New-AzureADPolicy: Error occurred while executing NewPolicy in Windows PowerShell

Time: 2018-06-07 05:04:02

Tags: powershell azure azure-active-directory

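I am trying to configure a custom token expiration policy by following the instructions on the Microsoft website (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes).

But I am getting an error message that is hard to understand. It does not seem to be a transient error, as I have tried several times over the past few days.

I have tried running PowerShell both normally and "as Administrator", but it makes no difference to the result.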

PS C:\Users\sheakbar> New-AzureADPolicy -Definition @(‘{“TokenLifetimePolicy”:{“Version”:1,”MaxInactiveTime”:”14.00:00:00″,”MaxAgeSing
leFactor”:”90.00:00:00″,”MaxAgeMultiFactor”:”90.00:00:00″,”MaxAgeSessionSingleFactor”:”until-revoked”,”MaxAgeSessionMultiFactor”:”unti
l-revoked”}}’) -DisplayName “OrganizationDefaultPolicyScenario” -IsOrganizationDefault $true -Type “TokenLifetimePolicy”
New-AzureADPolicy : Error occurred while executing NewPolicy
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
InnerError:
  RequestId: 4c0f01de-96b4-4483-8a19-43b411149880
  DateTimeStamp: Thu, 07 Jun 2018 04:28:08 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADPolicy -Definition @(‘{“TokenLifetimePolicy”:{“Version”:1, ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewPolicy

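2 answers:

Answer 0: (score: 1)

According to the error message, it seems your account is not a Global Administrator in your tenant and does not have sufficient privileges to run this PowerShell command.

Solution:

Run the connect command Connect-AzureAD to sign in with an Azure AD administrator account.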

Answer 1: (score: 0)

If we use a global administrator (xxx.onmicrosoft.com) account to connect to Azure AD,

then we can use New-AzureADPolicy. I tested it on my side with the following command:

New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"14.00:00:00","MaxAgeSingleFactor":"90.00:00:00","MaxAgeMultiFactor":"90.00:00:00","MaxAgeSessionSingleFactor":"until-revoked","MaxAgeSessionMultiFactor":"until-revoked"}}') -DisplayName "OrganizationDefaultPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"

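A pre-flight check for the Authorization_RequestDenied error discussed above, as an added example that is not part of the original question or answers: it confirms that the account connected through Connect-AzureAD is a direct member of the Global Administrator role before New-AzureADPolicy is attempted. It assumes the AzureADPreview module is installed and that the sign-in name of the session resolves through Get-AzureADUser (typical for member accounts, not guests); the function name Test-IsGlobalAdmin is hypothetical.

```powershell
# Added example; Test-IsGlobalAdmin is a hypothetical helper name.
# Assumes the AzureADPreview module, which provides New-AzureADPolicy.
Import-Module AzureADPreview -ErrorAction Stop

function Test-IsGlobalAdmin {
    # Fails if Connect-AzureAD has not been run in this session.
    $session = Get-AzureADCurrentSessionInfo -ErrorAction Stop

    # Assumption: the session's sign-in name is the user's UPN.
    $me = Get-AzureADUser -ObjectId $session.Account.Id

    # The Global Administrator role is listed as "Company Administrator".
    # Get-AzureADDirectoryRole returns only roles activated in the tenant.
    $role = Get-AzureADDirectoryRole |
        Where-Object { $_.DisplayName -eq 'Company Administrator' }
    if (-not $role) { return $false }

    # Direct role members only; membership through other mechanisms is not checked.
    $match = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $me.ObjectId }
    return [bool]$match
}

Connect-AzureAD | Out-Null

if (Test-IsGlobalAdmin) {
    # Show existing token lifetime policies before adding another
    # organization default, so the change can be reviewed first.
    Get-AzureADPolicy |
        Where-Object { $_.Type -eq 'TokenLifetimePolicy' } |
        Select-Object Id, DisplayName, IsOrganizationDefault
    Write-Output 'Account is a Global Administrator; New-AzureADPolicy should be authorized.'
}
else {
    $account = (Get-AzureADCurrentSessionInfo).Account.Id
    Write-Warning "$account is not a direct member of the Global Administrator role; New-AzureADPolicy will return Authorization_RequestDenied."
}
```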