Add-AipServiceSuperUser (AIPService)

The Add-AipServiceSuperUser cmdlet adds an individual account to the super user list for your organization. This operation makes the account an owner for all content that is protected by your organization. This means that these super users can decrypt this rights-protected content and remove rights-protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams. However, before a super user can do these operations, the super user feature for Azure Information Protection must be enabled by using the Enable-AipServiceSuperUserFeature cmdlet. By default, the super user feature is not enabled. Specify the account by email address or service principal ID. To specify a user who does not have an email address, specify their User Principal Name instead. For more information, see Preparing users and groups for Azure Information Protection. To specify a group rather than individual users, use the Set-AipServiceSuperUserGroup cmdlet instead of this Add-AipServiceSuperUser cmdlet. You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.