在 Microsoft Graph PowerShell 中,检查 IsPrivileged
属性是否设置为 True
。
若要列出特权角色,请使用 Get-MgBetaRoleManagementDirectoryRoleDefinition 命令。
Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "isPrivileged eq true" | Format-List
AllowedPrincipalTypes :
Description : Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
DisplayName : Global Administrator
Id : 62e90394-69f5-4237-9190-012177145e10
InheritsPermissionsFrom : {88d8e3e3-8f55-4a1e-953a-9b9898b8876b}
IsBuiltIn : True
IsEnabled : True
IsPrivileged : True
ResourceScopes : {/}
RolePermissions : {Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRolePermission}
TemplateId : 62e90394-69f5-4237-9190-012177145e10
Version : 1
AdditionalProperties : {[inheritsPermissionsFrom@odata.context, https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManag
ement/directory/roleDefinitions('62e90394-69f5-4237-9190-012177145e10')/inheritsPermissionsFr
om]}
AllowedPrincipalTypes :
Description : Can manage all aspects of users and groups, including resetting passwords for limited admins.
DisplayName : User Administrator
Id : fe930be7-5e62-47db-91af-98c3a49a38b1
InheritsPermissionsFrom : {88d8e3e3-8f55-4a1e-953a-9b9898b8876b}
IsBuiltIn : True
IsEnabled : True
IsPrivileged : True
ResourceScopes : {/}
RolePermissions : {Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRolePermission}
TemplateId : fe930be7-5e62-47db-91af-98c3a49a38b1
Version : 1
AdditionalProperties : {[inheritsPermissionsFrom@odata.context, https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManag
ement/directory/roleDefinitions('fe930be7-5e62-47db-91af-98c3a49a38b1')/inheritsPermissionsFr
om]}
...
若要列出特权权限,请使用 Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction 命令。
Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction -UnifiedRbacResourceNamespaceId "microsoft.directory" -Filter "isPrivileged eq true" | Format-List
ActionVerb : PATCH
AuthenticationContext : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAuthenticationContextClassReference
AuthenticationContextId :
Description : Update all properties (including privileged properties) on single-directory applications
Id : microsoft.directory-applications.myOrganization-allProperties-update-patch
IsAuthenticationContextSettable :
IsPrivileged : True
Name : microsoft.directory/applications.myOrganization/allProperties/update
ResourceScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRbacResourceScope
ResourceScopeId :
AdditionalProperties : {}
ActionVerb : PATCH
AuthenticationContext : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAuthenticationContextClassReference
AuthenticationContextId :
Description : Update credentials on single-directory applications
Id : microsoft.directory-applications.myOrganization-credentials-update-patch
IsAuthenticationContextSettable :
IsPrivileged : True
Name : microsoft.directory/applications.myOrganization/credentials/update
ResourceScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRbacResourceScope
ResourceScopeId :
AdditionalProperties : {}
...
若要列出特权分配,请使用 Get-MgBetaRoleManagementDirectoryRoleAssignment 命令。
Get-MgBetaRoleManagementDirectoryRoleAssignment -ExpandProperty "roleDefinition" -Filter "roleDefinition/isPrivileged eq true" | Format-List
AppScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAppScope
AppScopeId :
Condition :
DirectoryScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
DirectoryScopeId : /
Id : <Id>
Principal : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
PrincipalId : <PrincipalId>
PrincipalOrganizationId : <PrincipalOrganizationId>
ResourceScope : /
RoleDefinition : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRoleDefinition
RoleDefinitionId : 62e90394-69f5-4237-9190-012177145e10
AdditionalProperties : {}
AppScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphAppScope
AppScopeId :
Condition :
DirectoryScope : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
DirectoryScopeId : /
Id : <Id>
Principal : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphDirectoryObject
PrincipalId : <PrincipalId>
PrincipalOrganizationId : <PrincipalOrganizationId>
ResourceScope : /
RoleDefinition : Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRoleDefinition
RoleDefinitionId : 62e90394-69f5-4237-9190-012177145e10
AdditionalProperties : {}
...
