Add-AadrmSuperUser

Adds a super user to Rights Management.

Syntax

Add-AadrmSuperUser
   -EmailAddress <String>
   [<CommonParameters>]
Add-AadrmSuperUser
   -ServicePrincipalId <String>
   [<CommonParameters>]

Description

Note

This cmdlet from the AADRM module is now deprecated. After July 15, 2020, this cmdlet name will be supported only as an alias to its replacement in the AIPService module.

For more information, see the overview page.

The Add-AadrmSuperUser cmdlet adds an individual account to the super user list for your organization. This operation makes the account a Rights Management owner for all content that is protected by your organization. This means that these super users can decrypt this rights-protected content and remove rights-protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.

However, before a super user can do these operations, the super user feature for Azure Rights Management must be enabled by using the Enable-AadrmSuperUserFeature cmdlet. By default, the super user feature is not enabled.

Specify the account by email address or service principal ID. To specify a user who does not have an email address, specify their User Principal Name instead. For more information, see Preparing users and groups for Azure Information Protection.

To specify a group rather than individual users, use the Set-AadrmSuperUserGroup cmdlet instead of this Add-AadrmSuperUser cmdlet.

You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.
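The steps above (enable the feature, add the account, verify the list) as one PowerShell session. This is an added example, not part of the original reference page: it assumes the AADRM module is installed, that Connect-AadrmService has been run, that Get-AadrmSuperUserFeature returns the string "Enabled" or "Disabled", and that Get-AadrmSuperUser returns email addresses as plain strings.

```powershell
# Added example (not from the original page): enable the super user feature
# if needed, add one super user by email address, then read the list back.
# Assumes the AADRM module is installed and Connect-AadrmService has been run.
# Assumes Get-AadrmSuperUserFeature returns "Enabled" or "Disabled" and
# Get-AadrmSuperUser returns plain strings (neither is documented on this page).

Connect-AadrmService

$userEmail = "EvanNarvaez@Contoso.com"   # sample value taken from Example 1 on this page

# Super users cannot decrypt anything until the feature is enabled (disabled by default).
if ((Get-AadrmSuperUserFeature) -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# Skip the add if the account is already listed, so the script is safe to re-run.
$before = Get-AadrmSuperUser
if ($before -contains $userEmail) {
    Write-Host "$userEmail is already a super user."
} else {
    Add-AadrmSuperUser -EmailAddress $userEmail
}

# Verify the change took effect and keep a dated copy of the list for review.
$after = Get-AadrmSuperUser
if ($after -notcontains $userEmail) {
    throw "Super user add did not take effect for $userEmail"
}
$after | Out-File -FilePath ".\superusers-$(Get-Date -Format yyyyMMdd).txt"
```

Reading the list back with Get-AadrmSuperUser after every change is the only confirmation available, since no portal shows this configuration.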

Examples

Example 1: Add a user as a super user

PS C:\>Add-AadrmSuperUser -EmailAddress "EvanNarvaez@Contoso.com"

This command adds an individual user to your organization's super user list for the Azure Rights Management service, by specifying the user's email address.

Example 2: Add a service principal as a super user

PS C:\>Add-AadrmSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25"

This command adds a service principal to your organization's super user list for the Azure Rights Management service, by specifying the service principal's AppPrincipalId.

Parameters

-EmailAddress

Specifies the email address of a user in your organization to grant this user super user privileges.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-ServicePrincipalId

Specifies the AppPrincipalId of the service principal in your organization to grant this account super user privileges. Use the Get-MsolServicePrincipal cmdlet to get an existing service principal, or the New-MsolServicePrincipalCredential cmdlet to create a new service principal.

The service principal ID is converted to a pseudo-email address and added to the super user list for the organization. For example, Add-AadrmSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25" adds 3C367900-44D1-4865-9379-9A3227042C25@<rms tenant ID>.rms.na.aadrm.com to the super user list.

You can remove the service principal from the super user list by using the Remove-AadrmSuperUser cmdlet and this pseudo-email address. You can use the Get-AadrmSuperUser cmdlet to verify the email address.
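The service principal flow described above, from lookup to the pseudo-email entry, as an added PowerShell example that is not part of the original page. It assumes the AADRM and MSOnline modules are installed, that Connect-AadrmService and Connect-MsolService have been run, and that Get-AadrmSuperUser returns the entries as plain strings; the AppPrincipalId is the sample value from Example 2.

```powershell
# Added example (not from the original page): add a service principal as a
# super user, then locate its pseudo-email entry for verification or removal.
# Assumes the AADRM and MSOnline modules are installed and that
# Connect-AadrmService and Connect-MsolService have both been run.
# Assumes Get-AadrmSuperUser returns plain strings (not documented on this page).

$appId = "3C367900-44D1-4865-9379-9A3227042C25"   # sample value from Example 2 on this page

# Confirm the service principal exists before granting it super user rights.
$sp = Get-MsolServicePrincipal -AppPrincipalId $appId
if (-not $sp) {
    throw "No service principal with AppPrincipalId $appId was found"
}

Add-AadrmSuperUser -ServicePrincipalId $appId

# The entry is stored as <appId>@<rms tenant ID>.rms.na.aadrm.com, so match on
# the AppPrincipalId prefix rather than hard-coding the tenant part.
$entry = Get-AadrmSuperUser | Where-Object { $_ -like "$appId@*" }
if (-not $entry) {
    throw "No super user entry found for service principal $appId"
}
Write-Host "Super user entry for '$($sp.DisplayName)': $entry"

# Removal takes the pseudo-email address, not the AppPrincipalId.
# Uncomment when the service principal no longer needs super user access:
# Remove-AadrmSuperUser -EmailAddress $entry
```

Keeping the removal line in the same script makes the pseudo-email address, which is otherwise easy to lose track of, available where it is needed.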

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False