microsoftgraph · KenitoInc · Jan 21, 2025 · Nov 17, 2024 · Nov 17, 2024 · Nov 17, 2024
@@ -46,12 +46,18 @@ The `Get-EntraBetaAccountSku` retrieves the list of commercial subscriptions acq
 
 For a list of license names in the Microsoft Entra or Microsoft 365 admin centers and their corresponding Microsoft Graph `skuId` and `skuPartNumber` properties, refer to the [mapping information](https://learn.microsoft.com/entra/identity/users/licensing-service-plan-reference).
 
+In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation:
+
+- Dynamics 365 Business Central Administrator (read-only access to standard properties)  
+- Global Reader  
+- Directory Readers
+
 ## Examples
 
 ### Example 1: Gets a list of SKUs
 
 ```powershell
-Connect-Entra -Scopes 'Organization.Read.All'
+Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All'
 Get-EntraBetaAccountSku
 ```
 
@@ -68,8 +74,9 @@ This command returns a list of SKUs.
 ### Example 2: Gets a list of SKUs by TenantId
 
 ```powershell
-Connect-Entra -Scopes 'Organization.Read.All'
-Get-EntraBetaAccountSku -TenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee'
+Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All'
+$tenantId = (Get-EntraContext).TenantId
+Get-EntraBetaAccountSku -TenantId $tenantId
 ```
 
 ```Output

@@ -39,6 +39,12 @@ Get-EntraBetaAuditDirectoryLog
 The `Get-EntraBetaAuditDirectoryLog` cmdlet gets a Microsoft Entra ID audit log.
 Retrieve audit logs from Microsoft Entra ID, covering logs from various services such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management.
 
+In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:
+
+- Reports Reader  
+- Security Administrator  
+- Security Reader
+
 ## Examples
 
 ### Example 1: Get all logs

@@ -114,7 +114,10 @@ This command gets all the role assignments in Microsoft Entra ID.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
-Get-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId '00001111-aaaa-2222-bbbb-3333cccc4444'
+$user = Get-EntraBetaUser -UserId '[email protected]'
+$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'"
+$assignment = Get-EntraBetaDirectoryRoleAssignment -All | Where-Object {$_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id}
+Get-EntraBetaDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
 ```
 
 ```Output
@@ -131,7 +134,8 @@ This command gets the role assignments using specified roleAssignment Id.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
-Get-EntraBetaDirectoryRoleAssignment -Filter "principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'"
+$userId = (Get-EntraBetaUser -UserId '[email protected]').Id
+Get-EntraBetaDirectoryRoleAssignment -Filter "principalId eq '$userId'"
 ```
 
 ```Output
@@ -147,7 +151,8 @@ This command gets the role assignments containing the specified principalId.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
-Get-EntraBetaDirectoryRoleAssignment -Filter "roleDefinitionId eq 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'"
+$roleId = (Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'").Id
+Get-EntraBetaDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'"
 ```
 
 ```Output

@@ -94,7 +94,8 @@ This command returns all the role definitions present.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
-Get-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId '2af84b1e-32c8-42b7-82bc-daa82404023b'
+$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'"
+Get-EntraBetaDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
 ```
 
 ```Output

@@ -52,6 +52,10 @@ The Gmail user will use their Google account credentials to authenticate and acc
 
 The current set of identity providers can be Microsoft, Google, Facebook, Amazon, or LinkedIn.
 
+In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:
+
+- External Identity Provider Administrator
+
 ## Examples
 
 ### Example 1: Retrieve all identity providers

@@ -46,12 +46,18 @@ Get-EntraBetaSubscribedSku
 
 The `Get-EntraBetaSubscribedSku` cmdlet gets subscribed SKUs to Microsoft services.
 
+In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation:
+
+- Dynamics 365 Business Central Administrator (read-only access to standard properties)  
+- Global Reader  
+- Directory Readers
+
 ## Examples
 
 ### Example 1: Get subscribed SKUs
 
 ```powershell
-Connect-Entra -Scopes 'Organization.Read.All'
+Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All'
 Get-EntraBetaSubscribedSku
 ```
 
@@ -68,7 +74,7 @@ This example demonstrates how to retrieve subscribed SKUs to Microsoft services.
 ### Example 2: Get subscribed SKUs by SubscribedSkuId
 
 ```powershell
-Connect-Entra -Scopes 'Organization.Read.All'
+Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All'
 Get-EntraBetaSubscribedSku -SubscribedSkuId 'aaaaaaaa-0b0b-1c1c-2d2d-333333333333'
 ```
 
@@ -85,7 +91,7 @@ This example demonstrates how to retrieve specified subscribed SKUs to Microsoft
 ### Example 3: Get available license plans
 
 ```powershell
-Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All'
+Connect-Entra -Scopes 'User.ReadWrite.All','Organization.Read.All','LicenseAssignment.Read.All'
 Get-EntraBetaSubscribedSku | Select-Object -Property Sku*, ConsumedUnits -ExpandProperty PrepaidUnits
 ```
 
@@ -105,7 +111,7 @@ This example demonstrates how to retrieve available license plans.
 ### Example 4: Retrieve all users assigned a specific license
 
