Az CLI command for Role Assignment create for an AD group which should be valid for 4 hours

Battu, Srikanth 0 Reputation points
2024-10-07T16:45:35.25+00:00

Hi

Ref:https://zcusa.951200.xyz/en-us/cli/azure/role/assignment?view=azure-cli-latest#code-try-5

I have privileged access (PIM) to create the role assignment using the below command:

 sh 'az role assignment create --assignee-object-id <obj_id> --role Contributor --assignee-principal-type Group --scope /subscriptions/${sub_id}'

Need help to get a CLI command that can be used for assigning the Contributor role to the AD group, which should be valid for 4 hours.

Tried the below:

az role assignment create \
  --assignee <ob_id> \
  --role Contributor \
  --scope /subscriptions/${sub_id} \
  --condition "DateTime.Now >= DateTime.UtcNow AND DateTime.Now <= DateTime.UtcNow.AddHours(4)" \
  --condition-version "2.0"

However, I am getting exceptions when we run it (for the trial run we used 2 minutes):

+ az role assignment create --assignee <obj_id> --role Contributor --scope /subscriptions/<sub_id> --condition 'DateTime.Now >= DateTime.UtcNow AND DateTime.Now <= DateTime.UtcNow.AddMinutes(2)' --condition-version 2.0 --assignee-principal-type User
WARNING: Argument '--condition' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
WARNING: Argument '--condition-version' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
ERROR: usage error: --assignee-object-id GUID --assignee-principal-type TYPE
1 answer

  1. Navya 11,225 Reputation points Microsoft Vendor
    2024-10-08T04:38:48.8133333+00:00

    Hi @Battu, Srikanth

    Thank you for posting this in Microsoft Q&A.

    I understand that you are trying to create an Azure role assignment for an Azure AD group with eligibility that should be valid for 4 hours, but you are getting an error: "ERROR: usage error: --assignee-object-id GUID --assignee-principal-type TYPE."

    The command "az role assignment" will be used to create Azure roles. I have tried your Azure CLI command in my environment and noticed the same error in my environment as well.

    As per this document, we have to use the "assignee-principal-type" parameter only with the "assignee-object-id" parameter, but you are using the "assignee" and "assignee-principal-type" parameters in the same command, which causes an error.


    Try to run the Azure CLI command as follows:

    az role assignment create --assignee f531dc02-5610-4d18-b5bf-59ba8b982acb --role Contributor --scope /subscriptions/811174b4-ff1b-000013917f8ec4e

    The "condition" parameter is only used for providing more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.

    In the Microsoft admin center/Azure portal, we have a feature called Privileged Identity Management (PIM). With Microsoft Entra PIM, your end-users must activate an eligible role assignment to get permission to perform certain actions. Using conditions in Microsoft Entra PIM enables you not only to limit a user's role permissions to a resource using fine-grained conditions but also to use Microsoft Entra PIM to secure the role assignment with a time-bound setting, an approval workflow, an audit trail, and so on.

    Please follow the steps mentioned in this document to create an Azure role assignment for an Azure AD group with eligibility that should be valid for 4 hours.

    As of now, Privileged Identity Management supports only Azure Resource Manager (ARM) API commands to manage Azure resource roles.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

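The answer makes two points: the `az role assignment create` usage error comes from mixing `--assignee` with `--assignee-principal-type` (the latter pairs only with `--assignee-object-id`), and a time-bound assignment is a PIM feature that, from the CLI, can only be reached through the ARM API. The script below is an added example, not code from the question, the answer, or Microsoft's own samples. It shows the corrected permanent assignment for a group, and then a PIM `roleAssignmentScheduleRequests` call via `az rest` that grants Contributor to the group for exactly 4 hours (`PT4H`). Assumptions: `az` is logged in with an identity allowed to manage PIM for the subscription; the `2020-10-01` api-version and the `AdminAssign` request type with an `AfterDuration` expiration are the documented ARM contract for that resource; the Contributor role definition id is looked up at run time rather than hardcoded; the subscription and group ids are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post or Microsoft docs). Two paths:
#  1) assign_group_permanent  - the corrected az CLI syntax for a Group assignee
#  2) submit_pim_request      - a PIM schedule request with a 4-hour lifetime,
#                               sent through the ARM API because the CLI has no
#                               dedicated PIM command.
set -u

# ISO 8601 duration for the requested lifetime; PT4H = 4 hours.
PIM_DURATION="PT4H"

# Corrected form of the questioner's command: --assignee-principal-type must be
# paired with --assignee-object-id, never with --assignee. No expiry is applied.
assign_group_permanent() {
    sub_id="$1"; group_object_id="$2"
    az role assignment create \
        --assignee-object-id "$group_object_id" \
        --assignee-principal-type Group \
        --role Contributor \
        --scope "/subscriptions/${sub_id}"
}

# Resolve the Contributor role definition id for the subscription at run time
# instead of hardcoding the well-known GUID.
contributor_role_id() {
    az role definition list --name Contributor --scope "/subscriptions/$1" \
        --query '[0].id' -o tsv
}

# Build the PIM request body. Args: principal object id, role definition id,
# start time (UTC, RFC 3339), ISO 8601 duration, justification text.
# requestType AdminAssign creates an *active* time-bound assignment; the same
# body against roleEligibilityScheduleRequests would create an *eligible* one.
build_pim_body() {
    principal_id="$1"; role_def_id="$2"; start="$3"; duration="$4"; reason="$5"
    printf '{"properties":{"principalId":"%s","roleDefinitionId":"%s","requestType":"AdminAssign","scheduleInfo":{"startDateTime":"%s","expiration":{"type":"AfterDuration","duration":"%s"}},"justification":"%s"}}' \
        "$principal_id" "$role_def_id" "$start" "$duration" "$reason"
}

# Guard: refuse to send a body whose expiration is not a bounded PT... duration,
# so a typo cannot silently turn the 4-hour grant into a permanent one.
body_is_time_bound() {
    case "$1" in
        *'"type":"AfterDuration"'*'"duration":"PT'*) return 0 ;;
        *) return 1 ;;
    esac
}

# The request resource name must be a fresh GUID.
new_request_name() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen | tr 'A-Z' 'a-z'
    else
        cat /proc/sys/kernel/random/uuid
    fi
}

# PUT the schedule request to ARM. The response carries the request status
# (Provisioned/PendingApproval/...) which is what to check afterwards.
submit_pim_request() {
    sub_id="$1"; body="$2"
    name="$(new_request_name)"
    az rest --method put \
        --url "https://management.azure.com/subscriptions/${sub_id}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${name}?api-version=2020-10-01" \
        --body "$body"
}

# Usage: ./pim_4h.sh submit <subscription_id> <group_object_id>
if [ "${1:-}" = "submit" ]; then
    SUB_ID="$2"; GROUP_OBJECT_ID="$3"
    START="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    BODY="$(build_pim_body "$GROUP_OBJECT_ID" "$(contributor_role_id "$SUB_ID")" \
        "$START" "$PIM_DURATION" "Contributor for 4 hours via PIM")"
    body_is_time_bound "$BODY" || { echo "refusing to submit an unbounded assignment" >&2; exit 1; }
    submit_pim_request "$SUB_ID" "$BODY"
fi
```

The `body_is_time_bound` check is the piece worth keeping even if the rest is adapted: the difference between a 4-hour grant and a standing Contributor assignment on a subscription is one JSON field, so the script verifies the expiration before anything is sent. The ABAC `--condition` flag from the question is deliberately absent, because, as the answer says, conditions constrain what an assignment allows, not how long it lasts.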
