Azure AD - 以应用程序管理员身份启用服务主体
Azure AD - enable the service principal as a an application administrator
我想知道如何在 Azure AD 中拥有一个 ServicePrincipal,它将能够改变它不拥有的应用程序注册,例如删除应用程序或轮换其密钥。有人告诉我,如果 SP 具有 "Application administrator" 角色,那么它应该有足够的权限来这样做。
那么我如何才能在 Powershell 中实现这一点?
我认为您正在寻找 Add-AzureADDirectoryRoleMember PowerShell cmdlet。
这是一个例子:
# Fetch role instance
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Application Administrator'}
# If role instance does not exist, instantiate it based on the role template
if ($role -eq $null) {
# Instantiate an instance of the role template
$roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.displayName -eq 'Application Administrator'}
Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
# Fetch role
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Application Administrator'}
}
# Add the SP to role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId <ObjectID of your SP>
我想知道如何在 Azure AD 中拥有一个 ServicePrincipal,它将能够改变它不拥有的应用程序注册,例如删除应用程序或轮换其密钥。有人告诉我,如果 SP 具有 "Application administrator" 角色,那么它应该有足够的权限来这样做。
那么我如何才能在 Powershell 中实现这一点?
我认为您正在寻找 Add-AzureADDirectoryRoleMember PowerShell cmdlet。
这是一个例子:
# Fetch role instance
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Application Administrator'}
# If role instance does not exist, instantiate it based on the role template
if ($role -eq $null) {
# Instantiate an instance of the role template
$roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.displayName -eq 'Application Administrator'}
Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
# Fetch role
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Application Administrator'}
}
# Add the SP to role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId <ObjectID of your SP>