首先,感谢两位大佬的教程
https://hostloc.com/thread-833230-1-1.html
https://hostloc.com/thread-833198-1-1.html
我在他们教程的基础上加以细化,让小白也能上手
为什么要通过 API 提升子号为全局管理员?这个原因其实很简单,了解 Microsoft 365 / Office 365 A1 / A1P / A3 的朋友应该都知道,对于这些来源不明的全局,微软发现后肯定是要封的,封所有管理员,但是一般不封子号,封了后,如果你还有 API,那么就可以通过 API 提升子号为全局管理员,再次对全局进行掌控
一 Microsoft 365 / Office 365 A1 / A1P / A3 通过 API 提升子号为全局管理员的基本条件
- API 权限:RoleManagement.ReadWrite.Directory
- 能登录的子号
- SP 不为 0
满足以上三个条件后,就可以开始提升子号为全局管理员
二 创建 Azure AD 应用程序
可以看我以前的教程:
一定要开启:RoleManagement.ReadWrite.Directory 权限
三 注册 Postman
进入:
注册并登录账号
四 创建 Microsoft Graph Postman 工作区
不明白的请看官方文档:点击进入
五 在 Postman 中配置身份验证 / 授权
填入第二步中得到的【ClientID】【TenantID】【ClientSecret】,然后点【Save】保存
进入【Application】开始授权
注意上图中右上角那儿要选择刚刚创建的【M365 Environment】
点击【Get New Access Token】开始授权
授权成功
点击【Use Token】后再点击【Save】保存
不明白的请看官方文档:点击进入
六 获取子号 ID & 管理员 ID
进入位置请看下图
在 GET 后输入:
# 输入以下地址 https://graph.microsoft.com/v1.0/users
然后点击【Send】
# 返回结果 { "businessPhones": [], "displayName": "GV靓号", "givenName": "GV", "jobTitle": null, "mail": null, "mobilePhone": null, "officeLocation": null, "preferredLanguage": null, "surname": "靓号", "userPrincipalName": "gv@yjuniversity.eu", "id": "763b6ba7-549e-4364-bc9f-3f63af52e860" },
记录要提权为管理员的子号 ID,即最后一行
在 GET 后输入:
# 输入以下地址 https://graph.microsoft.com/v1.0/directoryRoleTemplates
然后点击【Send】
# 返回结果 # 全局管理员 { "id": "62e90394-69f5-4237-9190-012177145e10", "deletedDateTime": null, "description": "Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.", "displayName": "Global Administrator" }, # 密码管理员 { "id": "966707d0-3269-4727-9be2-8c3a10f19b9d", "deletedDateTime": null, "description": "Can reset passwords for non-administrators and Password Administrators.", "displayName": "Password Administrator" },
记录要提权为哪种管理员的 ID,即第一行
七 Microsoft 365 / Office 365 A1 / A1P / A3 通过 API 提升子号为全局管理员
我以提升为全局管理员为例来示范
# 在 POST 后输入下面的内容,62e90394-69f5-4237-9190-012177145e10 可以修改为其他管理员 ID https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members/$ref # 在相应位置输入下面的内容,763b6ba7-549e-4364-bc9f-3f63af52e860 换成你子号的 ID { "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/763b6ba7-549e-4364-bc9f-3f63af52e860" }
注意看图中内容的输入位置
最后点击【Send】
返回【204 No Content】,说明成功了
不明白的请看官方文档:点击进入
Microsoft 365 / Office 365 A1 / A1P / A3 通过 API 提升子号为全局管理员的教程 / 方法结束
所有管理员 ID
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryRoleTemplates", "value": [ { "id": "62e90394-69f5-4237-9190-012177145e10", "deletedDateTime": null, "description": "Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.", "displayName": "Global Administrator" }, { "id": "10dae51f-b6af-4016-8d66-8c2a99b929b3", "deletedDateTime": null, "description": "Default role for guest users. Can read a limited set of directory information.", "displayName": "Guest User" }, { "id": "2af84b1e-32c8-42b7-82bc-daa82404023b", "deletedDateTime": null, "description": "Default role for guest users with restricted access. Can read a limited set of directory information.", "displayName": "Restricted Guest User" }, { "id": "95e79109-95c0-4d8e-aee3-d01accf2d47b", "deletedDateTime": null, "description": "Can invite guest users independent of the 'members can invite guests' setting.", "displayName": "Guest Inviter" }, { "id": "fe930be7-5e62-47db-91af-98c3a49a38b1", "deletedDateTime": null, "description": "Can manage all aspects of users and groups, including resetting passwords for limited admins.", "displayName": "User Administrator" }, { "id": "729827e3-9c14-49f7-bb1b-9608f156bbb8", "deletedDateTime": null, "description": "Can reset passwords for non-administrators and Helpdesk Administrators.", "displayName": "Helpdesk Administrator" }, { "id": "f023fd81-a637-4b56-95fd-791ac0226033", "deletedDateTime": null, "description": "Can read service health information and manage support tickets.", "displayName": "Service Support Administrator" }, { "id": "b0f54661-2d74-4c50-afa3-1ec803f12efe", "deletedDateTime": null, "description": "Can perform common billing related tasks like updating payment information.", "displayName": "Billing Administrator" }, { "id": "a0b1b346-4d3e-4e8b-98f8-753987be4970", "deletedDateTime": null, "description": "Default role for member users. Can read all and write a limited set of directory information.", "displayName": "User" }, { "id": "4ba39ca4-527c-499a-b93d-d9b492c50246", "deletedDateTime": null, "description": "Do not use - not intended for general use.", "displayName": "Partner Tier1 Support" }, { "id": "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8", "deletedDateTime": null, "description": "Do not use - not intended for general use.", "displayName": "Partner Tier2 