Add-AadrmSuperUser

Adds a super user to Rights Management.

Syntax

Add-AadrmSuperUser
   -EmailAddress <String>
   [<CommonParameters>]
Add-AadrmSuperUser
   -ServicePrincipalId <String>
   [<CommonParameters>]

Description

The Add-AadrmSuperUser cmdlet adds an individual account to the super user list for your organization. This operation makes the account a Rights Management owner of all content that is protected by your organization, which means the super user can decrypt any of that rights-protected content and remove the protection from it, even if an expiration date was set and has already passed. Typically, this level of access is required for legal eDiscovery and by auditing teams.

However, before a super user can do these operations, the super user feature for Azure Rights Management must be enabled by using the Enable-AadrmSuperUserFeature cmdlet. By default, the super user feature is not enabled. Because every account on the list can read all protected content in the tenant, keep the list as short as possible, enable the feature only while it is needed, and review the current list with the Get-AadrmSuperUser cmdlet.

Specify the account by email address or service principal ID. To specify a user who does not have an email address, specify their User Principal Name instead. For more information, see Preparing users and groups for Azure Information Protection.

To specify a group rather than individual users, use the Set-AadrmSuperUserGroup cmdlet instead of this Add-AadrmSuperUser cmdlet.

You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.

Examples

Example 1: Add a user as a super user

PS C:\>Add-AadrmSuperUser -EmailAddress "EvanNarvaez@Contoso.com"

This command adds an individual user to your organization's super user list for the Azure Rights Management service, by specifying the user's email address.

Example 2: Add a service principal as a super user

PS C:\>Add-AadrmSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25"

This command adds a service principal to your organization's super user list for the Azure Rights Management service, by specifying the service principal's AppPrincipalId.
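The following script is an added example and is not from the original page. It strings together the steps described above: it enables the super user feature if it is off, adds one user by email address, adds one service principal by looking up its AppPrincipalId with Get-MsolServicePrincipal instead of pasting a GUID by hand, and then verifies with Get-AadrmSuperUser that the service principal appears under the pseudo-email address described for the -ServicePrincipalId parameter. It assumes the AADRM and MSOnline modules are installed, that the connection cmdlets prompt for credentials, and that Get-AadrmSuperUser returns the addresses as strings; the email address and the service principal name are placeholders.

```powershell
# Added example (not Microsoft's code). Placeholders: the user's email address
# and the service principal name. Assumes the AADRM and MSOnline modules are
# installed and that the two Connect-* cmdlets prompt for credentials.

# 1. Connect to the Azure Rights Management service and to Azure AD (MSOnline).
Connect-AadrmService
Connect-MsolService

# 2. The super user feature is disabled by default. Enable it only if needed:
#    everyone on the list can decrypt all protected content in the tenant.
#    (Assumes Get-AadrmSuperUserFeature reports 'Enabled' or 'Disabled'.)
if ("$(Get-AadrmSuperUserFeature)" -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# 3. Add an individual eDiscovery account by email address.
$userAddress = 'EvanNarvaez@Contoso.com'   # placeholder
Add-AadrmSuperUser -EmailAddress $userAddress

# 4. Add a service principal. Resolve it by name so the wrong app cannot be
#    granted rights through a mistyped GUID; stop if the lookup returns nothing.
$spn = 'EdiscoveryConnector/contoso.com'   # placeholder service principal name
$sp  = Get-MsolServicePrincipal -ServicePrincipalName $spn
if (-not $sp) {
    throw "Service principal '$spn' not found; nothing was added."
}
Add-AadrmSuperUser -ServicePrincipalId $sp.AppPrincipalId

# 5. Verify. The service principal is listed as the pseudo-email address
#    <AppPrincipalId>@<rms tenant ID>.rms.na.aadrm.com (as on this page), so
#    match on the AppPrincipalId prefix. Assumes Get-AadrmSuperUser emits strings.
$superUsers = Get-AadrmSuperUser
$superUsers

$spEntry = $superUsers | Where-Object { $_ -like "$($sp.AppPrincipalId)@*" }
if (-not $spEntry) {
    throw "Service principal $($sp.AppPrincipalId) is not on the super user list."
}

# 6. Record the pseudo-email address: it is the value Remove-AadrmSuperUser
#    needs when the service principal's access is no longer required.
Write-Output "Service principal pseudo-address: $spEntry"
# Remove-AadrmSuperUser -EmailAddress $spEntry
```

Step 4 is the check worth keeping: Add-AadrmSuperUser accepts any GUID string, so resolving the service principal by name and failing closed when the lookup is empty prevents granting tenant-wide decryption rights to a typo.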

Required Parameters

-EmailAddress

Specifies the email address of the user in your organization who is granted super user privileges.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ServicePrincipalId

Specifies the AppPrincipalId of the service principal in your organization that is granted super user privileges. Use the Get-MsolServicePrincipal cmdlet to get an existing service principal, or the New-MsolServicePrincipal cmdlet to create a new one (New-MsolServicePrincipalCredential adds a credential to a service principal that already exists).

The service principal ID is converted to a pseudo-email address and added to the super user list for the organization. For example, Add-AadrmSuperUser -ServicePrincipalId "3C367900-44D1-4865-9379-9A3227042C25" adds 3C367900-44D1-4865-9379-9A3227042C25@<rms tenant ID>.rms.na.aadrm.com to the super user list.

You can remove the service principal from the super user list by using the Remove-AadrmSuperUser cmdlet and this pseudo-email address. You can use the Get-AadrmSuperUser cmdlet to verify the email address.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False