在 Microsoft Graph PowerShell 中,检查 IsPrivileged
属性是否设置为 True
。
若要列出特权角色,请使用 Get-MgBetaRoleManagementDirectoryRoleDefinition 命令。
Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "isPrivileged eq true" | Format-List
AllowedPrincipalTypes :
Description : Can create and manage all aspects of app registrations and enterprise apps.
DisplayName : Application Administrator
Id : 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
InheritsPermissionsFrom : {88d8e3e3-8f55-4a1e-953a-9b9898b8876b}
IsBuiltIn : True
IsEnabled : True
IsPrivileged : True
ResourceScopes : {/}
RolePermissions : {Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRolePermission}
TemplateId : 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
Version : 1
AdditionalProperties : {[assignmentMode, allowed], [categories, identity], [richDescription, Users in this role can
add, manage, and configureenterprise applications, app registrations and manage on-premises
like app proxy.], [inheritsPermissionsFrom@odata.context, https://microsoftgraph.chinacloudapi.cn/beta/$m
etadata#roleManagement/directory/roleDefinitions('9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3')/inhe
ritsPermissionsFrom]}
AllowedPrincipalTypes :
Description : Can reset passwords for non-administrators and Helpdesk Administrators.
DisplayName : Helpdesk Administrator
Id : 729827e3-9c14-49f7-bb1b-9608f156bbb8
InheritsPermissionsFrom : {88d8e3e3-8f55-4a1e-953a-9b9898b8876b}
IsBuiltIn : True
IsEnabled : True
IsPrivileged : True
ResourceScopes : {/}
RolePermissions : {Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRolePermission}
TemplateId : 729827e3-9c14-49f7-bb1b-9608f156bbb8
Version : 1
AdditionalProperties : {[assignmentMode, allowed], [categories, identity], [richDescription, Users with this role
can change passwords, invalidate refresh tokens, manage service requests, and monitor
service health. Invalidating a refresh token forces the user to sign in again. Helpdesk
administrators can reset passwords and invalidate refresh tokens of other users who are
non-administrators or assigned the following roles only:
* Directory Readers
* Guest Inviter
* Helpdesk Administrator
* Message Center Reader
* Password Administrator
* Reports Reader], [inheritsPermissionsFrom@odata.context, https://microsoftgraph.chinacloudapi.cn/beta/$
metadata#roleManagement/directory/roleDefinitions('729827e3-9c14-49f7-bb1b-9608f156bbb8')/inh
eritsPermissionsFrom]}
...
若要列出特权权限,请使用 Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction 命令。
Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction -UnifiedRbacResourceNamespaceId "microsoft.directory" -Filter "isPrivileged eq true" | Format-List
ActionVerb : PATCH
AuthenticationContext : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAuthenticationContextClassReference
AuthenticationContextId :
Description : Update all properties (including privileged properties) on single-directory applications
Id : microsoft.directory-applications.myOrganization-allProperties-update-patch
IsAuthenticationContextSettable :
IsPrivileged : True
Name : microsoft.directory/applications.myOrganization/allProperties/update
ResourceScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRbacResourceScope
ResourceScopeId :
AdditionalProperties : {}
ActionVerb : PATCH
AuthenticationContext : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAuthenticationContextClassReference
AuthenticationContextId :
Description : Update credentials on single-directory applications
Id : microsoft.directory-applications.myOrganization-credentials-update-patch
IsAuthenticationContextSettable :
IsPrivileged : True
Name : microsoft.directory/applications.myOrganization/credentials/update
ResourceScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRbacResourceScope
ResourceScopeId :
AdditionalProperties : {}
...
若要列出特权分配,请使用 Get-MgBetaRoleManagementDirectoryRoleAssignment 命令。
Get-MgBetaRoleManagementDirectoryRoleAssignment -ExpandProperty "roleDefinition" -Filter "roleDefinition/isPrivileged eq true" | Format-List
AppScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAppScope
AppScopeId :
Condition :
DirectoryScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
DirectoryScopeId : /
Id : <Id>
Principal : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
PrincipalId : <PrincipalId>
PrincipalOrganizationId : <PrincipalOrganizationId>
ResourceScope : /
RoleDefinition : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRoleDefinition
RoleDefinitionId : 62e90394-69f5-4237-9190-012177145e10
AdditionalProperties : {}
AppScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAppScope
AppScopeId :
Condition :
DirectoryScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
DirectoryScopeId : /
Id : <Id>
Principal : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
PrincipalId : <PrincipalId>
PrincipalOrganizationId : <PrincipalOrganizationId>
ResourceScope : /
RoleDefinition : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRoleDefinition
RoleDefinitionId : 62e90394-69f5-4237-9190-012177145e10
AdditionalProperties : {}
...
