Recipe · Entra ID & Identity

Assign an Entra ID Directory Role to a User via Microsoft Graph

Grant administrative privileges by assigning a built-in directory role such as Cloud Application Administrator to a user account

Complexity

Intermediate

Impact

security + access-control + privileged-access + identity

Context

Why This Matters

Directory roles in Microsoft Entra ID (formerly Azure AD) grant users administrative privileges over specific parts of your tenant, from managing applications to resetting passwords to full Global Administrator control. Assigning the right role (and no more) is the cornerstone of least-privilege administration.

This recipe walks through assigning a built-in directory role to a user using Microsoft Graph, covering the full workflow: finding the user, locating the role definition, checking for existing assignments, and making the assignment.

When to run this

  • Onboarding a new admin or delegating specific administrative duties
  • Granting time-limited elevated access for a project (consider PIM for this)
  • Automating role provisioning as part of a broader identity lifecycle workflow
  • Replacing ad-hoc Global Admin grants with scoped roles (e.g., Cloud Application Administrator instead)

Expected Outcomes

What you'll have when you're done

  • The target user holds the specified directory role, scoped directory-wide (/) by default
  • A unifiedRoleAssignment object in Entra ID recording the assignment (visible in the audit log)
  • Effective permissions typically take 5–15 minutes to propagate; the user may need to sign out and back in
  • The assignment is visible in Entra admin center → Roles and administrators → [Role] → Assignments

Risks & Considerations

Warnings and gotchas

  • Least privilege first. Do not reach for Global Administrator. Built-in roles like Cloud Application Administrator, User Administrator, or Helpdesk Administrator cover most delegation needs.
  • Permanent vs. eligible. The roleAssignments endpoint creates a permanent (active) assignment. For sensitive roles, use Privileged Identity Management (PIM) to create eligible assignments that require just-in-time activation, MFA, and approval.
  • MFA enforcement. Entra ID now requires MFA for admin portal access. Ensure the target user has a strong authentication method registered before they try to use their new privileges.
  • Audit everything. Role assignments are high-signal events. Confirm your tenant logs these to a SIEM and alerts on unexpected changes.
  • Do NOT share admin accounts, assign roles to service accounts without a clear justification, or leave standing Global Admin assignments for humans.

Required Permissions

Permission and why it's needed:

  • RoleManagement.ReadWrite.Directory: required to create role assignments via the roleManagement/directory endpoint
  • User.Read.All: required to look up the target user by display name or UPN
  • Directory.Read.All: required to enumerate role definitions and existing assignments
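The four-step workflow (find the user, find the role definition, check for an existing assignment, create the unifiedRoleAssignment at tenant scope and read it back) as an added, runnable example. This is not Dex's code or Microsoft's; the Graph v1.0 paths, OData filters and request body are the documented shapes, while the HTTP transport is injected so the same logic runs offline against a constructed in-memory tenant (the FakeTenant class, with made-up IDs and UPNs). The Global Administrator guard reflects the warning above: standing GA assignments are refused unless explicitly allowed.

```python
"""Assign a built-in Entra ID directory role to a user via Microsoft Graph.

Added example (not part of the original recipe). Real Graph endpoints and
body shapes; transport is injected so it can run against a fake tenant.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# transport(method, url, json_body_or_None) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Optional[dict]], tuple[int, dict]]


def urllib_transport(access_token: str) -> Transport:
    """Real transport. The token must carry RoleManagement.ReadWrite.Directory,
    User.Read.All and Directory.Read.All (see the permissions list above)."""
    def send(method: str, url: str, body: Optional[dict]) -> tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    return send


def _odata_str(value: str) -> str:
    # OData string literal: embedded single quotes are doubled, so a UPN or
    # role name containing a quote cannot break out of the $filter expression
    return "'" + value.replace("'", "''") + "'"


class RoleAssigner:
    def __init__(self, transport: Transport):
        self.send = transport

    def _list(self, path: str, flt: str, select: str) -> list[dict]:
        qs = urllib.parse.urlencode({"$filter": flt, "$select": select})
        status, body = self.send("GET", f"{GRAPH}{path}?{qs}", None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: {status} {body}")
        return body.get("value", [])

    def find_user(self, upn: str) -> dict:
        users = self._list("/users", f"userPrincipalName eq {_odata_str(upn)}",
                           "id,userPrincipalName")
        if len(users) != 1:  # refuse to guess between zero or several matches
            raise LookupError(f"expected exactly one user for {upn}, got {len(users)}")
        return users[0]

    def find_role(self, display_name: str) -> dict:
        roles = self._list("/roleManagement/directory/roleDefinitions",
                           f"displayName eq {_odata_str(display_name)}",
                           "id,displayName,isBuiltIn")
        if len(roles) != 1:
            raise LookupError(f"expected exactly one role named {display_name!r}")
        return roles[0]

    def existing_assignments(self, principal_id: str, role_def_id: str) -> list[dict]:
        flt = (f"principalId eq {_odata_str(principal_id)} and "
               f"roleDefinitionId eq {_odata_str(role_def_id)}")
        return self._list("/roleManagement/directory/roleAssignments", flt,
                          "id,directoryScopeId")

    def assign(self, upn: str, role_name: str, scope: str = "/",
               allow_global_admin: bool = False) -> dict:
        if role_name == "Global Administrator" and not allow_global_admin:
            raise PermissionError("standing Global Administrator assignment refused; "
                                  "use a scoped role or a PIM eligible assignment")
        user, role = self.find_user(upn), self.find_role(role_name)
        held = [a for a in self.existing_assignments(user["id"], role["id"])
                if a.get("directoryScopeId") == scope]
        if held:  # idempotent: do not create a duplicate assignment
            return {"status": "already_assigned", "assignmentId": held[0]["id"]}
        body = {"@odata.type": "#microsoft.graph.unifiedRoleAssignment",
                "principalId": user["id"], "roleDefinitionId": role["id"],
                "directoryScopeId": scope}
        status, created = self.send(
            "POST", f"{GRAPH}/roleManagement/directory/roleAssignments", body)
        if status != 201:
            raise RuntimeError(f"assignment failed: {status} {created}")
        # Confirm the assignment was actually recorded before reporting success
        if not any(a["id"] == created["id"]
                   for a in self.existing_assignments(user["id"], role["id"])):
            raise RuntimeError("assignment not visible on read-back")
        return {"status": "created", "assignmentId": created["id"]}


class FakeTenant:
    """In-memory stand-in for Graph. All IDs and UPNs here are constructed."""
    def __init__(self):
        self.users = [{"id": "0000aaaa-0000-0000-0000-000000000001",
                       "userPrincipalName": "alice@contoso.example"}]
        self.roles = [{"id": "role-cloud-app-admin", "isBuiltIn": True,
                       "displayName": "Cloud Application Administrator"},
                      {"id": "role-global-admin", "isBuiltIn": True,
                       "displayName": "Global Administrator"}]
        self.assignments: list[dict] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> tuple[int, dict]:
        parts = urllib.parse.urlsplit(url)
        path = parts.path.removeprefix("/v1.0")
        if method == "POST" and path == "/roleManagement/directory/roleAssignments":
            rec = {"id": f"assignment-{len(self.assignments) + 1}",
                   **{k: body[k] for k in ("principalId", "roleDefinitionId", "directoryScopeId")}}
            self.assignments.append(rec)
            return 201, rec
        table = {"/users": self.users,
                 "/roleManagement/directory/roleDefinitions": self.roles,
                 "/roleManagement/directory/roleAssignments": self.assignments}.get(path)
        if table is None:
            return 404, {"error": "unknown path"}
        flt = urllib.parse.parse_qs(parts.query).get("$filter", [""])[0]
        conds = re.findall(r"(\w+) eq '((?:[^']|'')*)'", flt)  # "field eq 'value'" pairs
        rows = [r for r in table
                if all(str(r.get(k)) == v.replace("''", "'") for k, v in conds)]
        return 200, {"value": rows}


if __name__ == "__main__":
    assigner = RoleAssigner(FakeTenant())  # swap in urllib_transport(token) for a real tenant
    print(assigner.assign("alice@contoso.example", "Cloud Application Administrator"))
```

Running it twice for the same user and role returns `already_assigned` the second time, which is the behaviour you want from provisioning automation that may be re-run.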

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Assign the {role_name} directory role to {user_upn}. Verify they don't already hold it, create an active assignment at tenant scope, and confirm the assignment was recorded.