 ```powershell
-Connect-Entra -Scopes 'Organization.Read.All'
+Connect-Entra -Scopes 'Organization.Read.All','LicenseAssignment.Read.All'
 $sku = Get-EntraBetaSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'DEVELOPERPACK_E5' }
 $skuId = $sku.SkuId
 $usersWithDeveloperPackE5 = Get-EntraBetaUser -All | Where-Object {
@@ -127,7 +133,7 @@ This example demonstrates how to retrieve all users assigned a specific license.
 ### Example 5: Get a list of users, their assigned licenses, and licensing source
 
 ```powershell
-Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All'
+Connect-Entra -Scopes 'Organization.Read.All','User.Read.All','Group.Read.All','LicenseAssignment.Read.All'
 
 # Get all users with specified properties
 $Users = Get-EntraBetaUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName, UserPrincipalName, ObjectId

@@ -36,19 +36,19 @@ New-EntraBetaDirectoryRoleAssignment
 
 The `New-EntraBetaDirectoryRoleAssignment` cmdlet creates a new Microsoft Entra role assignment.
 
+In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are:
+
+- Privileged Role Administrator
+
 ## Examples
 
 ### Example 1: Create a new Microsoft Entra ID role assignment
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory','EntitlementManagement.ReadWrite.All'
-$params = @{
-    RoleDefinitionId = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'
-    PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222'
-    DirectoryScopeId = '/'
- }
-
-New-EntraBetaDirectoryRoleAssignment @params
+$user = Get-EntraBetaUser -UserId '[email protected]'
+$role = Get-EntraBetaDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'"
+New-EntraBetaDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.Id -DirectoryScopeId '/'
 ```
 
 ```Output

@@ -41,22 +41,19 @@ New-EntraBetaDirectoryRoleDefinition
 
 Create a new Microsoft Entra ID roleDefinition object.
 
+In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are:
+
+- Privileged Role Administrator
+
 ## Examples
 
 ### Example 1: Creates a new role definition
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
-$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
-$RolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
-
-$params = @{
-   RolePermissions = $RolePermissions
-   IsEnabled = $false
-   DisplayName = 'MyRoleDefinition'
-}
-
-New-EntraBetaDirectoryRoleDefinition @params
+$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
+$rolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
+New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition'
 ```
 
 ```Output
@@ -77,16 +74,9 @@ This command creates a new role definition in Microsoft Entra ID.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
-$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
-$RolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
-$params = @{
-   RolePermissions = $RolePermissions
-   IsEnabled = $false
-   DisplayName = 'MyRoleDefinition'
-   Description = 'Role Definition demo'
-}
-
-New-EntraBetaDirectoryRoleDefinition @params
+$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
+$rolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
+New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Description 'Role Definition demo'
 ```
 
 ```Output
@@ -108,16 +98,9 @@ This command creates a new role definition with Description parameter.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
-$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
-$RolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
-$params = @{
-   RolePermissions = $RolePermissions
-   IsEnabled = $false
-   DisplayName = 'MyRoleDefinition'
-   ResourceScopes = '/'
-}
-
-New-EntraBetaDirectoryRoleDefinition @params
+$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
+$rolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
+New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -ResourceScopes '/'
 ```
 
 ```Output
@@ -138,16 +121,9 @@ This command creates a new role definition with ResourceScopes parameter.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
-$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
-$RolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
-$params = @{
-   RolePermissions = $RolePermissions
-   IsEnabled = $false
-   DisplayName = 'MyRoleDefinition'
-   TemplateId = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
-}
-
-New-EntraBetaDirectoryRoleDefinition @params
+$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
+$rolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
+New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -TemplateId 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
 ```
 
 ```Output
@@ -168,22 +144,15 @@ This command creates a new role definition with TemplateId parameter.
 
 ```powershell
 Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
-$RolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
-$RolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
-$params = @{
-   RolePermissions = $RolePermissions
-   IsEnabled = $false
-   DisplayName = 'MyRoleDefinition'
-   Version = '2'
-}
-
-New-EntraBetaDirectoryRoleDefinition @params
+$rolePermissions = New-object Microsoft.Open.MSGraph.Model.RolePermission
+$rolePermissions.AllowedResourceActions =  @("microsoft.directory/applications/basic/read")
+New-EntraBetaDirectoryRoleDefinition -RolePermissions $rolePermissions -IsEnabled $false -DisplayName 'MyRoleDefinition' -Version '2'
 ```
 
 ```Output
 DisplayName      Id                                   TemplateId                           Description IsBuiltIn IsEnabled
 -----------      --                                   ----------                           ----------- --------- ---------
-MyRoleDefinition a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 b69d16e9-b3f9-4289-a87f-8f796bd9fa28             False     False
+MyRoleDefinition a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 f2ef992c-3afb-46b9-b7cf-a126ee74c451             False     False
 
 ```
 

@@ -52,7 +52,9 @@ The current set of identity providers can be:
 - Amazon
 - LinkedIn
 
-The work or school account needs to belong to at least the External Identity Provider Administrator Microsoft Entra role.
+In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:
+
+- External Identity Provider Administrator
 
 ## Examples