office 365 利用api提权普通账号为管理员账号

荣誉会员

加个权限吧，免费被撸翻车
有什么用：
        仅仅可以拿来预防微软封禁管理员，也就是你自己的管理员账号被微软限制登陆了，但是子账号可以用，就通过api提升普通账号为管理员，重新获得对全局的控制权

前提：
        自己开通了权限，主要是RoleManagement.ReadWrite.Directory（务必保证权限正确开启），而且你的SPO没有被封禁（子账号的onedrive可以正常使用）
附上权限图：



官方api教程：
        https://docs.microsoft.com/en-us ... view=graph-rest-1.0

脚本运行说明：
        下载代码自己修改参数，代码需要修改的地方都有备注，自行修改即可，需要安装requests库，python3运行代码，返回204就代表成功，然后登陆子账号就可以了

测试图：






roleTemplateId可以自己修改，我设置默认为用户管理员，可以自己修改为全局管理员，

荣誉会员

1. PS C:\> Get-MsolRole
   
2. 
   
3. ObjectId                               Name                             Description
   
4. --------                               ----                             -----------
   
5. 17315797-102d-40b4-93e0-432062caca18   Compliance Administrator         Compliance administrator.
   
6. 29232cdf-9323-42fd-ade2-1d097af3e4de   Exchange Service Administrator   Exchange Service Administrator.
   
7. 4ba39ca4-527c-499a-b93d-d9b492c50246   Partner Tier1 Support            Allows ability to perform tier1 support tasks.
   
8. 62e90394-69f5-4237-9190-012177145e10   Company Administrator            Company Administrator role has full access to perform any operation in the company scope.
   
9. 729827e3-9c14-49f7-bb1b-9608f156bbb8   Helpdesk Administrator           Helpdesk Administrator has access to perform common helpdesk related tasks.
   
10. 75941009-915a-4869-abe7-691bff18279e   Lync Service Administrator       Lync Service Administrator.
    
11. 88d8e3e3-8f55-4a1e-953a-9b9898b8876b   Directory Readers                Allows access to various read only tasks in the directory.
    
12. 9360feb5-f418-4baa-8175-e2a00bac4301   Directory Writers                Allows access read tasks and a subset of write tasks in the directory.
    
13. 9c094953-4995-41c8-84c8-3ebb9b32c93f   Device Join                      Device Join
    
14. 9f06204d-73c1-4d4c-880a-6edb90606fd8   Device Administrators            Device Administrators
    
15. b0f54661-2d74-4c50-afa3-1ec803f12efe   Billing Administrator            Billing Administrator has access to perform common billing related tasks.
    
16. c34f683f-4d5a-4403-affd-6615e00e3a7f   Workplace Device Join            Workplace Device Join
    
17. d405c6df-0af8-4e3b-95e4-4d06e542189e   Device Users                     Device Users
    
18. e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8   Partner Tier2 Support            Allows ability to perform tier2 support tasks.
    
19. f023fd81-a637-4b56-95fd-791ac0226033   Service Support Administrator    Service Support Administrator has access to perform common support tasks.
    
20. f28a1f50-f6e7-4571-818b-6a12f2af6b6c   SharePoint Service Administrator SharePoint Service Administrator.
    
21. fe930be7-5e62-47db-91af-98c3a49a38b1   User Account Administrator       User Account Administrator has access to perform common user management related tasks.

复制代码

荣誉会员

1. fe930be7-5e62-47db-91af-98c3a49a38b1   
   
2. User Account Administrator      
   
3. User Account Administrator has access to perform common user management related tasks.

复制代码

1. 62e90394-69f5-4237-9190-012177145e10
   
2. Global Administrator      
   
3. Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.      