在 Microsoft Graph API 中,检查 isPrivileged
属性是否设置为 true
。
若要列出特权角色,请使用 List roleDefinitions API。
GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleDefinitions?$filter=isPrivileged eq true
响应
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleDefinitions",
"value": [
{
"id": "aaf43236-0c0d-4d5f-883a-6955382ac081",
"description": "Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).",
"displayName": "B2C IEF Keyset Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "aaf43236-0c0d-4d5f-883a-6955382ac081",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks"
],
"condition": null
}
],
"inheritsPermissionsFrom@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleDefinitions('aaf43236-0c0d-4d5f-883a-6955382ac081')/inheritsPermissionsFrom",
"inheritsPermissionsFrom": [
{
"id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}
]
},
{
"id": "be2f45a1-457d-42af-a067-6ec1fa63bc45",
"description": "Can configure identity providers for use in direct federation.",
"displayName": "External Identity Provider Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "be2f45a1-457d-42af-a067-6ec1fa63bc45",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/domains/federation/update",
"microsoft.directory/identityProviders/allProperties/allTasks"
],
"condition": null
}
],
"inheritsPermissionsFrom@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleDefinitions('be2f45a1-457d-42af-a067-6ec1fa63bc45')/inheritsPermissionsFrom",
"inheritsPermissionsFrom": [
{
"id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}
]
}
]
}
若要列出特权权限,请使用 List resourceActions API。
GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?$filter=isPrivileged eq true
响应
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/resourceNamespaces('microsoft.directory')/resourceActions",
"value": [
{
"actionVerb": "PATCH",
"description": "Update application credentials",
"id": "microsoft.directory-applications-credentials-update-patch",
"isPrivileged": true,
"name": "microsoft.directory/applications/credentials/update",
"resourceScopeId": null
},
{
"actionVerb": null,
"description": "Manage all aspects of authorization policy",
"id": "microsoft.directory-authorizationPolicy-allProperties-allTasks",
"isPrivileged": true,
"name": "microsoft.directory/authorizationPolicy/allProperties/allTasks",
"resourceScopeId": null
}
]
}
若要列出特权角色分配,请使用 List unifiedRoleAssignments API。
GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true
响应
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleAssignments(roleDefinition())",
"value": [
{
"id": "{id}",
"principalId": "{principalId}",
"principalOrganizationId": "{principalOrganizationId}",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"roleDefinition": {
"id": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"description": "Can manage Conditional Access capabilities.",
"displayName": "Conditional Access Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/namedLocations/create",
"microsoft.directory/namedLocations/delete",
"microsoft.directory/namedLocations/standard/read",
"microsoft.directory/namedLocations/basic/update",
"microsoft.directory/conditionalAccessPolicies/create",
"microsoft.directory/conditionalAccessPolicies/delete",
"microsoft.directory/conditionalAccessPolicies/standard/read",
"microsoft.directory/conditionalAccessPolicies/owners/read",
"microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read",
"microsoft.directory/conditionalAccessPolicies/basic/update",
"microsoft.directory/conditionalAccessPolicies/owners/update",
"microsoft.directory/conditionalAccessPolicies/tenantDefault/update"
],
"condition": null
}
]
}
},
{
"id": "{id}",
"principalId": "{principalId}",
"principalOrganizationId": "{principalOrganizationId}",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"roleDefinition": {
"id": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"description": "Can access to view, set and reset authentication method information for any non-admin user.",
"displayName": "Authentication Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/users/authenticationMethods/create",
"microsoft.directory/users/authenticationMethods/delete",
"microsoft.directory/users/authenticationMethods/standard/restrictedRead",
"microsoft.directory/users/authenticationMethods/basic/update",
"microsoft.directory/deletedItems.users/restore",
"microsoft.directory/users/delete",
"microsoft.directory/users/disable",
"microsoft.directory/users/enable",
"microsoft.directory/users/invalidateAllRefreshTokens",
"microsoft.directory/users/restore",
"microsoft.directory/users/basic/update",
"microsoft.directory/users/manager/update",
"microsoft.directory/users/password/update",
"microsoft.directory/users/userPrincipalName/update",
"microsoft.azure.serviceHealth/allEntities/allTasks",
"microsoft.azure.supportTickets/allEntities/allTasks",
"microsoft.office365.serviceHealth/allEntities/allTasks",
"microsoft.office365.supportTickets/allEntities/allTasks",
"microsoft.office365.webPortal/allEntities/standard/read"
],
"condition": null
}
]
}
}
]
}