Support" }, { "id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "deletedDateTime": null, "description": "Can read basic directory information. Commonly used to grant directory read access to applications and guests.", "displayName": "Directory Readers" }, { "id": "9360feb5-f418-4baa-8175-e2a00bac4301", "deletedDateTime": null, "description": "Can read and write basic directory information. For granting access to applications, not intended for users.", "displayName": "Directory Writers" }, { "id": "29232cdf-9323-42fd-ade2-1d097af3e4de", "deletedDateTime": null, "description": "Can manage all aspects of the Exchange product.", "displayName": "Exchange Administrator" }, { "id": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "deletedDateTime": null, "description": "Can manage all aspects of the SharePoint service.", "displayName": "SharePoint Administrator" }, { "id": "75941009-915a-4869-abe7-691bff18279e", "deletedDateTime": null, "description": "Can manage all aspects of the Skype for Business product.", "displayName": "Skype for Business Administrator" }, { "id": "d405c6df-0af8-4e3b-95e4-4d06e542189e", "deletedDateTime": null, "description": "Device Users", "displayName": "Device Users" }, { "id": "9f06204d-73c1-4d4c-880a-6edb90606fd8", "deletedDateTime": null, "description": "Device Administrators", "displayName": "Azure AD Joined Device Local Administrator" }, { "id": "9c094953-4995-41c8-84c8-3ebb9b32c93f", "deletedDateTime": null, "description": "Device Join", "displayName": "Device Join" }, { "id": "c34f683f-4d5a-4403-affd-6615e00e3a7f", "deletedDateTime": null, "description": "Workplace Device Join", "displayName": "Workplace Device Join" }, { "id": "17315797-102d-40b4-93e0-432062caca18", "deletedDateTime": null, "description": "Can read and manage compliance configuration and reports in Azure AD and Office 365.", "displayName": "Compliance Administrator" }, { "id": "d29b2b05-8046-44ba-8758-1e26182fcf32", "deletedDateTime": null, "description": "Only used by Azure AD Connect service.", "displayName": "Directory Synchronization Accounts" }, { "id": "2b499bcd-da44-4968-8aec-78e1674fa64d", "deletedDateTime": null, "description": "Deprecated - Do Not Use.", "displayName": "Device Managers" }, { "id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "deletedDateTime": null, "description": "Can create and manage all aspects of app registrations and enterprise apps.", "displayName": "Application Administrator" }, { "id": "cf1c38e5-3621-4004-a7cb-879624dced7c", "deletedDateTime": null, "description": "Can create application registrations independent of the 'Users can register applications' setting.", "displayName": "Application Developer" }, { "id": "5d6b6bb7-de71-4623-b4af-96380a352509", "deletedDateTime": null, "description": "Can read security information and reports in Azure AD and Office 365.", "displayName": "Security Reader" }, { "id": "194ae4cb-b126-40b2-bd5b-6091b380977d", "deletedDateTime": null, "description": "Security Administrator allows ability to read and manage security configuration and reports.", "displayName": "Security Administrator" }, { "id": "e8611ab8-c189-46e8-94e1-60213ab1f814", "deletedDateTime": null, "description": "Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.", "displayName": "Privileged Role Administrator" }, { "id": "3a2c62db-5318-420d-8d74-23affee5d9d5", "deletedDateTime": null, "description": "Can manage all aspects of the Intune product.", "displayName": "Intune Administrator" }, { "id": "158c047a-c907-4556-b7ef-446551a6b5f7", "deletedDateTime": null, "description": "Can create and manage all aspects of app registrations and enterprise apps except App Proxy.", "displayName": "Cloud Application Administrator" }, { "id": "5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91", "deletedDateTime": null, "description": "Can approve Microsoft support requests to access customer organizational data.", "displayName": "Customer LockBox Access Approver" }, { "id": "44367163-eba1-44c3-98af-f5787879f96a", "deletedDateTime": null, "description": "Can manage all aspects of the Dynamics 365 product.", "displayName": "Dynamics 365 Administrator" }, { "id": "a9ea8996-122f-4c74-9520-8edcd192826c", "deletedDateTime": null, "description": "Can manage all aspects of the Power BI product.", "displayName": "Power BI Administrator" }, { "id": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9", "deletedDateTime": null, "description": "Can manage conditional access capabilities.", "displayName": "Conditional Access Administrator" }, { "id": "4a5d8f65-41da-4de4-8968-e035b65339cf", "deletedDateTime": null, "description": "Can