Azure AD application with Global Administrator rights

So I am trying to set up an application on Azure AD that, among other things, can delete users.

I have registered the application and obtained an access token using the client ID and secret.

I was able to grant the application permission to create users and that works fine, but when I delete via the Graph API I get 403 Insufficient privileges to complete the operation.

I am trying this on the Graph REST API. The user I am trying to delete was also created through a REST call. The user is in the same tenant as the application, so I am not trying to delete users across multiple tenants.

It seems that what I need to do is grant the application Global Administrator or Company Administrator rights, but I am wondering where and how to do this.

Any help would be appreciated.

See my answer.

You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.

Note that this will only affect the access your app has in your tenant.

Also you must already be a Company Administrator of the tenant to follow these instructions.

In order to make the change, you will need to install the Azure Active Directory PowerShell Module.

Once you have the module installed, authenticate to your tenant with your Administrator Account:

Connect-MSOLService

Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.

Search for Service Principal by App ID GUID:

$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>

Search for Directory Role by Name

$role = Get-MsolRole -RoleName "Company Administrator"

Now we can use the Add-MsolRoleMember command to add this role to the service principal.

Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

To check everything is working, let's get back all the members of the Company Administrator role:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.

Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.

Let me know if that helps!

Update:

The answer above has been updated to use Azure Active Directory V2 PowerShell

If you don't have the AzureAD module already installed you will need to install it. See Azure Active Directory PowerShell Module Version for Graph for Azure AD administrative tasks for more info about the module or simply run:

Install-Module AzureAD

Once you have the module installed, authenticate to your tenant with your Administrator Account:

Connect-AzureAD

Then we need to get the Service Principal we want to elevate, and the Company Administrator Role for your tenant.

$sp = Get-AzureADServicePrincipal | Where DisplayName -eq '<service-principal-name>'

Search for Directory Role by Name

$role = Get-AzureADDirectoryRole | Where DisplayName -eq 'Company Administrator'

Now we can use the Add-AzureADDirectoryRoleMember command to add this role to the service principal.

Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

To check everything is working, let's get back all the members of the Company Administrator role:

Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

You should see your application in that list, where DisplayName is the name of your application.

Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed in, using the Client Credential Flow.
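Because the answer notes that the same steps work for any directory role, here is an added example (not code from the answer above) that wraps the role assignment in a function taking the role name as a parameter, so an app that only needs to delete users can be given a narrower role than Company Administrator, and that audits which service principals currently hold directory roles. It assumes the AzureAD module and an existing Connect-AzureAD session; the app ID is a placeholder, and 'User Administrator' is assumed to be the least-privileged role that can delete users in your tenant.

```powershell
# Added example, not part of the original answer. Assumes Connect-AzureAD has
# already been run by a Company Administrator.

function Grant-DirectoryRoleToApp {
    param(
        [Parameter(Mandatory)] [string] $AppId,      # application (client) ID GUID, placeholder
        [string] $RoleName = 'User Administrator'    # assumed narrowest role that can delete users
    )
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for app ID $AppId" }

    # Get-AzureADDirectoryRole only returns roles already activated in the tenant;
    # a role that has never been used must first be enabled from its template.
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
        if (-not $template) { throw "No directory role template named '$RoleName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }

    # Idempotent: do not add the service principal a second time.
    $already = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object ObjectId -eq $sp.ObjectId
    if ($already) {
        Write-Verbose "$($sp.DisplayName) is already a member of $RoleName"
        return $role
    }

    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    return $role
}

function Get-PrivilegedServicePrincipals {
    # Lists every service principal that is a direct member of any activated
    # directory role; Company Administrator members are the ones to review first.
    foreach ($role in Get-AzureADDirectoryRole) {
        Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
            Where-Object ObjectType -eq 'ServicePrincipal' |
            ForEach-Object {
                [pscustomobject]@{
                    Role          = $role.DisplayName
                    AppName       = $_.DisplayName
                    ObjectId      = $_.ObjectId
                    IsGlobalAdmin = ($role.DisplayName -eq 'Company Administrator')
                }
            }
    }
}

# Example usage with a placeholder app ID:
# Grant-DirectoryRoleToApp -AppId '<App ID GUID>' -RoleName 'User Administrator'
# Get-PrivilegedServicePrincipals | Sort-Object IsGlobalAdmin -Descending | Format-Table
```

Running Get-PrivilegedServicePrincipals periodically gives you a quick view of which applications have been elevated this way, so an app that was granted Company Administrator for a one-off task does not keep that level of access unnoticed.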