Set-AzRoleAssignment

Update an existing Role Assignment.

Depending on the input parameters, the cmdlet may call the following Microsoft Graph APIs:

  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /groups/{id}
  • GET /directoryObjects/{id}
  • POST /directoryObjects/getByIds

Note that this cmdlet marks ObjectType as Unknown in the output if the object of the role assignment is not found or the current account has insufficient privileges to get the object type.

Syntax

RoleAssignmentParameterSet (Default)

Set-AzRoleAssignment
 -InputObject <PSRoleAssignment>
 [-SkipClientSideScopeValidation]
 [-PassThru]
 [-DefaultProfile <IAzureContextContainer>]
 [-WhatIf]
 [-Confirm]
 [<CommonParameters>]

InputFileParameterSet

Set-AzRoleAssignment
 -InputFile <String>
 [-SkipClientSideScopeValidation]
 [-PassThru]
 [-DefaultProfile <IAzureContextContainer>]
 [-WhatIf]
 [-Confirm]
 [<CommonParameters>]

Description

Use the Set-AzRoleAssignment command to modify an existing role assignment. The description can be any valid string; use it to tell assignments apart. If Condition is set, Condition Version has to be set as well, although this is not necessary when you are updating an existing Condition. Condition Version can be upgraded from 1.0 to 2.0, but it cannot be downgraded afterwards. Be cautious, as 2.0 is not backward compatible with 1.0.

Examples

Example 1

$ConditionVersion = "2.0"
$Description = "This is a new role assignment for John"
$Condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'"

$roleAssignment = Get-AzRoleAssignment -Scope "/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg" -PrincipalId "0c0f6cdc-90dd-4664-83c0-a0d986c4c604"
$roleAssignment.Description = $Description
$roleAssignment.Condition = $Condition
$roleAssignment.ConditionVersion = $ConditionVersion

Set-AzRoleAssignment -InputObject $roleAssignment -PassThru

RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/1273adef-00a3-4086-a51a-dbcce1857d36/providers/Microsoft.Authorization/roleAssignments/926c2a76-be19-4281-94de-38777629b9dc
Scope              : /subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg
DisplayName        : John Doe
SignInName         : John.Doe@Contoso.com
RoleDefinitionName : Owner
RoleDefinitionId   : 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
ObjectId           : 0c0f6cdc-90dd-4664-83c0-a0d986c4c604
ObjectType         : User
CanDelegate        : False
Description        : This is a new role assignment for John
ConditionVersion   : 2.0
Condition          : @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'

Update an existing role assignment by modifying an object

Example 2

Set-AzRoleAssignment -InputFile "C:\RoleAssignments\example.json" -PassThru

RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/1273adef-00a3-4086-a51a-dbcce1857d36/providers/Microsoft.Authorization/roleAssignments/926c2a76-be19-4281-94de-38777629b9dc
Scope              : /subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourceGroups/contoso_rg
DisplayName        : John Doe
SignInName         : John.Doe@Contoso.com
RoleDefinitionName : Owner
RoleDefinitionId   : 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
ObjectId           : 0c0f6cdc-90dd-4664-83c0-a0d986c4c604
ObjectType         : User
CanDelegate        : False
Description        : This is a new role assignment for John
ConditionVersion   : 2.0
Condition          : @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'

Update an existing role assignment by using a file
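
A pre-flight check for the rules stated above (Condition Version handling and the Unknown ObjectType case), given here as an added example that is not part of the original page or of Az.Resources. Test-RoleAssignmentChange and the backup file name are hypothetical, the sample objects are constructed, and the missing-version check reflects one reading of the Description text.

```powershell
# Hypothetical helper (not an Az.Resources cmdlet): compares the stored
# assignment with the edited copy and returns a list of blocking issues.
function Test-RoleAssignmentChange {
    param(
        [Parameter(Mandatory)] $Current,   # as returned by Get-AzRoleAssignment
        [Parameter(Mandatory)] $Proposed   # same assignment with edited properties
    )
    $issues = @()

    # Assumption: adding a condition where none existed needs an explicit version;
    # updating an existing condition may leave the version untouched.
    if ($Proposed.Condition -and -not $Current.Condition -and -not $Proposed.ConditionVersion) {
        $issues += 'Condition is being added but ConditionVersion is not set.'
    }

    # 1.0 -> 2.0 is allowed; going back is not.
    if ($Current.ConditionVersion -and $Proposed.ConditionVersion -and
        ([version]$Proposed.ConditionVersion -lt [version]$Current.ConditionVersion)) {
        $issues += "ConditionVersion downgrade $($Current.ConditionVersion) -> $($Proposed.ConditionVersion)."
    }

    # Unknown: principal not found, or the caller cannot read it from Microsoft Graph.
    if ($Current.ObjectType -eq 'Unknown') {
        $issues += "Principal $($Current.ObjectId) has ObjectType Unknown; resolve it before editing."
    }
    return $issues
}

# Constructed sample objects so the check runs offline. In a live session,
# $current comes from Get-AzRoleAssignment -Scope ... -PrincipalId ... as in
# Example 1, and $proposed is the edited PSRoleAssignment.
$current = [pscustomobject]@{
    ObjectId = '0c0f6cdc-90dd-4664-83c0-a0d986c4c604'; ObjectType = 'User'
    Description = $null; Condition = $null; ConditionVersion = $null
}
$proposed = $current.PSObject.Copy()
$proposed.Condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:Path] StringEqualsIgnoreCase 'foo_storage_container'"

$problems = @(Test-RoleAssignmentChange -Current $current -Proposed $proposed)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    # Live session only: keep a record of the prior state, then preview the change.
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path '.\roleassignment-before.json'
    Set-AzRoleAssignment -InputObject $proposed -WhatIf   # rerun without -WhatIf to apply
}
```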

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf


-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential


-InputFile

File name containing a single role definition.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False


-InputObject

Role Assignment.

Parameter properties

Type:PSRoleAssignment
Default value:None
Supports wildcards:False
DontShow:False


-PassThru

If specified, displays the updated role assignment.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False


-SkipClientSideScopeValidation

If specified, skips client-side scope validation.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False


-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi


CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

PSRoleAssignment

Outputs

PSRoleAssignment

