Functions/New-IntuneAdminRole.ps1
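function New-IntuneAdminRole {
    <#
    .SYNOPSIS
        Creates (or updates) a custom admin role in Intune using the Beta cmdlets.
    .DESCRIPTION
        Looks the role definition up by displayName. When no role with that name
        exists, New-MgBetaDeviceManagementRoleDefinition is called with a payload of
        displayName, description, rolePermissions (resourceActions) and roleScopeTagIds.
        When exactly one role with that name exists, its description and
        rolePermissions are replaced via Update-MgBetaDeviceManagementRoleDefinition.
        Requires an existing Graph connection (Get-MgContext must return a context).
    .PARAMETER RoleName
        Display name of the role. It is used verbatim as the displayName and, with
        single quotes escaped, inside the OData filter used for the lookup.
    .PARAMETER Description
        Description of the role. Defaults to an empty string.
    .PARAMETER AllowedResourceActions
        Resource action strings granted to the role. Exactly what is listed is
        granted; keep it to the minimum the role needs.
    .OUTPUTS
        The role definition returned by the create call when a new role is created;
        nothing on the update path.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$RoleName,
        [Parameter(Mandatory = $false)]
        [string]$Description = "",
        [Parameter(Mandatory = $false)]
        [string[]]$AllowedResourceActions
    )

    # Ensure the user is connected.
    if (-not (Get-MgContext -ErrorAction SilentlyContinue)) {
        Write-Error "You must run Connect-IntuneGraph before calling this function."
        return
    }

    # OData string literals are single-quoted; double any embedded quote so a name
    # such as O'Brien cannot terminate the literal or alter the filter expression.
    $escapedName = $RoleName.Replace("'", "''")
    $filter = "displayName eq '$escapedName'"

    # Look the role up exactly once. A failed lookup must not be mistaken for
    # "does not exist" (which would attempt to create a duplicate), so it is
    # made terminating and surfaced to the caller.
    try {
        $existing = @(Get-MgBetaDeviceManagementRoleDefinition -Filter $filter -ErrorAction Stop)
    }
    catch {
        Write-Error "Error looking up admin role '$RoleName': $_"
        return
    }

    # The same permission block is sent on both the create and the update path.
    $rolePermissions = @(
        @{
            resourceActions = @(
                @{ allowedResourceActions = $AllowedResourceActions }
            )
        }
    )

    if ($existing.Count -eq 0) {
        Write-Host "Creating new admin role: $RoleName" -ForegroundColor Cyan
        $RoleParams = @{
            id              = ""
            displayName     = $RoleName
            description     = $Description
            rolePermissions = $rolePermissions
            roleScopeTagIds = @( "0" )
        }
        try {
            # -ErrorAction Stop: Graph cmdlet errors are non-terminating by default and
            # would otherwise bypass the catch block.
            $result = New-MgBetaDeviceManagementRoleDefinition -BodyParameter $RoleParams -ErrorAction Stop
            Write-Verbose "Role '$RoleName' created with ID: $($result.id)"
            return $result
        }
        catch {
            Write-Error "Error creating admin role: $_"
        }
        return
    }

    # displayName is not unique in Graph; refuse to pick one of several matches.
    if ($existing.Count -gt 1) {
        Write-Error "Multiple role definitions named '$RoleName' exist; refusing to update an ambiguous target."
        return
    }

    # Update role permissions for the existing role definition.
    Write-Host "Role $RoleName already exists, performing update." -ForegroundColor Yellow
    $RoleParams = @{
        description     = $Description
        rolePermissions = $rolePermissions
    }
    try {
        Update-MgBetaDeviceManagementRoleDefinition -RoleDefinitionId $existing[0].Id `
            -BodyParameter $RoleParams -ErrorAction Stop
        Write-Verbose "Role '$RoleName' (ID: $($existing[0].Id)) updated."
    }
    catch {
        Write-Error "Error updating admin role: $_"
    }
}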