Azure AD - 将服务主体启用为应用程序管理员 [英] Azure AD - enable the service principal as a an application administrator

问题描述

我想知道如何在 Azure AD 中拥有一个 ServicePrincipal，它能够更改不属于它的应用注册，例如删除应用或旋转其键.有人告诉我，如果 SP 具有应用程序管理员"角色，那么它应该有足够的权限来执行此操作.

I'd like to know how to have a ServicePrincipal in Azure AD that will be able to alter app registrations that it doesn't own, like remove an app or rotate its keys. I was told that if SP has "Application administrator" role then it should have enough permissions to do so.

那么我怎样才能在 Powershell 中实现这一点呢?

So how would I be able to achieve this in Powershell?

推荐答案

我想你正在寻找 Add-AzureADDirectoryRoleMember PowerShell cmdlet.

I think you are looking for the Add-AzureADDirectoryRoleMember PowerShell cmdlet.

这是一个例子:

# Fetch role instance
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Application Administrator'}

# If role instance does not exist, instantiate it based on the role template
if ($role -eq $null) {
    # Instantiate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.displayName -eq 'Application Administrator'}
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

    # Fetch role
    $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Application Administrator'}
}

# Add the SP to role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId  -RefObjectId <ObjectID of your SP>

这篇关于Azure AD - 将服务主体启用为应用程序管理员的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！