Question: How do I remove the "Security Administrator" role?
I am using the Java API to assign "Security Administrator".
The Java code is shown below.
final DirectoryObject dirObjectCreated = Objects.requireNonNull(graphClient
        .directoryRoles(ROLE_TEMPLATE_ID + "=" + SECURITY_ADMIN_TEMPLATE_ID)
        .members()
        .references())
    .buildRequest()
    .post(directoryObject);
This works fine.
When I try to remove this "Security Administrator", I get the error
Removing self from Global Administrator built-in role is not allowed.
I tried the following URL
Method: DELETE
URL: https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/y-RKG-FULL-ID
It seems that deleting the role is not allowed. I looked at Example 11 at this link: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-assign-graph
The link in Example 11 says
We prevent users from deleting their own Global Administrator role to avoid a scenario where a tenant has zero Global Administrators. Removing other roles assigned to self is allowed.
My token has the following roles
"roles": [
"Mail.ReadWrite",
"Domain.ReadWrite.All",
"Group.Read.All",
"Directory.Read.All",
"User.Read.All",
"Domain.Read.All",
"RoleManagement.ReadWrite.Directory",
"Application.Read.All"
]
I believe everything you did is correct, but this looks like a bug to me. I can reproduce the issue. If it is urgent, I suggest you open a support ticket.
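A diagnostic check for the situation discussed above, as an added example that is not part of the original question or answer: it compares the caller's token with the role assignment being deleted to see whether the guard quoted from the documentation (self plus Global Administrator) should apply at all. The sample token, the assignment object and the helper names are constructed for illustration; the token is decoded without signature verification, so this is for troubleshooting only.

```python
import base64
import json

# Template ID of the built-in Global Administrator role (same in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
WRITE_PERMISSION = "RoleManagement.ReadWrite.Directory"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_delete(token: str, assignment: dict) -> dict:
    """Check whether deleting this assignment matches the documented guard."""
    claims = jwt_claims(token)
    caller = str(claims.get("oid", "")).lower()  # object ID of the calling user/app
    is_self = caller != "" and assignment["principalId"].lower() == caller
    is_global_admin = assignment["roleDefinitionId"].lower() == GLOBAL_ADMIN_ROLE_ID
    return {
        "caller_is_principal": is_self,
        "role_is_global_admin": is_global_admin,
        "guard_expected": is_self and is_global_admin,
        "has_write_permission": WRITE_PERMISSION in claims.get("roles", []),
    }


# Constructed sample data: an unsigned token and a roleAssignment object.
SAMPLE_TOKEN = ".".join([
    b64url(b'{"alg":"none"}'),
    b64url(json.dumps({"oid": "11111111-1111-1111-1111-111111111111",
                       "roles": ["Directory.Read.All", WRITE_PERMISSION]}).encode()),
    "",
])
SAMPLE_ASSIGNMENT = {
    "id": "constructed-assignment-id",
    "principalId": "11111111-1111-1111-1111-111111111111",
    "roleDefinitionId": "22222222-2222-2222-2222-222222222222",  # placeholder, not Global Administrator
    "directoryScopeId": "/",
}

if __name__ == "__main__":
    print(diagnose_delete(SAMPLE_TOKEN, SAMPLE_ASSIGNMENT))
```

If `guard_expected` is false while the DELETE still returns the Global Administrator error, that is evidence worth attaching to a support ticket.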