Azure AD application with Global Administrator rights
So I'm trying to set up an application on Azure AD that, among other things, can delete users.
I've registered the application and I'm obtaining an access token using the client ID and secret.
I was able to grant the application permission to create users and that works fine, but when I delete on the Graph API I get 403 Insufficient privileges to complete the operation.
I'm trying this on the Graph REST API. The user I'm trying to delete was also created through a REST call. The user is in the same tenant as the application, so I'm not trying to delete users across multiple tenants.
It seems what I need to do is grant the application Global Administrator or Company Administrator rights, but I'm wondering where and how to do this.
Any help would be appreciated.
See my answer.
You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure Active Directory PowerShell Module.
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember command to add this role to the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
To check everything is working, let's get back all the members of the Company Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed in, using the Client Credential Flow.
Let me know if this helps!
Update:
The answer above has been updated to use Azure Active Directory V2 PowerShell.
If you don't have the AzureAD module already installed you will need to install it. See Azure Active Directory PowerShell Module Version for Graph for Azure AD administrative tasks for more info about the module or simply run:
Install-Module AzureAD
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-AzureAD
Then we need to get the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by display name (AzureAD module cmdlet; its objects expose the identifier as ObjectId):
$sp = Get-AzureADServicePrincipal | Where DisplayName -eq '<service-principal-name>'
Search for Directory Role by Name
$role = Get-AzureADDirectoryRole | Where DisplayName -eq 'Company Administrator'
Now we can use the Add-AzureADDirectoryRoleMember command to add this role to the service principal.
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
To check everything is working, let's get back all the members of the Company Administrator role:
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
You should see your application in that list, where DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed in, using the Client Credential Flow.
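Because a service principal in the Company Administrator role is a non-interactive identity with tenant-wide rights, a practitioner will want to audit which applications hold any activated directory role. The following script is an added example, not part of the answer above; it assumes the AzureAD module is installed and Connect-AzureAD has already been run, and the role names in $HighRiskRoles are an assumption about which roles to flag.

```powershell
# Added audit example (not from the original answer): list every service principal
# that is a member of an activated directory role, flagging high-privilege roles.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already succeeded.
function Get-ServicePrincipalRoleAssignments {
    [CmdletBinding()]
    param(
        # Roles whose service-principal members should be flagged (assumed list).
        [string[]] $HighRiskRoles = @('Company Administrator', 'Global Administrator')
    )

    # Get-AzureADDirectoryRole returns only roles that have been activated in the tenant.
    foreach ($role in Get-AzureADDirectoryRole) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        foreach ($member in $members) {
            # Member objects carry ObjectType: 'User', 'Group' or 'ServicePrincipal'.
            if ($member.ObjectType -ne 'ServicePrincipal') { continue }
            [pscustomobject]@{
                Role       = $role.DisplayName
                RoleId     = $role.ObjectId
                AppName    = $member.DisplayName
                AppId      = $member.AppId
                SpObjectId = $member.ObjectId
                HighRisk   = $HighRiskRoles -contains $role.DisplayName
            }
        }
    }
}

# Usage: show every application-level role holder, high-risk ones first.
Get-ServicePrincipalRoleAssignments |
    Sort-Object -Property HighRisk -Descending |
    Format-Table Role, AppName, AppId, HighRisk -AutoSize
```

Any row marked HighRisk should be cross-checked against the application's actual needs, since the answer notes that a narrower Directory Role can be assigned with the same cmdlets.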