97,9 @@ This command creates a new role definition with Description parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - ResourceScopes = '/' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -ResourceScopes '/' ``` ```Output @@ -137,16 +120,9 @@ This command creates a new role definition with ResourceScopes parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - TemplateId = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -TemplateId 'f2ef992c-3afb-46b9-b7cf-a126ee74c451' ``` ```Output 
@@ -167,16 +143,9 @@ This command creates a new role definition with TemplateId parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Version = '2' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Version '2' ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md index 5e6ce8b6b..fb7c4ae90 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md @@ -52,7 +52,9 @@ The current set of identity providers can be: - Amazon - LinkedIn -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md index df6ead8bb..fe9974b54 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md 
+++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md @@ -48,7 +48,16 @@ Invitation adds an external user to the organization. When creating a new invita To reset the redemption status for a guest user, the User.ReadWrite.All permission is the minimum required. -For delegated scenarios, the signed-in user must have at least one of the following roles: Guest Inviter, Directory Writers, or User Administrator. Additionally, to reset the redemption status, the signed-in user must have the Helpdesk Administrator or User Administrator role. +For delegated scenarios, the signed-in user must have at least one of the following roles: + +- Guest Inviter +- Directory Writers +- User Administrator + +Additionally, to reset the redemption status, the signed-in user must have the: + +- Helpdesk Administrator +- User Administrator role ## Examples @@ -56,13 +65,10 @@ For delegated scenarios, the signed-in user must have at least one of the follow ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' -} - -New-EntraInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +New-EntraInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl ``` ```Output 
@@ -81,14 +87,11 @@ When the user accepts the invitation, they're forwarded to the url as specified ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' - InvitedUserDisplayName = 'microsoftuser' -} - -New-EntraInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$displayName = 'microsoftuser' +New-EntraInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserDisplayName $displayName ``` ```Output @@ -138,14 +141,11 @@ This example demonstrates how to invite a new external user to your directory wi ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.microsoft.com' - InvitedUserType = 'Guest' -} - -New-EntraInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$userType = 'Guest' +New-EntraInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserType $userType ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md index 38a98265c..b652b87d1 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md 
@@ -38,6 +38,14 @@ New-EntraOauth2PermissionGrant The `New-EntraOauth2PermissionGrant` cmdlet creates a delegated permission grant using an oAuth2PermissionGrant object. This grant authorizes a client service principal to access a resource service principal on behalf of a signed-in user, with access limited to the specified delegated permissions. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: To grant authorization to impersonate all users diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md index ba9841b7c..9d97c6593 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md 
@@ -34,13 +34,20 @@ Remove-EntraDirectoryRoleAssignment The `Remove-EntraDirectoryRoleAssignment` cmdlet removes a role assignment from Microsoft Entra ID. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -Remove-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId Y1vFBcN4i0e3ngdNDocmngJAWGnAbFVAnJQyBBLv1lM-1 +$user = Get-EntraUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Remove-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` This example removes the specified role assignment from Microsoft Entra ID. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md index d80058e54..3a76ecddf 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md 
@@ -37,13 +37,18 @@ Delete a Microsoft Entra ID Directory roleDefinition object by ID. You can't delete built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a specified role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -Remove-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Contoso Custom Role Definition'" +Remove-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` This example demonstrates how to remove the specified role definition from Microsoft Entra ID. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md index c1982b130..50ef646b4 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md @@ -36,7 +36,9 @@ This cmdlet is used to delete an identity provider that has been configured in t The identity provider is permanently deleted. -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples 
diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md index ae6f1af93..336c4fa41 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md 
@@ -36,15 +36,23 @@ The `Remove-EntraOAuth2PermissionGrant` cmdlet removes an OAuth2PermissionGrant When a delegated permission grant is deleted, the access it granted is revoked. Existing access tokens will continue to be valid for their lifetime, but new access tokens will not be granted for the delegated permissions identified in the deleted OAuth2PermissionGrant. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: Remove an OAuth2 permission grant ```powershell Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All' -$SharePointSP = Get-EntraServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} -$SharePointOA2AllSitesRead = Get-EntraOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $SharePointSP.ObjectId} | Where-Object {$_.Scope -eq 'AllSites.Read'} -Remove-EntraOAuth2PermissionGrant -ObjectId $SharePointOA2AllSitesRead.ObjectId +$sharePointSP = Get-EntraServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} +$sharePointOAuth2AllSitesRead = Get-EntraOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $sharePointSP.Id} | Where-Object {$_.Scope -eq 'AllSites.Read'} +Remove-EntraOAuth2PermissionGrant -ObjectId $sharePointOAuth2AllSitesRead.Id ``` This example shows how to remove an OAuth2PermissionGrant object in Microsoft Entra ID. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md index f511d04ad..889a67bd4 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md 
+++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md @@ -41,6 +41,10 @@ Set-EntraDirectoryRoleDefinition Updates a Microsoft Entra roleDefinition object identified by ID. You can't update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Update an roleDefinition @@ -87,19 +91,18 @@ This example updates the IsEnabled of specified role definition in Microsoft Ent ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq ''" -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") $params = @{ UnifiedRoleDefinitionId = $roleDefinition.Id Description = 'Update' DisplayName = 'Update' ResourceScopes = '/' IsEnabled = $false - RolePermissions = $RolePermissions + RolePermissions = $rolePermissions TemplateId = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451' Version = 2 } - Set-EntraDirectoryRoleDefinition @params ``` diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md index 557f8d8ce..9e1e90351 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md 
@@ -41,17 +41,17 @@ The `Set-EntraIdentityProvider` cmdlet is used to update the properties of an ex The type of the identity provider can't be modified. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Update client id of an identity provider ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientId = 'NewClientID' -} -Set-EntraIdentityProvider @params +Set-EntraIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientId 'NewClientID' ``` This example updates the client ID for the specified identity provider. @@ -63,11 +63,7 @@ This example updates the client ID for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientSecret = 'NewClientSecret' -} -Set-EntraIdentityProvider @params +Set-EntraIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientSecret 'NewClientSecret' ``` This example updates the client secret for the specified identity provider. @@ -79,11 +75,7 @@ This example updates the client secret for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - Name = 'NewGoogleName' -} -Set-EntraIdentityProvider @params +Set-EntraIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -Name 'NewGoogleName' ``` This example updates the display name for the specified identity provider. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md index 1a4ad58b1..6a0aba6f1 100644 
--- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md @@ -86,11 +86,7 @@ This example shows how to update the support email addresses. ```powershell Connect-Entra -Scopes 'Organization.ReadWrite.All' $tenantId = (Get-EntraContext).TenantId -$params = @{ - PartnerSupportTelephones = '234234234' - TenantId = $tenantId -} -Set-EntraPartnerInformation @params +Set-EntraPartnerInformation -PartnerSupportTelephones '234234234' -TenantId $tenantId ``` This example shows how to update support telephone numbers.
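Review bot: In the Remove-EntraOAuth2PermissionGrant hunk (Example 1), the result of the `Where-Object {$_.Scope -eq 'AllSites.Read'}` filter is passed straight to `Remove-EntraOAuth2PermissionGrant -ObjectId $sharePointOAuth2AllSitesRead.Id` with no check on how many grants matched. If nothing matches, `-ObjectId` receives `$null`; if several grants match (for example, one per client or principal), `.Id` expands to an array. Consider guarding the removal so it runs only when exactly one grant is found, or iterating over the matches explicitly. Note also that `Scope` on a permission grant is a space-separated list, so the `-eq` comparison only finds grants whose sole scope is `AllSites.Read`; the example text should say so, since removing a grant revokes every scope it carries.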
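Review bot: In the first Set-EntraDirectoryRoleDefinition hunk (@@ -41,6 +41,10), the new roles paragraph uses different wording from the sibling paragraphs added elsewhere in this patch: it says "In delegated scenarios" without "using work or school accounts", and "The minimum roles required for this operation are:" instead of "The following least privileged roles support this operation:". Since these paragraphs are what an administrator reads to decide which role to assign, the wording should be identical across cmdlets so a difference in text always means a difference in requirement. The trailing context line "### Example 1: Update an roleDefinition" could also be corrected to "a roleDefinition" while this area is being edited.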
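Review bot: In the second Set-EntraDirectoryRoleDefinition hunk (@@ -87,19 +91,18), the unchanged line `$roleDefinition = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq ''"` filters on an empty display name, so `UnifiedRoleDefinitionId = $roleDefinition.Id` will be empty for anyone who copies the example as written. Since the hunk already touches the surrounding lines, give the filter a placeholder name that the explanatory text mentions. On the renamed line, `New-object` is left in mixed casing while the variables were normalised to camelCase; `New-Object` would match the rest of the cleanup.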
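Review bot: In the Set-EntraIdentityProvider hunk at @@ -63,11 +63,7, the rewritten example passes the secret as a literal on the command line: `Set-EntraIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientSecret 'NewClientSecret'`. Readers tend to copy documentation verbatim, and a real secret typed this way lands in shell history and transcripts. Suggest either keeping the value in a variable that is populated outside the script, or adding a sentence under the example stating that `'NewClientSecret'` is a placeholder and that the real value should come from a secret store. The same patch keeps splatting in the Set-EntraDirectoryRoleDefinition example while removing it here, so it is worth stating the rule being applied (for instance, inline for two parameters, splat for more).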
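Review bot: In the Set-EntraPartnerInformation hunk (@@ -86,11 +86,7), only the example is changed; unlike the other write cmdlets in this patch, the visible change to this file adds no paragraph listing the least privileged roles for the operation, even though the example connects with `Organization.ReadWrite.All`. If the role requirements are documented elsewhere in the file, ignore this; otherwise add the same delegated-scenario paragraph here so the role guidance is consistent across the cmdlets this patch updates.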