Share via


Add-AipServiceSuperUser

Adds a super user to Azure Information Protection.

Syntax

Add-AipServiceSuperUser
   -EmailAddress <String>
   [<CommonParameters>]
Add-AipServiceSuperUser
   -ServicePrincipalId <String>
   [<CommonParameters>]

Description

The Add-AipServiceSuperUser cmdlet adds an individual account to the super user list for your organization. This operation makes the account an owner for all content that is protected by your organization. This means that these super users can decrypt this rights-protected content and remove rights-protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.

However, before a super user can do these operations, the super user feature for Azure Information Protection must be enabled by using the Enable-AipServiceSuperUserFeature cmdlet. By default, the super user feature is not enabled.

Specify the account by email address or service principal ID. To specify a user who does not have an email address, specify their User Principal Name instead. For more information, see Preparing users and groups for Azure Information Protection.

To specify a group rather than individual users, use the Set-AipServiceSuperUserGroup cmdlet instead of this Add-AipServiceSuperUser cmdlet.

You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.

Examples

Example 1: Add a user as a super user

PS C:\>Add-AipServiceSuperUser -EmailAddress "[email protected]"

This command adds an individual user to your organization's super user list for Azure Information Protection, by specifying the user's email address.

Example 2: Add a service principal as a super user

PS C:\>Add-AipServiceSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25"

This command adds a service principal to your organization's super user list for Azure Information Protection, by specifying the service principal's AppPrincipalId.

Parameters

-EmailAddress

Specifies the email address of a user in your organization to grant this user super user privileges.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ServicePrincipalId

Specifies the AppPrincipalId of the service principal in your organization to grant this account super user privileges. Use the Get-MsolServicePrincipal cmdlet to get an existing service principal, or the New-MsolServicePrincipalCredential cmdlet to create a new service principal.

The service principal ID is converted to a pseudo-email address and added to the super user list for the organization. For example, Add-AipServiceSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25" adds 3C367900-44D1-4865-9379-9A3227042C25@<AIPService tenant ID>.aipservice.na.aadrm.com to the super user list.

You can remove the service principal from the super user list by using the Remove-AipServiceSuperUser cmdlet and this pseudo-email address. You can use the Get-AipServiceSuperUser cmdlet to verify the email address.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False