How do I add the "offline_access" permission to a new application registration in Azure AD?

Question   Votes: 0   Answers: 1

Please see my code for adding permissions to a new application registration:

# Define variables
$AppName = "Test Application 5"
$CertSubject = "CN=$AppName"
$StartDate = Get-Date
$EndDate = $StartDate.AddMonths(3) # Adjust certificate validity period as needed

# Create a new Azure AD application
$App = New-AzureADApplication -DisplayName $AppName -IdentifierUris "test9" -HomePage "https://yourapphomepage"

# Generate a new self-signed certificate
$Cert = New-SelfSignedCertificate -Subject $CertSubject -CertStoreLocation "Cert:\CurrentUser\My" -NotBefore $StartDate -NotAfter $EndDate

# Convert the certificate to a base64-encoded string
$CertBytes = [System.Convert]::ToBase64String($Cert.RawData)
$CertValue = [System.Text.Encoding]::UTF8.GetString([System.Text.Encoding]::ASCII.GetBytes($CertBytes))

# Create a new certificate credential for the application
New-AzureADApplicationKeyCredential -ObjectId $App.ObjectId -CustomKeyIdentifier "CertKey" -Type AsymmetricX509Cert -Usage Verify -Value $CertValue -StartDate $StartDate -EndDate $EndDate

# Create a new password credential for the application (secret)
$PasswordCredential = New-AzureADApplicationPasswordCredential -ObjectId $App.ObjectId -CustomKeyIdentifier "PasswordKey" -StartDate $StartDate -EndDate $EndDate


#-------------------------------------------------------------
# Add Permissions

# Create the service principal for the new application
$spForApp = New-AzureADServicePrincipal -AppId $App.AppId -PasswordCredentials @($PasswordCredential)

# Permission names to request from Microsoft Graph
$appPermissionsRequired = @('offline_access','User.Read.All','Group.Read.All','GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All')
$targetServicePrincipalName = 'Microsoft Graph'

$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($targetServicePrincipalName)'"

# Look up each permission name among the Microsoft Graph application roles (AppRoles)
$RoleAssignments = @()

Foreach ($AppPermission in $appPermissionsRequired) {
    $RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission}
    $RoleAssignments += $RoleAssignment
}

$ResourceAccessObjects = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'

foreach ($RoleAssignment in $RoleAssignments) {
    $resourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess"
    $resourceAccess.Id = $RoleAssignment.Id
    $resourceAccess.Type = 'Role'
    $ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects

# set the required resource access
Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $requiredResourceAccess
Start-Sleep -s 1

# grant the required resource access
foreach ($RoleAssignment in $RoleAssignments) {
    Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
    New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
    Start-Sleep -s 1
}

All of the permissions except "offline_access" were added successfully.

When I look up the app roles from the command line with the following:

$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$targetSp.AppRoles

I get a long list of app roles from Microsoft Graph. I can find every app role except "offline_access". It is as if it does not exist. But I can add it manually in the Azure portal.

Does anyone know how I can target "offline_access"? I tried using the permission ID without success, but maybe someone knows how to use it. Thanks!

azure powershell azure-active-directory
1 Answer
0 votes

Note: offline_access is a delegated API permission, not an application API permission. Therefore you have to list it using Oauth2Permissions rather than AppRoles.

To list the delegated API permissions, use the following command:

$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$targetSp.Oauth2Permissions


To get only the delegated API permission you need, run the following command:

$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$offlineAccessId = $targetSp.Oauth2Permissions | Where-Object { $_.Value -eq 'offline_access' } 


You can add the offline_access API permission with the following code:

# Create a new Azure AD application
$myapp = New-AzureADApplication -DisplayName "RukApptest" 
$myappId = $myapp.ObjectId
$MSGraph = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }

# Retrieve the ID of the 'offline_access' permission from Microsoft Graph
$offlineAccessPermission = $MSGraph.Oauth2Permissions | Where-Object { $_.Value -eq 'offline_access' }
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $offlineAccessPermission.Id,"Scope"
$Graph.ResourceAccess = $Per1
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph

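An added example, not code from the question or the answer, that generalizes the fix: it resolves a mixed list of Microsoft Graph permission names to AppRoles (Type 'Role') or Oauth2Permissions (Type 'Scope') in a single RequiredResourceAccess, and fails loudly on any name that resolves to neither, which is exactly how offline_access went missing in the question. The function name New-GraphRequiredResourceAccess and the placeholder $AppObjectId are assumptions; the AppId filter uses the well-known first-party Microsoft Graph application ID.

```powershell
# Added example (not the question's or the answer's code). Requires the AzureAD module
# and an existing Connect-AzureAD session.
function New-GraphRequiredResourceAccess {
    param(
        [Parameter(Mandatory)] [string[]] $ApplicationPermissions,   # from AppRoles, Type 'Role'
        [Parameter(Mandatory)] [string[]] $DelegatedPermissions      # from Oauth2Permissions, Type 'Scope'
    )

    # Filter on the well-known Microsoft Graph AppId rather than on DisplayName, so that a
    # tenant-local app that happens to be named "Microsoft Graph" cannot be picked up instead.
    $graphSp = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant." }

    $access = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
    $unresolved = @()

    # Application permissions live in AppRoles and are requested with Type 'Role'
    foreach ($name in $ApplicationPermissions) {
        $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
        if ($role) { $access.Add((New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $role.Id, 'Role')) }
        else { $unresolved += "$name (application)" }
    }
    # Delegated permissions such as offline_access live in Oauth2Permissions, Type 'Scope'
    foreach ($name in $DelegatedPermissions) {
        $scope = $graphSp.Oauth2Permissions | Where-Object { $_.Value -eq $name }
        if ($scope) { $access.Add((New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $scope.Id, 'Scope')) }
        else { $unresolved += "$name (delegated)" }
    }
    # Stop instead of writing a ResourceAccess entry with an empty Id to the application
    if ($unresolved.Count -gt 0) { throw "Unresolved permission names: $($unresolved -join ', ')" }

    $required = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $required.ResourceAppId = $graphSp.AppId
    $required.ResourceAccess = $access
    return $required
}

# Usage: the question's permission list, with offline_access moved to the delegated side.
$AppObjectId = '<ObjectId of the application registration>'   # placeholder, assumed
$rra = New-GraphRequiredResourceAccess `
    -ApplicationPermissions @('User.Read.All','Group.Read.All','GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All') `
    -DelegatedPermissions @('offline_access')
Set-AzureADApplication -ObjectId $AppObjectId -RequiredResourceAccess @($rra)
```

Note that this only records the requested permissions on the application; admin consent for the application permissions is still granted separately, as the question's New-AzureADServiceAppRoleAssignment loop does.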

© www.soinside.com 2019 - 2024. All rights reserved.