From 5453ed1b172f0087cf837938ee70f19c6571902b Mon Sep 17 00:00:00 2001
From: Yaniv Shasha
Date: Sat, 14 Aug 2021 22:11:08 +0300
Subject: [PATCH] Update readme.md
---
 Playbooks/Reset-AADUserPassword/readme.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Playbooks/Reset-AADUserPassword/readme.md b/Playbooks/Reset-AADUserPassword/readme.md
index f6f96347b5..435f9dc600 100644
--- a/Playbooks/Reset-AADUserPassword/readme.md
+++ b/Playbooks/Reset-AADUserPassword/readme.md
@@ -30,11 +30,19 @@ $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
 $GraphAppId = "00000003-0000-0000-c000-000000000000"
 $PermissionName = "User.ReadWrite.All"
+$roleName="Password Administrator"
 $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
 $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
 New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
 -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
+$role = Get-AzureADDirectoryRole | Where {$_.displayName -eq $roleName}
+if ($role -eq $null) {
+$roleTemplate = Get-AzureADDirectoryRoleTemplate | Where {$_.displayName -eq $roleName}
+Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
+$role = Get-AzureADDirectoryRole | Where {$_.displayName -eq $roleName}
+}
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $MI.ObjectID
 ```
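Review bot: The added lines grant the managed identity the `Password Administrator` directory role with no guard on the lookups that feed the assignment: if `Get-AzureADDirectoryRoleTemplate` returns nothing (a typo in `$roleName`, or a tenant where the template's display name differs), `Enable-AzureADDirectoryRole` is called with an empty `-RoleTemplateId` and `Add-AzureADDirectoryRoleMember` then runs with an empty `-ObjectId`, failing with an unrelated error; add `if ($null -eq $roleTemplate) { throw "Role template '$roleName' not found" }` before the Enable call, and write the existing test as `if ($null -eq $role)` so a multi-element result is not misread by the left-hand `$null` comparison. Because this is standing app-only privilege on top of the `User.ReadWrite.All` grant a few lines above, the readme should say why both are needed — presumably because a Graph `passwordProfile` update requires a directory role in addition to the application permission — and that anyone who can edit the playbook's workflow inherits the ability to reset passwords of non-admin users. Password Administrator cannot reset passwords of users who hold admin roles, so a one-line caveat that the playbook will fail for those accounts would save operators a confusing error. Re-running the snippet will also error on `Add-AzureADDirectoryRoleMember` if the identity is already a member, so a membership check before the Add would make the setup idempotent.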