nemisis enforcer

Reputation: 359

Azure AD application with Global Administrator rights

So I am trying to set up an application on Azure AD that can, among other things, delete users.

I have the application registered and use the client ID and secret to gain the access token.

I was able to give the application permissions to create users and that works fine, but when I go to delete over the Graph API I get a 403 "Insufficient privileges to complete the operation".

I am trying this over the Graph REST API. The user that I am attempting to delete was made through the REST call as well. The user is in the same tenant as the application, so I am not trying to delete users from multiple tenants.

It seems what I need to do is give the application either Global admin or Company admin rights, but I am spinning wheels on where and/or how to do this.

Any help would be appreciated.

Upvotes: 2

Views: 5472

Answers (2)

Emil

Reputation: 2346

UPDATE:

The answer above has been updated to use Azure Active Directory V2 PowerShell.

If you don't have the AzureAD module already installed you will need to install it. See Azure Active Directory PowerShell Module Version for Graph for Azure AD administrative tasks for more info about the module or simply run:

Install-Module AzureAD

Once you have the module installed, authenticate to your tenant with your Administrator Account:

Connect-AzureAD

Then we need to get the Service Principal we want to elevate, and the Company Administrator Role for your tenant.

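# Use the AzureAD module cmdlet so it works in the Connect-AzureAD session; -All $true avoids the default result limit
$sp = Get-AzureADServicePrincipal -All $true | Where DisplayName -eq '<service-principal-name>'

Search for Directory Role by Name:

$role = Get-AzureADDirectoryRole | Where DisplayName -eq 'Company Administrator'

Now we can use the Add-AzureADDirectoryRoleMember command to add this role to the service principal.

# AzureAD module objects expose the identifier as ObjectId
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId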

To check everything is working, let's get back all the members of the Company Administrator role:

Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

You should see your application in that list, where DisplayName is the name of your application.

Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.

Upvotes: 4

Shawn Tabrizi

Reputation: 12434

Take a look at my answer here.

You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.

Note that this will only affect the access your app has in your tenant.

Also you must already be a Company Administrator of the tenant to follow these instructions.

In order to make the change, you will need to install the Azure Active Directory PowerShell Module.

Once you have the module installed, authenticate to your tenant with your Administrator Account:

Connect-MSOLService

Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.

Search for Service Principal by App ID GUID:

$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>

Search for Directory Role by Name:

$role = Get-MsolRole -RoleName "Company Administrator"

Now we can use the Add-MsolRoleMember command to add this role to the service principal.

Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

To check everything is working, let's get back all the members of the Company Administrator role:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.

Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.

Let me know if this helps!

Upvotes: 5
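
Both answers end by listing the members of a single role. The following is an added example, not part of either answer, that generalizes that check into an audit of every activated directory role for service principal members, so an application holding Company Administrator (or any other role) can be reviewed and revoked. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the function name, the output property names and the high-impact role list are hypothetical choices made for this example.

```powershell
# Added example: audit which service principals hold directory roles.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.

function Get-ServicePrincipalRoleAssignment {
    [CmdletBinding()]
    param(
        # Roles flagged as high impact in the report (assumed list; adjust per tenant).
        [string[]]$HighImpactRole = @('Company Administrator')
    )

    # Get-AzureADDirectoryRole returns only roles that are activated in the tenant.
    foreach ($role in Get-AzureADDirectoryRole) {
        # Role members can be users or service principals; keep only the latter.
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
            Where-Object { $_.ObjectType -eq 'ServicePrincipal' }

        foreach ($member in $members) {
            [pscustomobject]@{
                Role         = $role.DisplayName
                HighImpact   = $HighImpactRole -contains $role.DisplayName
                DisplayName  = $member.DisplayName
                AppId        = $member.AppId
                SpObjectId   = $member.ObjectId
                RoleObjectId = $role.ObjectId
            }
        }
    }
}

# Build the report with high-impact assignments first.
$report = Get-ServicePrincipalRoleAssignment |
    Sort-Object -Property @{ Expression = 'HighImpact'; Descending = $true }, Role, DisplayName
$report | Format-Table Role, HighImpact, DisplayName, AppId -AutoSize

# To revoke an assignment that is no longer needed (uncomment and select one row):
# $row = $report | Where-Object DisplayName -eq '<service-principal-name>'
# Remove-AzureADDirectoryRoleMember -ObjectId $row.RoleObjectId -MemberId $row.SpObjectId
```

Any row with HighImpact set to True is an application whose client secret alone grants tenant-wide administrative access through the Client Credential Flow, so those rows are the ones to justify or remove first.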
