How to assign roles to user in O365

This article explains how to assign roles to a user in O365.

Assign roles to user in O365

Azure role-based access control has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. Note that the roles you assign from the Microsoft 365 admin center are Microsoft Entra (directory) roles and service-specific roles for Exchange and Billing, which govern the directory and Microsoft 365 services rather than Azure resources.

Let's see step by step how to assign roles to a user in O365.

Open the admin portal: https://admin.microsoft.com/

Navigate to Roles -> Role assignments

Many different roles are listed under Microsoft Entra ID, Exchange and Billing that you can assign to a user in O365.

We will walk through one role, e.g. "Global Reader"; the same steps apply to every role listed in the portal.

Click on Global Reader -> under the General tab you can see "Who should be assigned this role?"

From the Assigned tab you can actually assign the role to a user in O365, like this:

Now user "admin" can view admin features and settings in all admin centers that the Global admin can view, but can't edit any settings.

Under the Permissions tab you can see what kind of permissions are granted to the admin who is now a Global Reader.

Similarly, you can assign different roles to different users as per the ask/requirement of management.

Please read the General tab of a role carefully and only then assign that role.

You can manage roles from here (see the snippet below).


PowerShell script for the above manual task

# =========================================
# Script: Manage Role Assignments in O365
# Author: Micro brother
# =========================================

# Connect to Microsoft Graph with the scopes needed to read and change
# directory role membership
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Directory.ReadWrite.All"
# Select-MgProfile -Name "beta" only exists in Microsoft Graph PowerShell SDK v1.x
# and was removed in v2. Everything below uses the v1.0 endpoint, so it is not needed.

# -------------------------------
# Function: List available roles
# -------------------------------
function Get-AvailableRoles {
    Write-Host "Fetching available roles..."
    # Role templates exist for every role, whether or not it has been activated yet
    Get-MgDirectoryRoleTemplate -All | Select-Object DisplayName, Id
}

# -------------------------------
# Function: Enable a role (if not active)
# -------------------------------
function Enable-DirectoryRole {
    param (
        [Parameter(Mandatory = $true)]
        [string]$RoleTemplateId
    )

    try {
        # Get-MgDirectoryRole only returns roles that have already been activated
        $role = Get-MgDirectoryRole -All -ErrorAction Stop | Where-Object { $_.RoleTemplateId -eq $RoleTemplateId }
        if (-not $role) {
            Enable-MgDirectoryRole -DirectoryRoleTemplateId $RoleTemplateId -ErrorAction Stop | Out-Null
            Write-Host "Role with TemplateId $RoleTemplateId has been enabled."
        }
        else {
            Write-Host "Role '$($role.DisplayName)' is already enabled."
        }
    }
    catch {
        Write-Host "Error enabling role: $_"
    }
}

# -------------------------------
# Function: Assign role to a user
# -------------------------------
function Assign-RoleToUser {
    param (
        [Parameter(Mandatory = $true)]
        [string]$RoleName,

        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    try {
        $role = Get-MgDirectoryRole -All -ErrorAction Stop | Where-Object { $_.DisplayName -eq $RoleName }
        if (-not $role) {
            Write-Host "Role '$RoleName' is not active. Please enable it first."
            return
        }

        # -UserId accepts either the object id or the UPN
        $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop
        # Membership is added by reference to the user's directoryObject
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -ErrorAction Stop `
            -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
        Write-Host "Role '$RoleName' assigned to user $UserPrincipalName."
    }
    catch {
        Write-Host "Error assigning role: $_"
    }
}

# -------------------------------
# Function: Remove role from a user
# -------------------------------
function Remove-RoleFromUser {
    param (
        [Parameter(Mandatory = $true)]
        [string]$RoleName,

        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    try {
        $role = Get-MgDirectoryRole -All -ErrorAction Stop | Where-Object { $_.DisplayName -eq $RoleName }
        if (-not $role) {
            Write-Host "Role '$RoleName' is not active, so nobody holds it."
            return
        }

        $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        Write-Host "Role '$RoleName' removed from user $UserPrincipalName."
    }
    catch {
        Write-Host "Error removing role: $_"
    }
}

# -------------------------------
# Example Usage
# -------------------------------
# List all roles
Get-AvailableRoles

# Enable Global Administrator role if not active (template id of Global Administrator)
#Enable-DirectoryRole -RoleTemplateId "62e90394-69f5-4237-9190-012177145e10"

# Assign Global Reader to a user
#Assign-RoleToUser -RoleName "Global Reader" -UserPrincipalName "user1@yourdomain.com"

# Remove Global Reader from a user
#Remove-RoleFromUser -RoleName "Global Reader" -UserPrincipalName "user1@yourdomain.com"
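A check worth running beside the script above, as an added example that is not part of the original post: it reports who currently holds each role, so you can confirm an assignment took effect and spot privileged roles with more holders than expected. It assumes an existing Connect-MgGraph session with the scopes used above; the role list and the holder threshold are assumed values.

```powershell
# Added example: report current holders of one or more directory roles.
# Assumes Connect-MgGraph has already been run with at least
# RoleManagement.ReadWrite.Directory (read is sufficient for this function).
function Get-RoleMemberReport {
    param (
        [Parameter(Mandatory = $true)]
        [string[]]$RoleName,

        # Assumed threshold: warn when a role has more holders than this
        [int]$MaxMembers = 4
    )

    # Only activated roles are returned here; a never-enabled role has no members
    $activeRoles = Get-MgDirectoryRole -All -ErrorAction Stop

    foreach ($name in $RoleName) {
        $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
        if (-not $role) {
            [PSCustomObject]@{ Role = $name; Member = $null; Type = 'role not activated' }
            continue
        }

        $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All -ErrorAction Stop)
        if ($members.Count -gt $MaxMembers) {
            Write-Warning "'$name' has $($members.Count) holders (threshold $MaxMembers); review for least privilege."
        }

        foreach ($m in $members) {
            # Members come back as generic directoryObjects; the concrete type,
            # UPN (users) or displayName (groups/service principals) sit in AdditionalProperties
            $props = $m.AdditionalProperties
            $label = $m.Id
            if ($props.ContainsKey('userPrincipalName')) { $label = $props['userPrincipalName'] }
            elseif ($props.ContainsKey('displayName'))   { $label = $props['displayName'] }

            $type = 'unknown'
            if ($props.ContainsKey('@odata.type')) { $type = $props['@odata.type'] -replace '^#microsoft\.graph\.', '' }

            [PSCustomObject]@{ Role = $name; Member = $label; Type = $type }
        }
    }
}

# Usage: snapshot before and after assigning Global Reader (assumed role list)
Get-RoleMemberReport -RoleName 'Global Reader', 'Global Administrator' | Format-Table -AutoSize
```

Run it once before and once after Assign-RoleToUser: the new UPN should appear under the expected role and nowhere else.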

Conclusion:

After reading the above article, the reader will be able to assign roles to a user in O365.

You can also read this article, https://microbrother.com/how-to-delete-and-restore-groups-in-o365/, to learn how to delete and restore groups in O365.


Thank you ☺️
