How-To: Manage Role-Based Access Control When Using Windows Azure AD Graph
Applies To
- Windows Azure Active Directory (AD) Graph
Summary
This how-to article provides step-by-step procedures and Office 365 Windows PowerShell code snippets required for performing role-based access control (RBAC) when using Windows Azure AD Graph.
Contents
- Prerequisites
- Objectives
- Overview
- Summary of Steps
- Step 1 – Display the service principals that are members of a role
- Step 2 – Add a service principal to a role
- Step 3 – Remove a service principal from a role
Prerequisites
The following are required to perform the steps in this example.
- A Windows Azure AD tenant. For more information, see Windows Azure Active Directory Graph Prerequisites.
- You must have the Office 365 Windows PowerShell cmdlets installed. For more information, see Windows Azure Active Directory Graph Prerequisites.
- Your Windows Azure AD user account should be in the Company Administrator role. This role enables you to perform create, read, update, and delete operations on service principals, and also to add or remove them from administrator roles.
Objectives
- Display the service principals that are members of a specified administrator role.
- Add a service principal to an administrator role.
- Remove a service principal from an administrator role.
Overview
You use Windows Azure Active Directory (AD) tenant roles to control access to Windows Azure AD entities. In order for your Windows Azure AD Graph-enabled application to access Windows Azure AD entities, the service principal that represents it must be a member of an administrator role. By adding the service principal to an appropriate role, you can enable read-only or read-write access to Windows Azure AD entities by your application. For information about the Windows Azure AD roles that you can use with your service principal, see Windows Azure AD Graph and Role-Based Access Control. For information about how to create a service principal, see How-To: Authenticate To Windows Azure AD Graph Using Windows Azure AD Access Control.
You use Office 365 Windows PowerShell cmdlets to manage the roles associated with a service principal. With these cmdlets, you can add, read, remove and update the role memberships of your service principal.
Summary of Steps
- Step 1 – Display the service principals that are members of a role
- Step 2 – Add a service principal to a role
- Step 3 – Remove a service principal from a role
Step 1: Display the service principals that are members of a role
This step shows you how to display the service principals that are members of a role. The Get-MsolRoleMember cmdlet can be used to retrieve all of the service principals that belong to a specified role.
To display the service principals that belong to a role
- From your desktop, click the Microsoft Online Services Module shortcut to open a Windows PowerShell workspace that has the Office 365 cmdlets. Alternatively, you can load the Office 365 cmdlets manually by typing import-module MSOnline at the Windows PowerShell command prompt.
- Run the following command to initiate a connection to Microsoft Online.

C:\PS> Connect-MsolService

- Run the Get-MsolRole cmdlet to get the object ID for each of the Windows Azure AD tenant roles. You will need the object ID of the role for the -RoleObjectId parameter of the Get-MsolRoleMember cmdlet in the next step.

C:\PS> Get-MsolRole

ObjectId                             Name                          Description
--------                             ----                          -----------
62e90394-69f5-4237-9190-012177145e10 Company Administrator         Company Administrator role has full access to perform any operation in the...
729827e3-9c14-49f7-bb1b-9608f156bbb8 Helpdesk Administrator        Helpdesk Administrator has access to perform common helpdesk related tasks.
b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator         Billing Administrator has access to perform common billing related tasks.
f023fd81-a637-4b56-95fd-791ac0226033 Service Support Administrator Service Support Administrator has access to perform common support tasks.
fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator    User Account Administrator has access to perform common user management re...

- Run the Get-MsolRoleMember cmdlet to get the service principals that are members of a role. Specify the appropriate object ID in the RoleObjectId parameter and be sure to specify ServicePrincipal in the MemberObjectType parameter; without that filter the cmdlet also returns user and group members. For example, the following command returns all the service principals that are in the User Account Administrator role; your output will reflect the service principals in your directory.

C:\PS> Get-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -MemberObjectType ServicePrincipal

RoleMemberType   EmailAddress DisplayName      isLicensed
--------------   ------------ -----------      ----------
ServicePrincipal              Test Application
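The step above queries one role at a time. The following script, an added example that is not part of the original article, walks every tenant role returned by Get-MsolRole, collects the service principal members of each, and flags any that hold Company Administrator, the role whose membership a reviewer should question first. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the function name Get-ServicePrincipalRoleAssignments is hypothetical.

```powershell
# Added example (not from the original article): audit every tenant role for
# service principal members and flag the ones holding Company Administrator.
# Assumes the MSOnline module is available and Connect-MsolService has run.
Import-Module MSOnline

function Get-ServicePrincipalRoleAssignments {
    $assignments = @()
    foreach ($role in Get-MsolRole) {
        # Restrict the query to service principals; users and groups are not the concern here.
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -MemberObjectType ServicePrincipal
        foreach ($member in $members) {
            $assignments += [pscustomobject]@{
                RoleName       = $role.Name
                RoleObjectId   = $role.ObjectId
                DisplayName    = $member.DisplayName
                MemberObjectId = $member.ObjectId
                # Company Administrator has full access to the tenant; an application
                # rarely needs it, so those assignments are reviewed first.
                HighPrivilege  = ($role.Name -eq 'Company Administrator')
            }
        }
    }
    return $assignments
}

$report = Get-ServicePrincipalRoleAssignments
$report |
    Sort-Object HighPrivilege -Descending |
    Format-Table RoleName, DisplayName, MemberObjectId, HighPrivilege -AutoSize

$flagged = @($report | Where-Object { $_.HighPrivilege })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} service principal(s) hold Company Administrator; confirm each is intended." -f $flagged.Count)
}
```

Run it periodically and diff the output against the previous run to catch role memberships that were added outside your change process.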
Step 2: Add a service principal to a role
This step shows you how to add a service principal to a role. The Add-MsolRoleMember cmdlet is used to add a service principal to a role.
To add a service principal to a role
- From your desktop, click the Microsoft Online Services Module shortcut to open a Windows PowerShell workspace that has the Office 365 cmdlets. Alternatively, you can load the Office 365 cmdlets manually by typing import-module MSOnline at the Windows PowerShell command prompt.
- Run the following command to initiate a connection to Microsoft Online.

C:\PS> Connect-MsolService

- Run the Add-MsolRoleMember cmdlet. Be sure to specify ServicePrincipal for the RoleMemberType parameter. Your command should look similar to the following; some of your parameters will be different.

This command adds the specified service principal to the User Account Administrator role, which grants the service principal (and the application it represents) read-write privileges on Windows Azure AD entities.

C:\PS> Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName "User Account Administrator" -RoleMemberObjectId 774abbb6-76f8-4e27-98b5-001ec1cb94e9

Important You must specify the RoleMemberType parameter when adding a service principal to a role or an error occurs.

The RoleMemberObjectId parameter contains the service principal's object ID, which can be retrieved using the following Office 365 cmdlet.

C:\PS> Get-MsolServicePrincipal -AppPrincipalId 584aac2a-e932-4337-9352-2255c52686bb

ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled        : True
AppPrincipalId        : 584aac2a-e932-4337-9352-2255c52686bb
DisplayName           : myapp1
ObjectId              : 774abbb6-76f8-4e27-98b5-001ec1cb94e9
ServicePrincipalNames : {appClass/MyApp9.com}
TrustedForDelegation  : False

Note You must have the MSOnlineExtended module loaded into your workspace to use the Get-MsolServicePrincipal cmdlet. To load this module, type import-module msonlineextended -force at the Windows PowerShell command prompt.

Note You can specify the service principal in a number of different ways to the Get-MsolServicePrincipal cmdlet; for example, you can also use the service principal name (SPN). For more information about the Get-MsolServicePrincipal cmdlet, type get-help get-msolserviceprincipal -detailed at the Windows PowerShell command prompt.
Step 3: Remove a service principal from a role
This step is required only when you want to remove a service principal from a role. The Remove-MsolRoleMember cmdlet is used to remove a role member from an administrator role.
To remove a service principal from a role
- From your desktop, click the Microsoft Online Services Module shortcut to open a Windows PowerShell workspace that has the Office 365 cmdlets. Alternatively, you can load the Office 365 cmdlets manually by typing import-module MSOnline at the Windows PowerShell command prompt.
- Run the following command to initiate a connection to Microsoft Online.

C:\PS> Connect-MsolService

- Run the Remove-MsolRoleMember cmdlet. Be sure to specify ServicePrincipal for the RoleMemberType parameter. Your command should look similar to the following; some of your parameters will be different:

C:\PS> Remove-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId 774abbb6-76f8-4e27-98b5-001ec1cb94e9
The RoleMemberObjectId parameter contains the object ID of the service principal, which can be retrieved as shown in Step 2: Add a service principal to a role.
Important You must specify the RoleMemberType parameter when removing a service principal from a role or an error occurs.
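Steps 2 and 3 each issue a single add or remove command. The following function, an added example that is not part of the original article, wraps both: it resolves the service principal by AppPrincipalId, checks current membership so that re-running it changes nothing, always passes -RoleMemberType ServicePrincipal (the omission the Important notes warn about), and re-reads the role after the change so the caller sees what the directory actually recorded. It assumes MSOnline and MSOnlineExtended are loaded and Connect-MsolService has already been run; the function name Set-ServicePrincipalRoleMembership and the AppPrincipalId value at the bottom are placeholders.

```powershell
# Added example (not from the original article): idempotent add/remove of a
# service principal's role membership with a post-change verification.
# Assumes MSOnline and MSOnlineExtended are available and Connect-MsolService has run.
Import-Module MSOnline
Import-Module MSOnlineExtended -Force

function Set-ServicePrincipalRoleMembership {
    param(
        [Parameter(Mandatory)][string]$AppPrincipalId,
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][ValidateSet('Present', 'Absent')][string]$State
    )
    $sp = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId
    if (-not $sp) { throw "No service principal found for AppPrincipalId $AppPrincipalId" }
    $role = Get-MsolRole -RoleName $RoleName
    if (-not $role) { throw "No tenant role named '$RoleName'" }

    # Compare against current membership so repeated runs change nothing.
    $isMember = [bool](Get-MsolRoleMember -RoleObjectId $role.ObjectId -MemberObjectType ServicePrincipal |
                       Where-Object { $_.ObjectId -eq $sp.ObjectId })

    if ($State -eq 'Present' -and -not $isMember) {
        # RoleMemberType is required for service principals; omitting it raises an error.
        Add-MsolRoleMember -RoleName $RoleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
    } elseif ($State -eq 'Absent' -and $isMember) {
        Remove-MsolRoleMember -RoleName $RoleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
    } else {
        Write-Verbose "Service principal '$($sp.DisplayName)' is already $State in '$RoleName'; nothing to do."
    }

    # Re-read membership so the result reflects the directory, not the intent.
    $nowMember = [bool](Get-MsolRoleMember -RoleObjectId $role.ObjectId -MemberObjectType ServicePrincipal |
                        Where-Object { $_.ObjectId -eq $sp.ObjectId })
    if (($State -eq 'Present') -ne $nowMember) {
        throw "Membership of '$RoleName' for '$($sp.DisplayName)' did not reach state '$State'"
    }
    [pscustomobject]@{ DisplayName = $sp.DisplayName; ObjectId = $sp.ObjectId; RoleName = $RoleName; IsMember = $nowMember }
}

# Placeholder AppPrincipalId: replace with the value of your own application's service principal.
Set-ServicePrincipalRoleMembership -AppPrincipalId '00000000-0000-0000-0000-000000000000' `
    -RoleName 'User Account Administrator' -State Present -Verbose
```

Pass -State Absent to perform Step 3 with the same membership check and verification.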