我正在将我的 Azure Powershell 代码中的
Set-AzureADApplication
转换为 Update-MgApplication
。我正在使用这些命令向 Azure 中的应用程序添加权限。请参阅下面我的代码。
function Add-Application {
param(
[string]$appName
)
$ReplyURL = Read-Host "Enter your redirect URI"
#$App = New-AzureADApplication -DisplayName $appName -ReplyUrls $ReplyURL
$App = New-MgApplication -DisplayName $AppName -DefaultRedirectUri $ReplyURL
#New-AzureADServicePrincipal -AppId $App.AppId
New-MgServicePrincipal -AppId $App.AppId
}
# -------------------------------------------------------------
# Function to Add Permissions
function Add-Permission {
param(
[string]$appName
)
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
$Azure = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Azure.ResourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013" # Azure Service Management API
$UserReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a154be20-db9c-4678-8ab7-66f6cc099a59","Scope"
$GroupReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "5f8c59db-677d-491f-a6b8-5f174b11ec1d","Scope"
$GroupMemberReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "bc024368-1153-4739-b217-4326f2e966d0","Scope"
$GroupMemberReadWriteAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "f81125ac-d3b7-4573-a3b2-7099cc39df9e","Scope"
$DirectoryReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"
$AuditLogReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20","Scope"
$offlineaccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182","Scope"
$Graph.ResourceAccess = $UserReadAll, $GroupReadAll, $GroupMemberReadAll, $GroupMemberReadWriteAll, $DirectoryReadAll, $AuditLogReadAll, $offlineaccess
$userimpersonation = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "41094075-9dad-400e-a0bd-54e686782033","Scope"
$Azure.ResourceAccess = $userimpersonation
#$App = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'"
$App = Get-MgApplication -Filter "DisplayName eq '$($appName)'"
#Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $Graph, $Azure
Update-MgApplication -ObjectId $App.Id -RequiredResourceAccess $Graph, $Azure
}
当我运行此代码时,我收到此新错误:
所以我明白这与这部分代码有关:
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess" $Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
但是我该如何解决这个错误呢?我想一个更广泛的问题是如何使用
Update-MgApplication
命令向应用程序添加权限?
您可以使用以下modified脚本使用Update-MgApplication
命令添加
Deleerated权限:
function Add-Application {
param(
[string]$appName
)
$ReplyURL = Read-Host "Enter your redirect URI"
$App = New-MgApplication -DisplayName $AppName -Web @{ RedirectUris = @($ReplyURL) }
New-MgServicePrincipal -AppId $App.AppId
}
# -------------------------------------------------------------
# Function to Add Permissions
function Add-Permission {
param(
[string]$appName
)
$delegatedPermissions = @(
"AuditLog.Read.All",
"Directory.Read.All",
"User.Read.All",
"offline_access",
"Group.Read.All",
"GroupMember.Read.All",
"GroupMember.ReadWrite.All"
)
$filteredPermissions = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property Oauth2PermissionScopes | Select -ExpandProperty Oauth2PermissionScopes | Where-Object { $delegatedPermissions -contains $_.Value }
$azureServicePermission = @{
resourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
resourceAccess = @(
@{
id = "41094075-9dad-400e-a0bd-54e686782033"
type = "Scope"
}
)
}
$app = Get-MgApplication -Filter "DisplayName eq '$appName'"
$params = @{
requiredResourceAccess = @(
$azureServicePermission,
@{
resourceAppId = "00000003-0000-0000-c000-000000000000"
resourceAccess = $filteredPermissions | ForEach-Object {
@{
id = $_.Id
type = "Scope"
}
}
}
)
}
Update-MgApplication -ApplicationId $app.Id -BodyParameter $params
}
为了调用这些函数,我运行了 PowerShell 命令并得到了响应,如下所示:
Add-Application -appName "SriDemoApp"
Add-Permission -appName "SriDemoApp"
回复:
当我在门户中检查相同内容时,使用
API permissions
创建的新应用程序注册已成功添加,如下所示: