Add-AipServiceSuperUser

Adds a super user to Azure Information Protection.

Syntax

EmailAddress

Add-AipServiceSuperUser
    -EmailAddress <String>
    [<CommonParameters>]

SvcPrincipalId

Add-AipServiceSuperUser
    -ServicePrincipalId <String>
    [<CommonParameters>]

Description

The Add-AipServiceSuperUser cmdlet adds an individual account to the super user list for your organization. This operation makes the account an owner for all content that is protected by your organization. This means that these super users can decrypt this rights-protected content and remove rights-protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.

However, before a super user can do these operations, the super user feature for Azure Information Protection must be enabled by using the Enable-AipServiceSuperUserFeature cmdlet. By default, the super user feature is not enabled.

Specify the account by email address or service principal ID. To specify a user who does not have an email address, specify their User Principal Name instead. For more information, see Preparing users and groups for Azure Information Protection.

To specify a group rather than individual users, use the Set-AipServiceSuperUserGroup cmdlet instead of this Add-AipServiceSuperUser cmdlet.

You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.

Examples

Example 1: Add a user as a super user

PS C:\>Add-AipServiceSuperUser -EmailAddress "EvanNarvaez@Contoso.com"

This command adds an individual user to your organization's super user list for Azure Information Protection, by specifying the user's email address.

Example 2: Add a service principal as a super user

PS C:\>Add-AipServiceSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25"

This command adds a service principal to your organization's super user list for Azure Information Protection, by specifying the service principal's AppPrincipalId.

Parameters

-EmailAddress

Specifies the email address of a user in your organization to grant this user super user privileges.

Parameter properties

Type: String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

EmailAddress
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-ServicePrincipalId

Specifies the AppPrincipalId of the service principal in your organization to grant this account super user privileges. Use the Get-MsolServicePrincipal cmdlet to get an existing service principal, or the New-MsolServicePrincipalCredential cmdlet to create a new service principal.

The service principal ID is converted to a pseudo-email address and added to the super user list for the organization. For example, Add-AipServiceSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25" adds 3C367900-44D1-4865-9379-9A3227042C25@<AIPService tenant ID>.aipservice.na.aadrm.com to the super user list.

You can remove the service principal from the super user list by using the Remove-AipServiceSuperUser cmdlet and this pseudo-email address. You can use the Get-AipServiceSuperUser cmdlet to verify the email address.

Parameter properties

Type: String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

SvcPrincipalId
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
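
Because a service principal appears on the super user list under the pseudo-email address described above, a review of that list has to map those entries back to their AppPrincipalId. The following is an added example, not part of the original reference: a hypothetical helper, Compare-SuperUserList, that checks a list of super user addresses against an approved list. The all-zero tenant ID, the unapproved sample address, region labels other than "na", and the treatment of Get-AipServiceSuperUser output as address strings are assumptions.

```powershell
# Added example (hypothetical helper, not part of the AIPService module).
function Compare-SuperUserList {
    param(
        [string[]]$Current,                          # entries from the super user list
        [string[]]$ApprovedEmail = @(),              # approved email addresses or UPNs
        [string[]]$ApprovedServicePrincipalId = @()  # approved AppPrincipalIds
    )
    # Pseudo-email form from the page:
    #   <AppPrincipalId>@<AIPService tenant ID>.aipservice.na.aadrm.com
    # Accepting region labels other than "na" is an assumption.
    $guid = '[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}'
    $spPattern = "^(?<id>$guid)@[^.@]+\.aipservice\.[^.@]+\.aadrm\.com$"

    foreach ($entry in $Current) {
        $address = $entry.Trim()
        # -match and -contains are case-insensitive for strings by default.
        if ($address -match $spPattern) {
            $kind = 'ServicePrincipal'
            $approved = $ApprovedServicePrincipalId -contains $Matches['id']
        } else {
            $kind = 'User'
            $approved = $ApprovedEmail -contains $address
        }
        [pscustomobject]@{ Address = $address; Kind = $kind; Approved = $approved }
    }
}

# Constructed sample data (placeholders, not real accounts). In a live session
# $current would be taken from Get-AipServiceSuperUser; treating that cmdlet's
# output as plain address strings is an assumption.
$current = @(
    'EvanNarvaez@Contoso.com',
    'unknown.admin@contoso.com',
    '3C367900-44D1-4865-9379-9A3227042C25@00000000-0000-0000-0000-000000000000.aipservice.na.aadrm.com'
)

$report = Compare-SuperUserList -Current $current `
    -ApprovedEmail 'evannarvaez@contoso.com' `
    -ApprovedServicePrincipalId '3c367900-44d1-4865-9379-9a3227042c25'

$report | Format-Table -AutoSize

# Entries that are not on the approved list are candidates for review and,
# if unjustified, for Remove-AipServiceSuperUser -EmailAddress <Address>.
$report | Where-Object { -not $_.Approved }
```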

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.