Can't assign Directory Readers role to managed identity using Az PowerShell: "Role Not Found" Error
I'm working on connecting to Microsoft Graph using a User Managed Identity (UMI). I've already created the managed identity in the Azure portal, but now I need to assign Directory Readers role to this identity using PowerShell to retrieve directory objects information.
I tried using New-AzRoleAssignment -ObjectId 'xxxxxxxxx' -RoleDefinitionName "Directory Reader" -Scope '/' but it's failing with New-AzRoleAssignment: Cannot find role definition with name 'Directory Readers' error
The Directory Readers role is visible in the Azure portal and can be assigned manually, but it’s not found in PowerShell.
How can the Directory Readers role be assigned to a managed identity using Az PowerShell? Is this possible, or is something being overlooked?
Note that, New-AzRoleAssignment cmdlet is used for Azure RBAC roles but "Directory Readers" is Microsoft Entra Role.
Initially, I too got same error when I ran your command in my environment like this:
New-AzRoleAssignment -ObjectId 'msiID' -RoleDefinitionName "Directory Reader" -Scope '/'
Response:
To resolve the error, switch to Microsoft Graph PowerShell module by running below commands to assign "Directory Readers" role to managed identity service principal:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Directory Readers'"
$managedIdentity = Get-MgServicePrincipal -Filter "DisplayName eq 'msiname'"
New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $managedIdentity.Id
Response:
To confirm that, I checked the same in Portal where "Directory Readers" role assigned successfully to managed identity service principal like this:
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages
- Adding custom headers to Azure Functions response
- Azure Queue Trigger is hit but not executing the logic inside of it
- az cli not showing redisenterprise keys
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- Azure Devops Server Pipelines: Any way to have a Stage result as "Succeeded" even if a constituent Job reported "SucceededWithIssues"?
- YAML strings including special characters % and & were not printed correctly for Windows environment
- Azure function returns error: No job functions found. Try making your job classes and methods public
- How to view Oldest Query results in Azure Monitor Metrics for an Azure PostgreSQL Flex Server instance
- Authenticate to Azure with certificate from Linux
- What are the minimum Azure permissions required to publish a Power BI report using "App Owns the Data"?
- How to report an Azure Text-to-Speech bug?
- Refresh an Azure search index
- Best way to clean up resources in StatefulService