Azure AD application with Global Administrator rights


Question

So I am trying to set up an application on Azure AD that can, among other things, delete users.

I have the application registered and use the client id and secret to gain the access token.

I was able to give the application permissions to create users and that works fine, but when I go to delete over the Graph API I get a 403 Insufficient privileges to complete the operation.

I am trying this over the Graph REST API. The user that I am attempting to delete was made through the REST call as well. The user is in the same tenant as the application, so I am not trying to delete users from multiple tenants.

It seems what I need to do is give the application either Global admin or Company admin rights, but I am spinning wheels on where and/or how to do this.

Any help would be greatly appreciated.

Accepted answer

Take a look at my answer here.

You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.

Note that this only affects the access your application has within your tenant.

Also, you must already be a Company Administrator for the tenant in order to follow these instructions.

In order to make the change, you will need to install the Azure Active Directory PowerShell Module.

Once you have the module installed, authenticate to your tenant with your Administrator Account:

Connect-MSOLService

Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.

Search for the Service Principal by App ID GUID:

$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>

Search for the Directory Role by name:

$role = Get-MsolRole -RoleName "Company Administrator"

Now we can use the Add-MsolRoleMember command to add this role to the service principal.

Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

To check everything is working, let's get back all the members of the Company Administrator role:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.
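The check above lists every member of the role, but it does not tell you whether each service principal in the list is one you meant to put there. The following script is an added example, not part of the original answer, that runs the same MSOnline cmdlets the answer uses and reports every service principal holding Company Administrator, flagging any whose App ID is not on a constructed allowlist (the GUID in the allowlist is a placeholder you replace with your own application's App ID). It assumes the MSOnline module is installed and that Connect-MsolService has already been run with an administrator account; note that MSOnline is deprecated in favour of the Microsoft Graph PowerShell SDK, so treat the cmdlet names as tied to the module the answer describes.

```powershell
# Added example (not from the original answer): audit which service
# principals hold the Company Administrator role after the change above.
# Assumes the MSOnline module is installed and Connect-MsolService has
# already been run with an administrator account.

# Constructed allowlist: App ID GUIDs of applications that are expected to
# hold the role. Replace the placeholder with your own application's App ID.
$expectedAppIds = @(
    '00000000-0000-0000-0000-000000000000'   # <App ID GUID> placeholder
)

function Get-CompanyAdminServicePrincipals {
    # Resolve the role by name, exactly as in the answer above.
    $role = Get-MsolRole -RoleName "Company Administrator"

    # Role members include users, groups and service principals; keep only
    # the service principals, since those act without any user signed in.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
        ForEach-Object {
            # Look the service principal up by Object ID to recover its
            # App ID, which is what the allowlist is keyed on.
            $sp = Get-MsolServicePrincipal -ObjectId $_.ObjectId
            [pscustomobject]@{
                DisplayName    = $sp.DisplayName
                ObjectId       = $sp.ObjectId
                AppPrincipalId = $sp.AppPrincipalId
                Expected       = ($expectedAppIds -contains $sp.AppPrincipalId)
            }
        }
}

$members = Get-CompanyAdminServicePrincipals
$members | Format-Table -AutoSize

# Any service principal not on the allowlist holds tenant-wide admin rights
# that nobody accounted for; surface it for review.
$unexpected = @($members | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} service principal(s) hold Company Administrator but are not on the allowlist:" -f $unexpected.Count)
    $unexpected | ForEach-Object {
        Write-Warning ("  {0} ({1})" -f $_.DisplayName, $_.AppPrincipalId)
    }
}
```

Running this on a schedule, or after any change like the one in the answer, turns the one-off "is my app in the list?" check into a standing control: the role grants the application everything a Company Administrator can do with no user sign-in, so an unexpected entry in this output is worth treating as an incident rather than a curiosity.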

Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed in, using the Client Credential Flow.

Let me know if this helps!
