From 8720d24ffa8a558d98fa93e405e797bf5e510627 Mon Sep 17 00:00:00 2001 From: Steve Mutungi <132555836+SteveMutungi254@users.noreply.github.com> Date: Sun, 17 Nov 2024 19:44:21 +0000 Subject: [PATCH 1/6] Enriching examples --- .../Get-EntraBetaIdentityProvider.md | 4 ++ .../New-EntraBetaIdentityProvider.md | 4 +- .../New-EntraBetaInvitation.md | 62 +++++++++---------- .../New-EntraBetaOauth2PermissionGrant.md | 8 +++ .../Remove-EntraBetaIdentityProvider.md | 4 +- .../Remove-EntraBetaOAuth2PermissionGrant.md | 14 ++++- .../Set-EntraBetaIdentityProvider.md | 22 +++---- .../Get-EntraIdentityProvider.md | 4 ++ .../New-EntraIdentityProvider.md | 4 +- .../New-EntraInvitation.md | 48 +++++++------- .../New-EntraOauth2PermissionGrant.md | 8 +++ .../Remove-EntraIdentityProvider.md | 4 +- .../Remove-EntraOAuth2PermissionGrant.md | 14 ++++- .../Set-EntraIdentityProvider.md | 22 +++---- 14 files changed, 126 insertions(+), 96 deletions(-) diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md index 291932b8fb..426092e3a2 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaIdentityProvider.md @@ -52,6 +52,10 @@ The Gmail user will use their Google account credentials to authenticate and acc The current set of identity providers can be Microsoft, Google, Facebook, Amazon, or LinkedIn. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Retrieve all identity providers 
diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md index e48d0af50c..eb3bc86f98 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaIdentityProvider.md @@ -52,7 +52,9 @@ The current set of identity providers can be: - Amazon - LinkedIn -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md index 2697f37099..a49d006d3e 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaInvitation.md 
@@ -50,7 +50,16 @@ Invitation adds an external user to the organization. When creating a new invita To reset the redemption status for a guest user, the User.ReadWrite.All permission is the minimum required. -For delegated scenarios, the signed-in user must have at least one of the following roles: Guest Inviter, Directory Writers, or User Administrator. Additionally, to reset the redemption status, the signed-in user must have the Helpdesk Administrator or User Administrator role. +For delegated scenarios, the signed-in user must have at least one of the following roles: + +- Guest Inviter +- Directory Writers +- User Administrator + +Additionally, to reset the redemption status, the signed-in user must have the: + +- Helpdesk Administrator +- User Administrator role ## Examples @@ -58,13 +67,10 @@ For delegated scenarios, the signed-in user must have at least one of the follow ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' -} - -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl ``` ```Output 
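Review bot: the reset-redemption sentence in the New-EntraBetaInvitation description hunk now reads "the signed-in user must have the:" followed by two bullets, the second of which ends in "User Administrator role"; that is ungrammatical and leaves it unclear whether one or both roles are needed. Make it "must have one of the following roles:" with bare role names, matching the list directly above it. In the Example 1 hunk below, the splatted `$params = @{ ... }` block is replaced by one invocation with three `-Parameter $variable` pairs on a single line; the splat was the form every example in this file used before the change and it renders without wrapping, so consider keeping it. Both points also apply to the v1.0 New-EntraInvitation.md hunks later in this patch.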
@@ -83,14 +89,11 @@ When the user accepts the invitation, they're forwarded to the url as specified ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' - InvitedUserDisplayName = 'microsoftuser' -} - -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$displayName = 'microsoftuser' +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserDisplayName $displayName ``` ```Output @@ -140,14 +143,11 @@ This example demonstrates how to invite a new external user to your directory wi ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.microsoft.com' - InvitedUserType = 'Guest' -} - -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$userType = 'Guest' +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserType $userType ``` ```Output 
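Review bot: in the InvitedUserType example hunk, `InviteRedirectUrl` changes from 'https://myapps.microsoft.com' to 'https://myapps.onmicrosoft.com'. The removed value is the real My Apps portal; the new one looks like a tenant-domain placeholder, and since the hunk context says the guest is "forwarded to the url as specified" after redemption, a copy-pasted example would send invited users to a host the tenant does not own. If the intent is consistency with Examples 1 and 2, use the real portal URL in all of them, or state explicitly that the value is a placeholder to be replaced.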
@@ -162,14 +162,12 @@ This example demonstrates how to invite a new external user to your directory wi ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' - InvitedUserDisplayName = 'microsoftuser' - ResetRedemption = $true -} -New-EntraBetaInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$displayName = 'microsoftuser' +$resetRedemption = $True +New-EntraBetaInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserDisplayName $displayName -ResetRedemption $resetRedemption ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md index 067d0ed656..fd6e24fe67 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaOauth2PermissionGrant.md 
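Review bot: the ResetRedemption example hunk sets `$resetRedemption = $True` but still connects with `Connect-Entra -Scopes 'User.Invite.All'`, while the description hunk in this same file says User.ReadWrite.All is the minimum permission to reset redemption status and that Helpdesk Administrator or User Administrator is required; as written the example fails at the reset for a plain Guest Inviter. Request both scopes, e.g. `Connect-Entra -Scopes 'User.Invite.All','User.ReadWrite.All'`, and mention the role requirement in the example's explanatory text.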
@@ -40,6 +40,14 @@ New-EntraBetaOauth2PermissionGrant The `New-EntraBetaOauth2PermissionGrant` cmdlet creates a delegated permission grant using an oAuth2PermissionGrant object. This grant authorizes a client service principal to access a resource service principal on behalf of a signed-in user, with access limited to the specified delegated permissions. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: To grant authorization to impersonate all users diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md index 421d42d510..fcce7f7699 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaIdentityProvider.md @@ -37,7 +37,9 @@ This cmdlet is used to delete an identity provider that has been configured in t The identity provider is permanently deleted. -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples 
diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md index c0bf03235f..311a7958c3 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaOAuth2PermissionGrant.md 
@@ -36,15 +36,23 @@ The `Remove-EntraBetaOAuth2PermissionGrant` cmdlet removes an OAuth2PermissionGr When a delegated permission grant is deleted, the access it granted is revoked. Existing access tokens will continue to be valid for their lifetime, but new access tokens will not be granted for the delegated permissions identified in the deleted OAuth2PermissionGrant. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: Remove an OAuth2 permission grant ```powershell Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All' -$SharePointSP = Get-EntraBetaServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} -$SharePointOA2AllSitesRead = Get-EntraBetaOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $SharePointSP.ObjectId} | Where-Object {$_.Scope -eq 'AllSites.Read'} -Remove-EntraBetaOAuth2PermissionGrant -ObjectId $SharePointOA2AllSitesRead.ObjectId +$sharePointSP = Get-EntraBetaServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} +$sharePointOAuth2AllSitesRead = Get-EntraBetaOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $sharePointSP.Id} | Where-Object {$_.Scope -eq 'AllSites.Read'} +Remove-EntraBetaOAuth2PermissionGrant -ObjectId $sharePointOAuth2AllSitesRead.Id ``` This example shows how to remove an OAuth2PermissionGrant object in Microsoft Entra ID. diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md index 40ed98cacc..6afce32340 100644 
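Review bot: in the Remove-EntraBetaOAuth2PermissionGrant example hunk, `Where-Object {$_.Scope -eq 'AllSites.Read'}` only matches a grant whose Scope string is exactly that one value; Scope is a space-separated list of permissions, so a grant carrying 'AllSites.Read' alongside other scopes is silently skipped and nothing is revoked. Compare against the split list instead, for example `Where-Object { ($_.Scope -split ' ') -contains 'AllSites.Read' }`. Two smaller points: `Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'}` can return zero or several service principals, so `$sharePointSP.Id` should be guarded or the lookup done by AppId; and if more than one grant matches, `$sharePointOAuth2AllSitesRead.Id` becomes an array, so pipe the matches into the Remove cmdlet one at a time. The `.ObjectId` to `.Id` correction itself is right. The same applies to the v1.0 Remove-EntraOAuth2PermissionGrant.md hunk.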
--- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaIdentityProvider.md @@ -41,17 +41,17 @@ The `Set-EntraBetaIdentityProvider` cmdlet is used to update the properties of a The type of the identity provider can't be modified. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Update client id of an identity provider ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientId = 'NewClientID' -} -Set-EntraBetaIdentityProvider @params +Set-EntraBetaIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientId 'NewClientID' ``` This example updates the client ID for the specified identity provider. @@ -63,11 +63,7 @@ This example updates the client ID for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientSecret = 'NewClientSecret' -} -Set-EntraBetaIdentityProvider @params +Set-EntraBetaIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientSecret 'NewClientSecret' ``` This example updates the client secret for the specified identity provider. @@ -79,11 +75,7 @@ This example updates the client secret for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - Name = 'NewGoogleName' -} -Set-EntraBetaIdentityProvider @params +Set-EntraBetaIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -Name 'NewGoogleName' ``` This example updates the display name for the specified identity provider. 
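Review bot: Example 2 in the Set-EntraBetaIdentityProvider hunks puts the secret inline, `Set-EntraBetaIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientSecret 'NewClientSecret'`; an admin who pastes a real value this way leaves it in PSReadLine history, transcripts and shell logs. Show the secret being read into a variable first (e.g. `$clientSecret = Read-Host -Prompt 'Client secret'` or a secret-store lookup) and pass the variable, and say the value shown is a placeholder. Collapsing the other two splats into one-liners is the same style change made elsewhere in this patch; fine either way, but keep it consistent across the module. Same for the v1.0 Set-EntraIdentityProvider.md hunks.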
diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md index 358563649f..190033a816 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraIdentityProvider.md @@ -52,6 +52,10 @@ The Gmail user will use their Google account credentials to authenticate and acc The current set of identity providers can be Microsoft, Google, Facebook, Amazon, or LinkedIn. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Retrieve all identity providers diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md index 5e6ce8b6b1..fb7c4ae902 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraIdentityProvider.md @@ -52,7 +52,9 @@ The current set of identity providers can be: - Amazon - LinkedIn -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples 
diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md index df6ead8bb6..fe9974b54a 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraInvitation.md @@ -48,7 +48,16 @@ Invitation adds an external user to the organization. When creating a new invita To reset the redemption status for a guest user, the User.ReadWrite.All permission is the minimum required. -For delegated scenarios, the signed-in user must have at least one of the following roles: Guest Inviter, Directory Writers, or User Administrator. Additionally, to reset the redemption status, the signed-in user must have the Helpdesk Administrator or User Administrator role. +For delegated scenarios, the signed-in user must have at least one of the following roles: + +- Guest Inviter +- Directory Writers +- User Administrator + +Additionally, to reset the redemption status, the signed-in user must have the: + +- Helpdesk Administrator +- User Administrator role ## Examples @@ -56,13 +65,10 @@ For delegated scenarios, the signed-in user must have at least one of the follow ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' -} - -New-EntraInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +New-EntraInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl ``` ```Output 
@@ -81,14 +87,11 @@ When the user accepts the invitation, they're forwarded to the url as specified ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.onmicrosoft.com' - InvitedUserDisplayName = 'microsoftuser' -} - -New-EntraInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$displayName = 'microsoftuser' +New-EntraInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserDisplayName $displayName ``` ```Output @@ -138,14 +141,11 @@ This example demonstrates how to invite a new external user to your directory wi ```powershell Connect-Entra -Scopes 'User.Invite.All' -$params = @{ - InvitedUserEmailAddress = 'someexternaluser@externaldomain.com' - SendInvitationMessage = $True - InviteRedirectUrl = 'https://myapps.microsoft.com' - InvitedUserType = 'Guest' -} - -New-EntraInvitation @params +$emailAddress = 'someexternaluser@externaldomain.com' +$sendInvitationMessage = $True +$redirectUrl = 'https://myapps.onmicrosoft.com' +$userType = 'Guest' +New-EntraInvitation -InvitedUserEmailAddress $emailAddress -SendInvitationMessage $sendInvitationMessage -InviteRedirectUrl $redirectUrl -InvitedUserType $userType ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md index 38a98265c1..b652b87d18 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraOauth2PermissionGrant.md 
@@ -38,6 +38,14 @@ New-EntraOauth2PermissionGrant The `New-EntraOauth2PermissionGrant` cmdlet creates a delegated permission grant using an oAuth2PermissionGrant object. This grant authorizes a client service principal to access a resource service principal on behalf of a signed-in user, with access limited to the specified delegated permissions. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: To grant authorization to impersonate all users diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md index c1982b130d..50ef646b40 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraIdentityProvider.md @@ -36,7 +36,9 @@ This cmdlet is used to delete an identity provider that has been configured in t The identity provider is permanently deleted. -The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator ## Examples diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md index ae6f1af933..336c4fa410 100644 
--- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraOAuth2PermissionGrant.md @@ -36,15 +36,23 @@ The `Remove-EntraOAuth2PermissionGrant` cmdlet removes an OAuth2PermissionGrant When a delegated permission grant is deleted, the access it granted is revoked. Existing access tokens will continue to be valid for their lifetime, but new access tokens will not be granted for the delegated permissions identified in the deleted OAuth2PermissionGrant. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Application Developer +- Cloud Application Administrator +- Directory Writers +- User Administrator +- Privileged Role Administrator + ## Examples ### Example 1: Remove an OAuth2 permission grant ```powershell Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All' -$SharePointSP = Get-EntraServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} -$SharePointOA2AllSitesRead = Get-EntraOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $SharePointSP.ObjectId} | Where-Object {$_.Scope -eq 'AllSites.Read'} -Remove-EntraOAuth2PermissionGrant -ObjectId $SharePointOA2AllSitesRead.ObjectId +$sharePointSP = Get-EntraServicePrincipal | Where-Object {$_.DisplayName -eq 'Microsoft.SharePoint'} +$sharePointOAuth2AllSitesRead = Get-EntraOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $sharePointSP.Id} | Where-Object {$_.Scope -eq 'AllSites.Read'} +Remove-EntraOAuth2PermissionGrant -ObjectId $sharePointOAuth2AllSitesRead.Id ``` This example shows how to remove an OAuth2PermissionGrant object in Microsoft Entra ID. 
diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md index 557f8d8cee..9e1e90351e 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraIdentityProvider.md @@ -41,17 +41,17 @@ The `Set-EntraIdentityProvider` cmdlet is used to update the properties of an ex The type of the identity provider can't be modified. +In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- External Identity Provider Administrator + ## Examples ### Example 1: Update client id of an identity provider ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientId = 'NewClientID' -} -Set-EntraIdentityProvider @params +Set-EntraIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientId 'NewClientID' ``` This example updates the client ID for the specified identity provider. @@ -63,11 +63,7 @@ This example updates the client ID for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - ClientSecret = 'NewClientSecret' -} -Set-EntraIdentityProvider @params +Set-EntraIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -ClientSecret 'NewClientSecret' ``` This example updates the client secret for the specified identity provider. 
@@ -79,11 +75,7 @@ This example updates the client secret for the specified identity provider. ```powershell Connect-Entra -Scopes 'IdentityProvider.ReadWrite.All' -$params = @{ - IdentityProviderBaseId = 'Google-OAuth' - Name = 'NewGoogleName' -} -Set-EntraIdentityProvider @params +Set-EntraIdentityProvider -IdentityProviderBaseId 'Google-OAuth' -Name 'NewGoogleName' ``` This example updates the display name for the specified identity provider. From a540e0026c8bff9e5be23b5951552b3565afb67e Mon Sep 17 00:00:00 2001 From: Steve Mutungi <132555836+SteveMutungi254@users.noreply.github.com> Date: Sun, 17 Nov 2024 19:55:27 +0000 Subject: [PATCH 2/6] Adding required roles --- .../Get-EntraBetaAccountSku.md | 13 ++++++++++--- .../Microsoft.Graph.Entra/Get-EntraAccountSku.md | 13 ++++++++++--- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md index 4df777d0c0..f53b8aee0b 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAccountSku.md 
@@ -46,12 +46,18 @@ The `Get-EntraBetaAccountSku` retrieves the list of commercial subscriptions acq For a list of license names in the Microsoft Entra or Microsoft 365 admin centers and their corresponding Microsoft Graph `skuId` and `skuPartNumber` properties, refer to the [mapping information](https://learn.microsoft.com/entra/identity/users/licensing-service-plan-reference). +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Gets a list of SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaAccountSku ``` @@ -68,8 +74,9 @@ This command returns a list of SKUs. ### Example 2: Gets a list of SKUs by TenantId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' -Get-EntraBetaAccountSku -TenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' +$tenantId = (Get-EntraContext).TenantId +Get-EntraBetaAccountSku -TenantId $tenantId ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md index d6e6628eca..8c3e1b9e39 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAccountSku.md 
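Review bot: the role paragraph added to Get-EntraBetaAccountSku.md says "when acting on another user", but the hunk context describes a cmdlet that lists the tenant's commercial subscriptions and never acts on a user; the clause reads as copied from a user-object API and should be dropped, and the "(read-only access to standard properties)" qualifier on Dynamics 365 Business Central Administrator should be checked for the same reason. On the Connect-Entra lines, 'LicenseAssignment.Read.All' is added next to 'Organization.Read.All'; if the former is sufficient on its own, which adding it implies, requesting both consents more than the least-privilege statement above promises, so keep only what the cmdlet needs or say why both are required. Replacing the literal GUID in Example 2 with `(Get-EntraContext).TenantId` is a good change. The v1.0 Get-EntraAccountSku.md hunk carries the same text.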
@@ -46,12 +46,18 @@ The `Get-EntraAccountSku` retrieves the list of commercial subscriptions acquire For a list of license names in the Microsoft Entra or Microsoft 365 admin centers and their corresponding Microsoft Graph `skuId` and `skuPartNumber` properties, refer to the [mapping information](https://learn.microsoft.com/entra/identity/users/licensing-service-plan-reference). +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Gets a list of SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraAccountSku ``` @@ -68,8 +74,9 @@ This command returns a list of SKUs. ### Example 2: Gets a list of SKUs by TenantId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' -Get-EntraAccountSku -TenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' +$tenantId = (Get-EntraContext).TenantId +Get-EntraAccountSku -TenantId $tenantId ``` ```Output From 9d1838f2d1d7a5ea95a66ef4cc0b51988d2d74b3 Mon Sep 17 00:00:00 2001 From: Steve Mutungi <132555836+SteveMutungi254@users.noreply.github.com> Date: Sun, 17 Nov 2024 20:02:17 +0000 Subject: [PATCH 3/6] Adding roles for commands --- .../Get-EntraBetaSubscribedSku.md | 16 +++++++++++----- .../Get-EntraSubscribedSku.md | 16 +++++++++++----- 2 files changed, 22 insertions(+), 10 deletions(-) 
diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md index 962647218f..cb1b986e5d 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaSubscribedSku.md @@ -46,12 +46,18 @@ Get-EntraBetaSubscribedSku The `Get-EntraBetaSubscribedSku` cmdlet gets subscribed SKUs to Microsoft services. +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Get subscribed SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaSubscribedSku ``` @@ -68,7 +74,7 @@ This example demonstrates how to retrieve subscribed SKUs to Microsoft services. ### Example 2: Get subscribed SKUs by SubscribedSkuId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaSubscribedSku -SubscribedSkuId 'aaaaaaaa-0b0b-1c1c-2d2d-333333333333' ``` @@ -85,7 +91,7 @@ This example demonstrates how to retrieve specified subscribed SKUs to Microsoft ### Example 3: Get available license plans ```powershell -Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All' +Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All','LicenseAssignment.Read.All' Get-EntraBetaSubscribedSku | Select-Object -Property Sku*, ConsumedUnits -ExpandProperty PrepaidUnits ``` 
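Review bot: Example 3 in the Get-EntraBetaSubscribedSku.md hunks is a read-only `Select-Object` over subscribed SKUs yet now requests `'User.ReadWrite.All','Organization.Read.All','LicenseAssignment.Read.All'`; the write scope was already unnecessary before this change, and this commit is the place to drop it rather than lengthen the list. The added role paragraph repeats the "when acting on another user" clause flagged for Get-EntraBetaAccountSku, which does not fit a tenant-level SKU listing. Examples 4 and 5 below change only the scope line; their client-side `Where-Object` over `Get-EntraBetaUser -All` is acceptable for docs but deserves a sentence noting it enumerates every user in the tenant. The same comments apply to the v1.0 Get-EntraSubscribedSku.md hunks.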
@@ -105,7 +111,7 @@ This example demonstrates how to retrieve available license plans. ### Example 4: Retrieve all users assigned a specific license ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' $sku = Get-EntraBetaSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'DEVELOPERPACK_E5' } $skuId = $sku.SkuId $usersWithDeveloperPackE5 = Get-EntraBetaUser -All | Where-Object { @@ -127,7 +133,7 @@ This example demonstrates how to retrieve all users assigned a specific license. ### Example 5: Get a list of users, their assigned licenses, and licensing source ```powershell -Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All','LicenseAssignment.Read.All' # Get all users with specified properties $Users = Get-EntraBetaUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName, UserPrincipalName, ObjectId diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md index bcf1591a2e..d670ddacba 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraSubscribedSku.md 
@@ -44,12 +44,18 @@ Get-EntraSubscribedSku The `Get-EntraSubscribedSku` cmdlet gets subscribed SKUs to Microsoft services. +In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation: + +- Dynamics 365 Business Central Administrator (read-only access to standard properties) +- Global Reader +- Directory Readers + ## Examples ### Example 1: Get subscribed SKUs ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraSubscribedSku ``` @@ -66,7 +72,7 @@ This example demonstrates how to retrieve subscribed SKUs to Microsoft services. ### Example 2: Get subscribed SKUs by SubscribedSkuId ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' Get-EntraSubscribedSku -SubscribedSkuId 'abcdefgh-1111-2222-bbbb-cccc33333333_dddddddd-4444-5555-eeee-666666666666' ``` @@ -83,7 +89,7 @@ This example demonstrates how to retrieve specified subscribed SKUs to Microsoft ### Example 3: Get available license plans ```powershell -Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All' +Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All','LicenseAssignment.Read.All' Get-EntraSubscribedSku | Select-Object -Property Sku*, ConsumedUnits -ExpandProperty PrepaidUnits ``` 
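Review bot: the Example 3 hunk of Get-EntraSubscribedSku (@@ -83,7) rewrites the Connect-Entra line but keeps `'User.ReadWrite.All'` in an example whose only command is `Get-EntraSubscribedSku | Select-Object -Property Sku*, ConsumedUnits -ExpandProperty PrepaidUnits`; a read-only listing should not ask for a write scope, so while the line is being touched, suggest `Connect-Entra -Scopes 'Organization.Read.All'` (the beta page's Example 3 hunk above has the same line).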
@@ -103,7 +109,7 @@ This example demonstrates how to retrieve available license plans. ### Example 4: Retrieve all users assigned a specific license ```powershell -Connect-Entra -Scopes 'Organization.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All' $sku = Get-EntraSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'DEVELOPERPACK_E5' } $skuId = $sku.SkuId $usersWithDeveloperPackE5 = Get-EntraUser -All | Where-Object { @@ -125,7 +131,7 @@ This example demonstrates how to retrieve all users assigned a specific license. ### Example 5: Get a list of users, their assigned licenses, and licensing source ```powershell -Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All' +Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All','LicenseAssignment.Read.All' # Get all users with specified properties $Users = Get-EntraUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName, UserPrincipalName, ObjectId From ae57b03b3d6b8f2b2203eed5f5978c751e4482ec Mon Sep 17 00:00:00 2001 From: Steve Mutungi <132555836+SteveMutungi254@users.noreply.github.com> Date: Sun, 17 Nov 2024 20:36:33 +0000 Subject: [PATCH 4/6] Adding roles --- .../Get-EntraBetaAuditDirectoryLog.md | 6 ++ .../New-EntraBetaDirectoryRoleAssignment.md | 14 ++-- .../New-EntraBetaDirectoryRoleDefinition.md | 69 +++++-------------- .../Set-EntraBetaPartnerInformation.md | 6 +- .../Get-EntraAuditDirectoryLog.md | 6 ++ .../New-EntraDirectoryRoleAssignment.md | 14 ++-- .../New-EntraDirectoryRoleDefinition.md | 69 +++++-------------- .../Set-EntraPartnerInformation.md | 6 +- 8 files changed, 66 insertions(+), 124 deletions(-) diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md index 2443efe016..dd42d5c019 100644 
--- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaAuditDirectoryLog.md @@ -39,6 +39,12 @@ Get-EntraBetaAuditDirectoryLog The `Get-EntraBetaAuditDirectoryLog` cmdlet gets a Microsoft Entra ID audit log. Retrieve audit logs from Microsoft Entra ID, covering logs from various services such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management. +In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Reports Reader +- Security Administrator +- Security Reader + ## Examples ### Example 1: Get all logs diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md index c0285dab6c..107edb0d68 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleAssignment.md 
@@ -36,19 +36,19 @@ New-EntraBetaDirectoryRoleAssignment The `New-EntraBetaDirectoryRoleAssignment` cmdlet creates a new Microsoft Entra role assignment. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Create a new Microsoft Entra ID role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -$params = @{ - RoleDefinitionId = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1' - PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222' - DirectoryScopeId = '/' - } - -New-EntraBetaDirectoryRoleAssignment @params +$user = Get-EntraBetaUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +New-EntraBetaDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.Id -DirectoryScopeId '/' ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md index b344455318..6cc20e3b9c 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/New-EntraBetaDirectoryRoleDefinition.md 
@@ -41,22 +41,19 @@ New-EntraBetaDirectoryRoleDefinition Create a new Microsoft Entra ID roleDefinition object. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Creates a new role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") - -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' ``` ```Output @@ -77,16 +74,9 @@ This command creates a new role definition in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Description = 'Role Definition demo' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Description 'Role Definition demo' ``` ```Output 
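Review bot: `New-object` in the rewritten lines of both New-EntraBetaDirectoryRoleDefinition hunks here should be `New-Object`; the lines are being replaced anyway, so fix the cmdlet casing in the same change (it recurs in the three hunks that follow and in the v1.0 copy). The added paragraph also reads "The minimum roles required for this operation are:" followed by a single item, which differs from the "The following least privileged roles support this operation:" wording introduced for the SubscribedSku and AuditDirectoryLog pages in this series; pick one phrasing for the whole PR. Replacing splatting with a single invocation is fine for the three-parameter case, but the Description, ResourceScopes, TemplateId and Version variants now run well past 120 characters on one line, which is what the hash table was avoiding.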
@@ -108,16 +98,9 @@ This command creates a new role definition with Description parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - ResourceScopes = '/' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -ResourceScopes '/' ``` ```Output @@ -138,16 +121,9 @@ This command creates a new role definition with ResourceScopes parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - TemplateId = '4dd5aa9c-cf4d-4895-a993-740d342802b9' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -TemplateId '4dd5aa9c-cf4d-4895-a993-740d342802b9' ``` ```Output 
@@ -168,16 +144,9 @@ This command creates a new role definition with TemplateId parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Version = '2' -} - -New-EntraBetaDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Version '2' ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md index fa862a55f4..ba9e2b4b12 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaPartnerInformation.md @@ -86,11 +86,7 @@ This example shows how to update the support email addresses. ```powershell Connect-Entra -Scopes 'Organization.ReadWrite.All' $tenantId = (Get-EntraContext).TenantId -$params = @{ - PartnerSupportTelephones = '234234234' - TenantId = $tenantId -} -Set-EntraBetaPartnerInformation @params +Set-EntraBetaPartnerInformation -PartnerSupportTelephones '234234234' -TenantId $tenantId ``` This example shows how to update support telephone numbers. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md index 640ed63b0e..c660d1d94b 100644 
--- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraAuditDirectoryLog.md @@ -38,6 +38,12 @@ The `Get-EntraAuditDirectoryLog` cmdlet gets a Microsoft Entra ID audit log. Retrieve audit logs from Microsoft Entra ID, covering logs from various services such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management. +In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation: + +- Reports Reader +- Security Administrator +- Security Reader + ## Examples ### Example 1: Get all logs diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md index aae90daa6d..7fb6938aa6 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleAssignment.md 
@@ -36,19 +36,19 @@ New-EntraDirectoryRoleAssignment The `New-EntraDirectoryRoleAssignment` cmdlet creates a new Microsoft Entra role assignment. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Create a new Microsoft Entra ID role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -$params = @{ - RoleDefinitionId = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1' - PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222' - DirectoryScopeId = '/' - } - -New-EntraDirectoryRoleAssignment @params +$user = Get-EntraUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +New-EntraDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.Id -DirectoryScopeId '/' ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md index d55868d7d6..e87671a157 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/New-EntraDirectoryRoleDefinition.md 
@@ -40,22 +40,19 @@ New-EntraDirectoryRoleDefinition Create a new Microsoft Entra ID roleDefinition object. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Creates a new role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") - -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' ``` ```Output @@ -76,16 +73,9 @@ This command creates a new role definition in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Description = 'Role Definition demo' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Description 'Role Definition demo' ``` ```Output 
@@ -107,16 +97,9 @@ This command creates a new role definition with Description parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - ResourceScopes = '/' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -ResourceScopes '/' ``` ```Output @@ -137,16 +120,9 @@ This command creates a new role definition with ResourceScopes parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - TemplateId = '4dd5aa9c-cf4d-4895-a993-740d342802b9' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -TemplateId '4dd5aa9c-cf4d-4895-a993-740d342802b9' ``` ```Output 
@@ -167,16 +143,9 @@ This command creates a new role definition with TemplateId parameter. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") -$params = @{ - RolePermissions = $RolePermissions - IsEnabled = $false - DisplayName = 'MyRoleDefinition' - Version = '2' -} - -New-EntraDirectoryRoleDefinition @params +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/basic/read") +New-EntraDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Version '2' ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md index 1a4ad58b18..6a0aba6f16 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraPartnerInformation.md @@ -86,11 +86,7 @@ This example shows how to update the support email addresses. ```powershell Connect-Entra -Scopes 'Organization.ReadWrite.All' $tenantId = (Get-EntraContext).TenantId -$params = @{ - PartnerSupportTelephones = '234234234' - TenantId = $tenantId -} -Set-EntraPartnerInformation @params +Set-EntraPartnerInformation -PartnerSupportTelephones '234234234' -TenantId $tenantId ``` This example shows how to update support telephone numbers. From 12d41b14ebd00cdf3d84985cef7046e2900f90fc Mon Sep 17 00:00:00 2001 
From: Steve Mutungi <132555836+SteveMutungi254@users.noreply.github.com> Date: Sun, 17 Nov 2024 21:01:29 +0000 Subject: [PATCH 5/6] Enriching Get directory role assignment examples --- .../Get-EntraBetaDirectoryRoleAssignment.md | 11 ++++++++--- .../Remove-EntraBetaDirectoryRoleAssignment.md | 9 ++++++++- .../Get-EntraDirectoryRoleAssignment.md | 11 ++++++++--- .../Remove-EntraDirectoryRoleAssignment.md | 9 ++++++++- 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md index 9e7e5f3043..d64a070f78 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleAssignment.md @@ -114,7 +114,10 @@ This command gets all the role assignments in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId '00001111-aaaa-2222-bbbb-3333cccc4444' +$user = Get-EntraBetaUser -UserId 'BiancaP@M365x80713871.OnMicrosoft.com' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraBetaDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Get-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` ```Output 
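Review bot: in the Get-EntraBetaDirectoryRoleAssignment Example 2 hunk (@@ -114,7), `'BiancaP@M365x80713871.OnMicrosoft.com'` looks like a real demo-tenant UPN and breaks with the `'SawyerM@contoso.com'` placeholder every other example in this series uses; replace it with the contoso placeholder (the v1.0 twin below already does). The same hunk locates one assignment with `Get-EntraBetaDirectoryRoleAssignment -All | Where-Object {...}`, pulling every assignment in the tenant client-side, while the next two hunks on this page show the server-side `-Filter "principalId eq '$userId'"`; use that filter and narrow on RoleDefinitionId afterwards. Minor: `$_.principalId` and `-AND` should be `$_.PrincipalId` and `-and` to match the surrounding code.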
@@ -131,7 +134,8 @@ This command gets the role assignments using specified roleAssignment Id. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleAssignment -Filter "principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'" +$userId = (Get-EntraBetaUser -UserId 'SawyerM@contoso.com').Id +Get-EntraBetaDirectoryRoleAssignment -Filter "principalId eq '$userId'" ``` ```Output @@ -147,7 +151,8 @@ This command gets the role assignments containing the specified principalId. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleAssignment -Filter "roleDefinitionId eq 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'" +$roleId = (Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'").Id +Get-EntraBetaDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md index 837399cee9..9ac11f68c2 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleAssignment.md 
@@ -34,13 +34,20 @@ Remove-EntraBetaDirectoryRoleAssignment The `Remove-EntraBetaDirectoryRoleAssignment` cmdlet removes a role assignment from Microsoft Entra ID. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -Remove-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId 'Y1vFBcN4i0e3ngdNDocmngJAWGnAbFVAnJQyBBLv1lM-1' +$user = Get-EntraBetaUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraBetaDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Remove-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` This example removes the specified role assignment from Microsoft Entra ID. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md index 7c86ba6f95..b336d17746 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleAssignment.md 
@@ -114,7 +114,10 @@ This command gets all the role assignments in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId '00001111-aaaa-2222-bbbb-3333cccc4444' +$user = Get-EntraUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Get-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` ```Output @@ -131,7 +134,8 @@ This command gets the role assignments using specified roleAssignment Id. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleAssignment -Filter "principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'" +$userId = (Get-EntraUser -UserId 'SawyerM@contoso.com').Id +Get-EntraDirectoryRoleAssignment -Filter "principalId eq '$userId'" ``` ```Output @@ -147,7 +151,8 @@ This command gets the role assignments containing the specified principalId. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleAssignment -Filter "roleDefinitionId eq 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'" +$roleId = (Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'").Id +Get-EntraDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" ``` ```Output diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md index ba9841b7cd..9d97c6593d 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md 
+++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleAssignment.md @@ -34,13 +34,20 @@ Remove-EntraDirectoryRoleAssignment The `Remove-EntraDirectoryRoleAssignment` cmdlet removes a role assignment from Microsoft Entra ID. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a role assignment ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All' -Remove-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId Y1vFBcN4i0e3ngdNDocmngJAWGnAbFVAnJQyBBLv1lM-1 +$user = Get-EntraUser -UserId 'SawyerM@contoso.com' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +$assignment = Get-EntraDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id} +Remove-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id ``` This example removes the specified role assignment from Microsoft Entra ID. From 0a110a9f6a3c151782548ff0d46236d8f469e682 Mon Sep 17 00:00:00 2001 From: Steve Mutungi <132555836+SteveMutungi254@users.noreply.github.com> Date: Sun, 17 Nov 2024 21:17:16 +0000 Subject: [PATCH 6/6] Updating examples --- .../Get-EntraBetaDirectoryRoleDefinition.md | 3 +- ...Remove-EntraBetaDirectoryRoleDefinition.md | 7 ++++- .../Set-EntraBetaDirectoryRoleDefinition.md | 29 +++++++------------ .../Get-EntraDirectoryRoleDefinition.md | 3 +- .../Remove-EntraDirectoryRoleDefinition.md | 7 ++++- .../Set-EntraDirectoryRoleDefinition.md | 11 ++++--- 6 files changed, 33 insertions(+), 27 deletions(-) 
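Review bot: the Remove-EntraDirectoryRoleAssignment Example 1 hunk (@@ -34,13, and its beta twin above) feeds the result of a `Where-Object` lookup straight into a delete with no check that exactly one assignment matched; if the user holds no Helpdesk Administrator assignment `$assignment.Id` is empty and the call fails, and if the role is assigned at more than one scope it is an array. For an example of a destructive cmdlet, wrap the call in an `if ($assignment.Count -eq 1) { ... }` guard or state the precondition in the sentence under the block; the same applies to `-UnifiedRoleDefinitionId $role.Id` in the Remove-EntraDirectoryRoleDefinition hunks of the next patch.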
diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md index c7542f8ba8..a53e748b89 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Get-EntraBetaDirectoryRoleDefinition.md @@ -94,7 +94,8 @@ This command returns all the role definitions present. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId '1a327991-10cb-4266-877a-998fb4df78ec' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +Get-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` ```Output diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md index dd80d087e7..5016709563 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Remove-EntraBetaDirectoryRoleDefinition.md 
@@ -36,13 +36,18 @@ Delete a Microsoft Entra ID Directory roleDefinition object by ID. You can't delete built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a specified role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -Remove-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1' +$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Contoso Custom Role Definition'" +Remove-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` This example demonstrates how to remove the specified role definition from Microsoft Entra ID. diff --git a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md index 46e1974f67..e761641468 100644 --- a/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-beta/Microsoft.Graph.Entra.Beta/Set-EntraBetaDirectoryRoleDefinition.md @@ -42,6 +42,10 @@ Set-EntraBetaDirectoryRoleDefinition Updates a Microsoft Entra roleDefinition object identified by ID. You can't update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Update an roleDefinition 
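Review bot: the trailing context of the Set-EntraBetaDirectoryRoleDefinition description hunk (@@ -42,6) ends with the heading "### Example 1: Update an roleDefinition"; since the paragraph directly above it is being added, fix the article to "a roleDefinition" in the same change.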
@@ -49,11 +53,7 @@ Updates a Microsoft Entra roleDefinition object identified by ID. You can't upda ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$params = @{ - UnifiedRoleDefinitionId = $roleDefinition.Id - DisplayName = 'UpdatedDisplayName' -} -Set-EntraBetaDirectoryRoleDefinition @params +Set-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -DisplayName 'UpdatedDisplayName' ``` This example updates the specified role definition in Microsoft Entra ID. @@ -66,11 +66,7 @@ This example updates the specified role definition in Microsoft Entra ID. ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$params = @{ - UnifiedRoleDefinitionId = $roleDefinition.Id - Description = 'MYROLEUPDATE1S' -} -Set-EntraBetaDirectoryRoleDefinition @params +Set-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -Description 'MYROLEUPDATE1S' ``` This example updates the Description of specified role definition in Microsoft Entra ID. @@ -83,11 +79,7 @@ This example updates the Description of specified role definition in Microsoft E ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$params = @{ - UnifiedRoleDefinitionId = $roleDefinition.Id - IsEnabled = $true -} -Set-EntraBetaDirectoryRoleDefinition @params +Set-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id -IsEnabled $true ``` This example updates the IsEnabled of specified role definition in Microsoft Entra ID. 
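Review bot: all three Set-EntraBetaDirectoryRoleDefinition hunks here (and the Example 5 hunk that follows, plus the v1.0 copy) rewrite the Set line but keep the context line `$roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''"` above it; with an empty display name the lookup returns nothing, so `$roleDefinition.Id` is null and the example cannot work as written. Since these examples are being reworked, fix the filter in the same change, for instance with the `'Contoso Custom Role Definition'` name that the Remove-EntraBetaDirectoryRoleDefinition hunk in this patch introduces.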
@@ -100,19 +92,18 @@ This example updates the IsEnabled of specified role definition in Microsoft Ent ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''" -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") $params = @{ UnifiedRoleDefinitionId = $roleDefinition.Id Description = 'Update' DisplayName = 'Update' ResourceScopes = '/' IsEnabled = $false - RolePermissions = $RolePermissions + RolePermissions = $rolePermissions TemplateId = '54d418b2-4cc0-47ee-9b39-e8f84ed8e073' Version = 2 } - Set-EntraBetaDirectoryRoleDefinition @params ``` diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md index 7fcd4cd5a8..8749e56457 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Get-EntraDirectoryRoleDefinition.md @@ -93,7 +93,8 @@ This command returns all the role definitions present. ```powershell Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All' -Get-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId '1a327991-10cb-4266-877a-998fb4df78ec' +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'" +Get-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` ```Output 
diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md index d80058e54d..3a76ecddf4 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Remove-EntraDirectoryRoleDefinition.md @@ -37,13 +37,18 @@ Delete a Microsoft Entra ID Directory roleDefinition object by ID. You can't delete built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Remove a specified role definition ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' -Remove-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Contoso Custom Role Definition'" +Remove-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id ``` This example demonstrates how to remove the specified role definition from Microsoft Entra ID. diff --git a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md index d00e0c6818..5ef6d4d5b0 100644 --- a/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md +++ b/module/docs/entra-powershell-v1.0/Microsoft.Graph.Entra/Set-EntraDirectoryRoleDefinition.md 
@@ -41,6 +41,10 @@ Set-EntraDirectoryRoleDefinition Updates a Microsoft Entra roleDefinition object identified by ID. You can't update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license. +In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are: + +- Privileged Role Administrator + ## Examples ### Example 1: Update an roleDefinition @@ -87,19 +91,18 @@ This example updates the IsEnabled of specified role definition in Microsoft Ent ```powershell Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory' $roleDefinition = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq ''" -$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission -$RolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") +$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission +$rolePermissions.AllowedResourceActions = @("microsoft.directory/applications/standard/read") $params = @{ UnifiedRoleDefinitionId = $roleDefinition.Id Description = 'Update' DisplayName = 'Update' ResourceScopes = '/' IsEnabled = $false - RolePermissions = $RolePermissions + RolePermissions = $rolePermissions TemplateId = '54d418b2-4cc0-47ee-9b39-e8f84ed8e073' Version = 2 } - Set-EntraDirectoryRoleDefinition @params ```
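Review bot: the new lookup in Example 1 of Remove-EntraBetaDirectoryRoleDefinition.md (@@ -36) and its v1.0 twin in Remove-EntraDirectoryRoleDefinition.md (@@ -37) feeds `$role.Id` straight into a destructive call without checking what the filter returned. Display names are not unique, so `Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Contoso Custom Role Definition'"` can return nothing (then `-UnifiedRoleDefinitionId` receives `$null`) or several definitions (then the example removes more than the reader intended). A guard such as `if ($role -and @($role).Count -eq 1) { Remove-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id }` keeps the example from misfiring, and the same guard fits the v1.0 example, which previously passed the GUID unquoted.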
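Review bot: the three simplified examples in Set-EntraBetaDirectoryRoleDefinition.md (hunks at @@ -49, @@ -66 and @@ -83) still rely on the unchanged context line `$roleDefinition = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq ''"`, which filters on an empty display name and so never matches; every `Set-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinition.Id ...` line then runs with a null ID. Since the PR is about enriching the examples, put a real name in the filter, for instance the 'Contoso Custom Role Definition' used in the Remove examples, and replace the placeholder `-Description 'MYROLEUPDATE1S'` with a description a reader can understand. Collapsing the splatted hashtables into direct parameters is fine.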
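Review bot: in the RolePermissions hunk of Set-EntraBetaDirectoryRoleDefinition.md (@@ -100) and the matching hunk of Set-EntraDirectoryRoleDefinition.md (@@ -87), the rename to `$rolePermissions` is applied consistently at both the assignment and the hashtable entry, but `New-object` is left in lower case while every other cmdlet in the block uses the canonical casing; make it `New-Object`. The same empty filter `-Filter "DisplayName eq ''"` appears here as context, and the `Description = 'Update'` / `DisplayName = 'Update'` values do not tell the reader what the example changes; name the role being updated. The example also sets `IsEnabled = $false`, which disables the role being updated, so a comment saying that this is intentional would help readers who copy the block.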
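Review bot: in Get-EntraDirectoryRoleDefinition.md (@@ -93) the example now resolves 'Helpdesk Administrator' by display name and then calls `Get-EntraDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id` on the object it already holds, so the second call only makes sense as a demonstration of the `-UnifiedRoleDefinitionId` parameter; a short comment saying so would avoid the impression that the round trip is required. The hunk replaces the hard-coded ID '1a327991-10cb-4266-877a-998fb4df78ec' but stops just before the ```Output block, so check that the output shown still corresponds to the Helpdesk Administrator definition rather than to the old ID.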
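Review bot: the added paragraph in the Remove and Set hunks (@@ -36 and @@ -42 in the beta files, @@ -37 and @@ -41 in v1.0) says "The minimum roles required for this operation are:" and then lists a single role, Privileged Role Administrator; either phrase it in the singular or keep the plural only where more than one least-privileged role is listed. The unchanged context heading `### Example 1: Update an roleDefinition` in both Set files has a grammatical slip ("an roleDefinition"); since the hunk touches the lines right above it, this is a cheap fix to fold in.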