<p>A good article on this can be found here: <a href="https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/" rel="nofollow noreferrer">https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/</a></p>
<p>The code is as follows:</p>
<pre><code># Fetch the User Account Administrator role instance
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'User Account Administrator'}

# If the role instance does not exist yet, activate it from the role template
if ($null -eq $role) {
    # Instantiate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq 'User Account Administrator'}
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

    # Fetch the User Account Administrator role instance again, now that it exists
    $role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'User Account Administrator'}
}

# Now that we have the object ID of the AAD role instance, we need the object ID of the
# enterprise application's service principal as well. $BeckeChB2Cs0v1GraphApiAdSPN is
# assumed to already hold that service principal (e.g. returned by Get-AzureADServicePrincipal).
# Add the service principal as a member of the role:
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $BeckeChB2Cs0v1GraphApiAdSPN.ObjectId
</code></pre>
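<p>The same procedure, generalized into a reusable function, as an added example that is not part of the original answer or the linked article. It takes any directory role display name and the service principal's object ID, activates the role template only when no role instance exists yet, skips the assignment if the service principal is already a member, and finishes by listing the current members so the (privileged) change can be reviewed. The function name <code>Add-ServicePrincipalToDirectoryRole</code>, the parameters and the sample role/service principal values are assumptions for illustration; the cmdlets are the AzureAD module's own.</p>

```powershell
# Added example (not from the original answer): assign an enterprise application's
# service principal to an Azure AD directory role, activating the role if needed.
# Requires the AzureAD module and an existing session (Connect-AzureAD).
function Add-ServicePrincipalToDirectoryRole {
    [CmdletBinding()]
    param(
        # Display name of the directory role, e.g. 'User Account Administrator'
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        # Object ID of the service principal (Get-AzureADServicePrincipal ...).ObjectId
        [Parameter(Mandatory)] [string] $ServicePrincipalObjectId
    )

    # Verify the service principal exists before touching any privileged role
    $spn = Get-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId
    if ($null -eq $spn) {
        throw "Service principal '$ServicePrincipalObjectId' not found"
    }

    # Look for an activated instance of the role
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }

    if ($null -eq $role) {
        # No instance yet: activate the role from its template
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleDisplayName }
        if ($null -eq $template) {
            throw "No directory role template named '$RoleDisplayName'"
        }
        Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    }

    # Idempotency: do not add a member that is already present
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $spn.ObjectId) {
        Write-Verbose "'$($spn.DisplayName)' is already a member of '$RoleDisplayName'"
    }
    else {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $spn.ObjectId
        Write-Verbose "Added '$($spn.DisplayName)' to '$RoleDisplayName'"
    }

    # Return the resulting membership so the assignment can be reviewed/audited
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Select-Object ObjectId, ObjectType, DisplayName
}

# Usage (values are placeholders, not from the original post):
# Connect-AzureAD
# $spn = Get-AzureADServicePrincipal -SearchString 'My Enterprise App'
# Add-ServicePrincipalToDirectoryRole -RoleDisplayName 'User Account Administrator' `
#     -ServicePrincipalObjectId $spn.ObjectId -Verbose
```

<p>Returning the full member list at the end is deliberate: a directory role such as User Account Administrator is a privileged assignment, so the output makes it easy to confirm that only the intended service principal was added and to record the change.</p>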