
Windows Azure AD Graph and Role-Based Access Control

This topic outlines the role-based access control (RBAC) that is used to restrict access to Windows Azure AD objects when working with Windows Azure AD Graph.

Windows Azure AD Graph relies on Windows Azure AD tenant roles to control access to Windows Azure AD entities. To grant an application either read-write or read-only access to the Windows Azure AD entities in your organization, add the service principal that represents the application to one of the built-in roles in the following table. Grant Directory Readers unless the application actually needs to write to the directory; the write role can modify most accounts in the tenant.


Windows Azure AD role | Windows Azure AD Graph permissions
User Management Administrator | Full read-write permissions on directory objects, except service principals and accounts that are in the Company Administrator role. Cannot add accounts to, remove accounts from, or update accounts in the Company Administrator role.
Directory Readers | Read-only permissions.

Use the Office 365 Windows PowerShell Add-MsolRoleMember cmdlet to add a service principal to one of the built-in roles. Pass the role by the name that Get-MsolRole reports; for the User Management Administrator role in the table above, that name is "User Account Administrator". (Use the Get-MsolServicePrincipal cmdlet to get the ObjectId of the service principal to pass in the RoleMemberObjectId parameter. The ObjectId is not the same value as the AppPrincipalId, the application's client ID.)

Add-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId d71 … ea

Important
You must specify the RoleMemberType parameter when adding a service principal to a role; otherwise the cmdlet returns an error.

Important
You must be a member of the Company Administrator role to add a service principal to a role.
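The following script is an added example, not code from the original page or from Microsoft: it carries out the procedure above end to end, resolving the service principal by its AppPrincipalId, defaulting to the read-only Directory Readers role, adding the principal only if it is not already a member, and then listing every service principal in the role so that unexpected members are visible. It assumes the MSOnline module is installed, that you sign in as a Company Administrator, and that $AppId (a parameter name chosen here) holds your application's client ID.

```powershell
# Added example (not part of the original page). Assumes the MSOnline module is
# installed, that Connect-MsolService is answered with Company Administrator
# credentials, and that $AppId is the application's AppPrincipalId (client ID).
param(
    [Parameter(Mandatory = $true)]
    [string] $AppId,

    # Least privilege by default: Directory Readers is read-only. Pass
    # "User Account Administrator" (the name Get-MsolRole reports for the
    # read-write role) only if the application must write to the directory.
    [ValidateSet("Directory Readers", "User Account Administrator")]
    [string] $RoleName = "Directory Readers"
)

Import-Module MSOnline
Connect-MsolService   # prompts for Company Administrator credentials

# Resolve the service principal. AppPrincipalId is the client ID; ObjectId is
# the value the role cmdlets expect in -RoleMemberObjectId.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppId
if (-not $sp) {
    throw "No service principal found for AppPrincipalId $AppId"
}

# Resolve the role by its directory name and make the operation idempotent:
# re-running the script must not error on an existing membership.
$role = Get-MsolRole -RoleName $RoleName
$existing = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($existing) {
    Write-Output "$($sp.DisplayName) is already a member of '$RoleName'."
}
else {
    # -RoleMemberType ServicePrincipal is required; omitting it fails.
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
        -RoleMemberType ServicePrincipal `
        -RoleMemberObjectId $sp.ObjectId
    Write-Output "Added $($sp.DisplayName) to '$RoleName'."
}

# Verify: every service principal holding this role. Review this list for
# applications that no longer need the role, and remove them with
# Remove-MsolRoleMember using the same -RoleMemberType and -RoleMemberObjectId.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "ServicePrincipal" } |
    Select-Object DisplayName, ObjectId, RoleMemberType
```

Run it as `.\Grant-AppRole.ps1 -AppId <client-id>` for read-only access, or add `-RoleName "User Account Administrator"` when the application genuinely needs to write. Filtering on $_.ObjectId before calling Add-MsolRoleMember is what keeps the script safe to re-run from automation.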

Read more about the Office 365 PowerShell cmdlets that are used to manage group and role memberships in Manage group and role membership. For more information about how to create a service principal, see Windows Azure AD Graph Authentication.


© 2013 Microsoft. All rights reserved.