read sign-in and audit reports.", "displayName": "Reports Reader" }, { "id": "790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b", "deletedDateTime": null, "description": "Can read messages and updates for their organization in Office 365 Message Center only.", "displayName": "Message Center Reader" }, { "id": "7495fdc4-34c4-4d15-a289-98788ce399fd", "deletedDateTime": null, "description": "Can manage all aspects of the Azure Information Protection product.", "displayName": "Azure Information Protection Administrator" }, { "id": "38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4", "deletedDateTime": null, "description": "Can access and manage Desktop management tools and services.", "displayName": "Desktop Analytics Administrator" }, { "id": "4d6ac14f-3453-41d0-bef9-a3e0c569773a", "deletedDateTime": null, "description": "Can manage product licenses on users and groups.", "displayName": "License Administrator" }, { "id": "7698a772-787b-4ac8-901f-60d6b08affd2", "deletedDateTime": null, "description": "Full access to manage devices in Azure AD.", "displayName": "Cloud Device Administrator" }, { "id": "c4e39bd9-1100-46d3-8c65-fb160da0071f", "deletedDateTime": null, "description": "Allowed to view, set and reset authentication method information for any non-admin user.", "displayName": "Authentication Administrator" }, { "id": "7be44c8a-adaf-4e2a-84d6-ab2649e08a13", "deletedDateTime": null, "description": "Allowed to view, set and reset authentication method information for any user (admin or non-admin).", "displayName": "Privileged Authentication Administrator" }, { "id": "baf37b3a-610e-45da-9e62-d9d1e5e8914b", "deletedDateTime": null, "description": "Can manage calling and meetings features within the Microsoft Teams service.", "displayName": "Teams Communications Administrator" }, { "id": "f70938a0-fc10-4177-9e90-2178f8765737", "deletedDateTime": null, "description": "Can troubleshoot communications issues within Teams using advanced tools.", "displayName": "Teams Communications Support Engineer" }, { "id": "fcf91098-03e3-41a9-b5ba-6f0ec8188a12", "deletedDateTime": null, "description": "Can troubleshoot communications issues within Teams using basic tools.", "displayName": "Teams Communications Support Specialist" }, { "id": "69091246-20e8-4a56-aa4d-066075b2a7a8", "deletedDateTime": null, "description": "Can manage the Microsoft Teams service.", "displayName": "Teams Administrator" }, { "id": "eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c", "deletedDateTime": null, "description": "Has administrative access in the M365 Insights app.", "displayName": "Insights Administrator" }, { "id": "ac16e43d-7b2d-40e0-ac05-243ff356ab5b", "deletedDateTime": null, "description": "Can read security messages and updates in Office 365 Message Center only.", "displayName": "Message Center Privacy Reader" }, { "id": "6e591065-9bad-43ed-90f3-e9424366d2f0", "deletedDateTime": null, "description": "Can create and manage all aspects of user flows.", "displayName": "External ID User Flow Administrator" }, { "id": "0f971eea-41eb-4569-a71e-57bb8a3eff1e", "deletedDateTime": null, "description": "Can create and manage the attribute schema available to all user flows.", "displayName": "External ID User Flow Attribute Administrator" }, { "id": "aaf43236-0c0d-4d5f-883a-6955382ac081", "deletedDateTime": null, "description": "Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).", "displayName": "B2C IEF Keyset Administrator" }, { "id": "3edaf663-341e-4475-9f94-5c398ef6c070", "deletedDateTime": null, "description": "Can create and manage trust framework policies in the Identity Experience Framework (IEF).", "displayName": "B2C IEF Policy Administrator" }, { "id": "be2f45a1-457d-42af-a067-6ec1fa63bc45", "deletedDateTime": null, "description": "Can configure identity providers for use in direct federation.", "displayName": "External Identity Provider Administrator" }, { "id": "e6d1a23a-da11-4be4-9570-befc86d067a7", "deletedDateTime": null, "description": "Creates and manages compliance content.", "displayName": "Compliance Data Administrator" }, { "id": "5f2222b1-57c3-48ba-8ad5-d4759f1fde6f", "deletedDateTime": null, "description": "Creates and manages security events.", "displayName": "Security Operator" }, { "id": "74ef975b-6605-40af-a5d2-b9539d836353", "deletedDateTime": null, "description": "Can manage settings for Microsoft Kaizala.", "displayName": "Kaizala Administrator" }, { "id": "f2ef992c-3afb-46b9-b7cf-a126ee74c451", "deletedDateTime": null, "description": "Can read