Enable-EntraDirectoryRole

Enable-EntraDirectoryRole

    [-RoleTemplateId <String>]
    [<CommonParameters>]

The Enable-EntraDirectoryRole cmdlet activates an existing directory role in Microsoft Entra ID.

The Company Administrators and the default user directory roles (User, Guest User, and Restricted Guest User) are activated by default. To access and assign members to other directory roles, you must first activate them using their corresponding directory role template ID.

In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are:

• Privileged Role Administrator

Connect-Entra -Scopes 'RoleManagement.ReadWrite.Directory'
$guestRole = Get-EntraDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq 'Guest Inviter'}
Enable-EntraDirectoryRole -RoleTemplateId $guestRole.Id

DeletedDateTime Id                                   Description                                      DisplayName   RoleTemplateId
--------------- --                                   -----------                                      -----------   --------------
                b5baa59b-86ab-4053-ac3a-0396116d1924 Guest Inviter has access to invite guest users.  Guest Inviter 92ed04bf-c94a-4b82-9729-b799a7a4c178

The example shows how to enable the directory role.

You can use Get-EntraDirectoryRoleTemplate to fetch a specific directory role to activate.

• RoleTemplateId parameter specifies the ID of the role template to enable.

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

• For additional details see Activate directoryRole.