在 Microsoft Graph API 中,检查 isPrivileged
属性是否设置为 true
。
若要列出特权角色,请使用 List roleDefinitions API。
GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleDefinitions?$filter=isPrivileged eq true
响应
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleDefinitions",
"value": [
{
"id": "aaf43236-0c0d-4d5f-883a-6955382ac081",
"description": "Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).",
"displayName": "B2C IEF Keyset Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "aaf43236-0c0d-4d5f-883a-6955382ac081",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks"
],
"condition": null
}
],
"inheritsPermissionsFrom@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleDefinitions('aaf43236-0c0d-4d5f-883a-6955382ac081')/inheritsPermissionsFrom",
"inheritsPermissionsFrom": [
{
"id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}
]
},
{
"id": "be2f45a1-457d-42af-a067-6ec1fa63bc45",
"description": "Can configure identity providers for use in direct federation.",
"displayName": "External Identity Provider Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "be2f45a1-457d-42af-a067-6ec1fa63bc45",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/domains/federation/update",
"microsoft.directory/identityProviders/allProperties/allTasks"
],
"condition": null
}
],
"inheritsPermissionsFrom@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleDefinitions('be2f45a1-457d-42af-a067-6ec1fa63bc45')/inheritsPermissionsFrom",
"inheritsPermissionsFrom": [
{
"id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}
]
}
]
}
若要列出特权权限,请使用 List resourceActions API。
GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?$filter=isPrivileged eq true
响应
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/resourceNamespaces('microsoft.directory')/resourceActions",
"value": [
{
"actionVerb": "PATCH",
"description": "Update application credentials",
"id": "microsoft.directory-applications-credentials-update-patch",
"isPrivileged": true,
"name": "microsoft.directory/applications/credentials/update",
"resourceScopeId": null
},
{
"actionVerb": null,
"description": "Manage all aspects of authorization policy",
"id": "microsoft.directory-authorizationPolicy-allProperties-allTasks",
"isPrivileged": true,
"name": "microsoft.directory/authorizationPolicy/allProperties/allTasks",
"resourceScopeId": null
}
]
}
若要列出特权角色分配,请使用 List unifiedRoleAssignments API。
GET https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true
响应
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://microsoftgraph.chinacloudapi.cn/beta/$metadata#roleManagement/directory/roleAssignments(roleDefinition())",
"value": [
{
"id": "{id}",
"principalId": "{principalId}",
"principalOrganizationId": "{principalOrganizationId}",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"roleDefinition": {
"id": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"description": "Can manage Conditional Access capabilities.",
"displayName": "Conditional Access Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/namedLocations/create",
"microsoft.directory/namedLocations/delete",
"microsoft.directory/namedLocations/standard/read",
"microsoft.directory/namedLocations/basic/update",
"microsoft.directory/conditionalAccessPolicies/create",
"microsoft.directory/conditionalAccessPolicies/delete",
"microsoft.directory/conditionalAccessPolicies/standard/read",
"microsoft.directory/conditionalAccessPolicies/owners/read",
"microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read",
"microsoft.directory/conditionalAccessPolicies/basic/update",
"microsoft.directory/conditionalAccessPolicies/owners/update",
"microsoft.directory/conditionalAccessPolicies/tenantDefault/update"
],
"condition": null
}
]
}
},
{
"id": "{id}",
"principalId": "{principalId}",
"principalOrganizationId": "{principalOrganizationId}",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"roleDefinition": {
"id": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"description": "Can access to view, set and reset authentication method information for any non-admin user.",
"displayName": "Authentication Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/users/authenticationMethods/create",
"microsoft.directory/users/authenticationMethods/delete",
"microsoft.directory/users/authenticationMethods/standard/restrictedRead",
"microsoft.directory/users/authenticationMethods/basic/update",
"microsoft.directory/deletedItems.users/restore",
"microsoft.directory/users/delete",
"microsoft.directory/users/disable",
"microsoft.directory/users/enable",
"microsoft.directory/users/invalidateAllRefreshTokens",
"microsoft.directory/users/restore",
"microsoft.directory/users/basic/update",
"microsoft.directory/users/manager/update",
"microsoft.directory/users/password/update",
"microsoft.directory/users/userPrincipalName/update",
"microsoft.azure.serviceHealth/allEntities/allTasks",
"microsoft.azure.supportTickets/allEntities/allTasks",
"microsoft.office365.serviceHealth/allEntities/allTasks",
"microsoft.office365.supportTickets/allEntities/allTasks",
"microsoft.office365.webPortal/allEntities/standard/read"
],
"condition": null
}
]
}
}
]
}