Azure AD application with Global Administrator rights

Problem description

So I am trying to set up an application on Azure AD that can, among other things, delete users.

I have the application registered and use the client ID and secret to gain the access token.

I was able to give the application permissions to create users and that works fine, but when I go to delete over the Graph API I get a 403 Insufficient privileges to complete the operation.

I am trying this over the Graph REST API. The user that I am attempting to delete was made through the REST call as well. The user is in the same tenant as the application, so I am not trying to delete users from multiple tenants.

It seems what I need to do is give the application either Global admin or Company admin rights, but I am spinning wheels on where and/or how to do this.

Any help would be appreciated.

Recommended answer

Take a look at my answer here.

You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.

Note that this only affects the access your application has within your tenant.

You must also already be a Company Administrator of the tenant in order to follow these instructions.

In order to make the change, you will need to install the Azure Active Directory PowerShell Module.

Once you have the module installed, authenticate to your tenant with your Administrator Account:

Connect-MsolService

Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.

Search for Service Principal by App ID GUID:

$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>

Search for the Directory Role by name:

$role = Get-MsolRole -RoleName "Company Administrator"

Now we can use the Add-MsolRoleMember command to add this role to the service principal.

Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

To check everything is working, let's get back all the members of the Company Administrator role:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.

Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.

Let me know if this helps!
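An application sitting in the Company Administrator role holds the same power as a human Global Administrator without any interactive sign-in, so it is worth knowing which service principals hold which directory roles. The following audit is an added example, not part of the answer above; it uses the same MSOnline cmdlets (Get-MsolRole, Get-MsolRoleMember, Get-MsolServicePrincipal) and assumes the module is installed and Connect-MsolService has already been run as an administrator.

```powershell
# Added audit example (not from the original answer): walk every directory
# role in the tenant and report each member whose RoleMemberType is
# ServicePrincipal, so over-privileged applications become visible.
# Assumes: MSOnline module installed, Connect-MsolService already executed.

$findings = foreach ($role in Get-MsolRole) {
    # Members of any type (User, Group, ServicePrincipal) for this role
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

    foreach ($member in ($members | Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' })) {
        # Resolve the service principal so the App ID can be matched to
        # the app registration that owns the credential.
        $sp = Get-MsolServicePrincipal -ObjectId $member.ObjectId

        [pscustomobject]@{
            Role        = $role.Name
            DisplayName = $member.DisplayName
            AppId       = $sp.AppPrincipalId
            ObjectId    = $member.ObjectId
            # Flag the tenant-wide role specifically; every entry is still
            # worth reviewing against the access the app actually needs.
            Flag        = if ($role.Name -eq 'Company Administrator') { 'REVIEW' } else { '' }
        }
    }
}

if (-not $findings) {
    Write-Host 'No service principals are members of any directory role.'
} else {
    $findings | Sort-Object Role, DisplayName | Format-Table -AutoSize
}
```

Run it again after any Add-MsolRoleMember change so the new assignment appears in the output, and keep the listing as a baseline to compare against later.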