everything that a global admin can read but not update anything.", "displayName": "Global Reader" }, { "id": "0964bb5e-9bdb-4d7b-ac29-58e794862a40", "deletedDateTime": null, "description": "Can create and manage all aspects of Microsoft Search settings.", "displayName": "Search Administrator" }, { "id": "8835291a-918c-4fd7-a9ce-faa49f0cf7d9", "deletedDateTime": null, "description": "Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.", "displayName": "Search Editor" }, { "id": "966707d0-3269-4727-9be2-8c3a10f19b9d", "deletedDateTime": null, "description": "Can reset passwords for non-administrators and Password Administrators.", "displayName": "Password Administrator" }, { "id": "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f", "deletedDateTime": null, "description": "Can manage all aspects of printers and printer connectors.", "displayName": "Printer Administrator" }, { "id": "e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477", "deletedDateTime": null, "description": "Can manage all aspects of printers and printer connectors.", "displayName": "Printer Technician" }, { "id": "0526716b-113d-4c15-b2c8-68e3c22b9f80", "deletedDateTime": null, "description": "Can create and manage all aspects of authentication methods and password protection policies.", "displayName": "Authentication Policy Administrator" }, { "id": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "deletedDateTime": null, "description": "Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.", "displayName": "Groups Administrator" }, { "id": "11648597-926c-4cf3-9c36-bcebb0ba8dcc", "deletedDateTime": null, "description": "Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow.", "displayName": "Power Platform Administrator" }, { "id": "e3973bdf-4987-49ae-837a-ba8e231c7286", "deletedDateTime": null, "description": "Can manage Azure DevOps organization policy and settings.", "displayName": "Azure DevOps Administrator" }, { "id": "8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2", "deletedDateTime": null, "description": "Can manage AD to Azure AD cloud provisioning and federation settings.", "displayName": "Hybrid Identity Administrator" }, { "id": "2b745bdf-0803-4d80-aa65-822c4493daac", "deletedDateTime": null, "description": "Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices.", "displayName": "Office Apps Administrator" }, { "id": "d37c8bed-0711-4417-ba38-b4abe66ce4c2", "deletedDateTime": null, "description": "Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.", "displayName": "Network Administrator" }, { "id": "31e939ad-9672-4796-9c2e-873181342d2d", "deletedDateTime": null, "description": "Can view and share dashboards and insights via the M365 Insights app.", "displayName": "Insights Business Leader" }, { "id": "3d762c5a-1b6c-493f-843e-55a3b42923d4", "deletedDateTime": null, "description": "Can perform management related tasks on Teams certified devices.", "displayName": "Teams Devices Administrator" }, { "id": "c430b396-e693-46cc-96f3-db01bf8bb62a", "deletedDateTime": null, "description": "Can create and manage all aspects of attack simulation campaigns.", "displayName": "Attack Simulation Administrator" }, { "id": "9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f", "deletedDateTime": null, "description": "Can create attack payloads that an administrator can initiate later.", "displayName": "Attack Payload Author" }, { "id": "75934031-6c7e-415a-99d7-48dbd49e875e", "deletedDateTime": null, "description": "Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score.", "displayName": "Usage Summary Reports Reader" }, { "id": "b5a8dcf3-09d5-43a9-a639-8e29ef291470", "deletedDateTime": null, "description": "Can configure knowledge, learning and other intelligent features.", "displayName": "Knowledge Administrator" }, {p "id": "744ec460-397e-42ad-a462-8b3f9747a02c", "deletedDateTime": null, "description": "Has access to topic management dashboard and can manage content.", "displayName": "Knowledge Manager" }, { "id": "8329153b-31d0-4727-b945-745eb3bc5f31", "deletedDateTime": null, "description": "Can manage domain names in cloud and on-premises.", "displayName": "Domain Name Administrator" }, { "id": "31392ffb-586c-42d1-9346-e59415a2cc4e", "deletedDateTime": null, "description": "Can create or update Exchange Online recipients within the Exchange Online organization.", "displayName": "Exchange Recipient Administrator" } ] }
查看评论 (1)
你好,在getuser的时候返回error是什么原因呢?
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
以下三个权限也都给了的。
Directory.ReadWrite.All
User.ReadWrite.All
RoleManagement.ReadWrite.Directory
谢谢!