复制代码

skuid A1 教师 94763226-9b3c-4e75-a931-5c89701abe66 A1 学生 314c4481-f395-4525-be8b-2ec4bb1e9d91 A1P 教师 78e66a63-337a-4a9a-8959-41c6654dfb56 A1P 学生 e82ae690-a2d5-4d76-8d30-7c6e01e6022e 复制代码 PS C:\Users\Administrator> Connect-MsolService PS C:\Users\Administrator> Get-MsolRole ObjectId                               Name                              --------                               ----                              62e90394-69f5-4237-9190-012177145e10   Company Administrator             95e79109-95c0-4d8e-aee3-d01accf2d47b   Guest Inviter                     fe930be7-5e62-47db-91af-98c3a49a38b1   User Administrator                729827e3-9c14-49f7-bb1b-9608f156bbb8   Helpdesk Administrator            f023fd81-a637-4b56-95fd-791ac0226033   Service Support Administrator    b0f54661-2d74-4c50-afa3-1ec803f12efe   Billing Administrator             4ba39ca4-527c-499a-b93d-d9b492c50246   Partner Tier1 Support             e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8   Partner Tier2 Support             88d8e3e3-8f55-4a1e-953a-9b9898b8876b   Directory Readers                9360feb5-f418-4baa-8175-e2a00bac4301   Directory Writers                29232cdf-9323-42fd-ade2-1d097af3e4de   Exchange Administrator            f28a1f50-f6e7-4571-818b-6a12f2af6b6c   SharePoint Administrator          75941009-915a-4869-abe7-691bff18279e   Skype for Business Administrator d405c6df-0af8-4e3b-95e4-4d06e542189e   Device Users                      9f06204d-73c1-4d4c-880a-6edb90606fd8   Azure AD Joined Device Local ... 9c094953-4995-41c8-84c8-3ebb9b32c93f   Device Join                      c34f683f-4d5a-4403-affd-6615e00e3a7f   Workplace Device Join             17315797-102d-40b4-93e0-432062caca18   Compliance Administrator          d29b2b05-8046-44ba-8758-1e26182fcf32   Directory Synchronization Acc... 2b499bcd-da44-4968-8aec-78e1674fa64d   Device Managers                   9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3   Application Administrator         cf1c38e5-3621-4004-a7cb-879624dced7c   Application Developer             5d6b6bb7-de71-4623-b4af-96380a352509   Security Reader                   194ae4cb-b126-40b2-bd5b-6091b380977d   Security Administrator            e8611ab8-c189-46e8-94e1-60213ab1f814   Privileged Role Administrator    3a2c62db-5318-420d-8d74-23affee5d9d5   Intune Administrator             158c047a-c907-4556-b7ef-446551a6b5f7   Cloud Application Administrator   5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91   Customer LockBox Access Approver 44367163-eba1-44c3-98af-f5787879f96a   Dynamics 365 Administrator       a9ea8996-122f-4c74-9520-8edcd192826c   Power BI Administrator            b1be1c3e-b65d-4f19-8427-f6fa0d97feb9   Conditional Access Administrator 4a5d8f65-41da-4de4-8968-e035b65339cf   Reports Reader                   790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b   Message Center Reader             7495fdc4-34c4-4d15-a289-98788ce399fd   Azure Information Protection ... 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4   Desktop Analytics Administrator   4d6ac14f-3453-41d0-bef9-a3e0c569773a   License Administrator             7698a772-787b-4ac8-901f-60d6b08affd2   Cloud Device Administrator       c4e39bd9-1100-46d3-8c65-fb160da0071f   Authentication Administrator      7be44c8a-adaf-4e2a-84d6-ab2649e08a13   Privileged Authentication Adm... baf37b3a-610e-45da-9e62-d9d1e5e8914b   Teams Communications Administ... f70938a0-fc10-4177-9e90-2178f8765737   Teams Communications Support ... fcf91098-03e3-41a9-b5ba-6f0ec8188a12   Teams Communications Support ... 69091246-20e8-4a56-aa4d-066075b2a7a8   Teams Administrator               eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c   Insights Administrator            ac16e43d-7b2d-40e0-ac05-243ff356ab5b   Message Center Privacy Reader    6e591065-9bad-43ed-90f3-e9424366d2f0   External ID User Flow Adminis... 0f971eea-41eb-4569-a71e-57bb8a3eff1e   External ID User Flow Attribu... aaf43236-0c0d-4d5f-883a-6955382ac081   B2C IEF Keyset Administrator      3edaf663-341e-4475-9f94-5c398ef6c070   B2C IEF Policy Administrator      be2f45a1-457d-42af-a067-6ec1fa63bc45   External Identity Provider Ad... e6d1a23a-da11-4be4-9570-befc86d067a7   Compliance Data Administrator    5f2222b1-57c3-48ba-8ad5-d4759f1fde6f   Security Operator                74ef975b-6605-40af-a5d2-b9539d836353   Kaizala Administrator             f2ef992c-3afb-46b9-b7cf-a126ee74c451   Global Reader                     0964bb5e-9bdb-4d7b-ac29-58e794862a40   Search Administrator             8835291a-918c-4fd7-a9ce-faa49f0cf7d9   Search Editor                     966707d0-3269-4727-9be2-8c3a10f19b9d   Password Administrator            644ef478-e28f-4e28-b9dc-3fdde9aa0b1f   Printer Administrator             e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477   Printer Technician                0526716b-113d-4c15-b2c8-68e3c22b9f80   Authentication Policy Adminis... fdd7a751-b60b-444a-984c-02652fe8fa1c   Groups Administrator             11648597-926c-4cf3-9c36-bcebb0ba8dcc   Power Platform Administrator      e3973bdf-4987-49ae-837a-ba8e231c7286   Azure DevOps Administrator       8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2   Hybrid Identity Administrator    2b745bdf-0803-4d80-aa65-822c4493daac   Office Apps Administrator         d37c8bed-0711-4417-ba38-b4abe66ce4c2   Network Administrator             31e939ad-9672-4796-9c2e-873181342d2d   Insights Business Leader          3d762c5a-1b6c-493f-843e-55a3b42923d4   Teams Devices Administrator       c430b396-e693-46cc-96f3-db01bf8bb62a   Attack Simulation Administrator   9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f   Attack Payload Author             75934031-6c7e-415a-99d7-48dbd49e875e   Usage Summary Reports Reader      b5a8dcf3-09d5-43a9-a639-8e29ef291470   Knowledge Administrator          744ec460-397e-42ad-a462-8b3f9747a02c   Knowledge Manager                8329153b-31d0-4727-b945-745eb3bc5f31   Domain Name Administrator         31392ffb-586c-42d1-9346-e59415a2cc4e   Exchange Recipient Administrator 复制代码 62e90394-69f5-4237-9190-012177145e10   Company Administrator             Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. 62e90394-69f5-4237-9190-012177145e10   Global Administrator       Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.       https://docs.microsoft.com/en-us ... l-administrato.html Company Administrator 和 Global Administrator 是一回事儿

荣誉会员

你拿拥有user administrator权限的子号登陆，然后新建一个子号给予global administrator权限（我记得user administrator权限可以新建管理员账号）
或者置顶发了有global administrator的id，你修改一下就行（替换user administrator权限的id）