I currently have code that creates an application with delegated permissions. I would also like to add application permissions. Can anyone show an example of how to add both? Thanks.
My code is as follows:
```powershell
function Add-Permission {
    param(
        [string]$appName
    )
    $delegatedPermissions = @(
        "AuditLog.Read.All",
        "Directory.Read.All",
        "User.Read.All",
        "offline_access",
        "Group.Read.All",
        "GroupMember.Read.All",
        "GroupMember.ReadWrite.All"
    )
    # Delegated scopes are the oauth2PermissionScopes of the Microsoft Graph service principal
    $filteredPermissions = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" `
        -Property Oauth2PermissionScopes | Select-Object -ExpandProperty Oauth2PermissionScopes |
        Where-Object { $delegatedPermissions -contains $_.Value }
    $azureServicePermission = @{
        resourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
        resourceAccess = @(
            @{
                id = "41094075-9dad-400e-a0bd-54e686782033"
                type = "Scope"
            }
        )
    }
    $app = Get-MgApplication -Filter "DisplayName eq '$appName'"
    $params = @{
        requiredResourceAccess = @(
            $azureServicePermission,
            @{
                resourceAppId = "00000003-0000-0000-c000-000000000000"
                # @(...) keeps resourceAccess an array even when only one scope matches
                resourceAccess = @($filteredPermissions | ForEach-Object {
                    @{
                        id = $_.Id
                        type = "Scope"
                    }
                })
            }
        )
    }
    Update-MgApplication -ApplicationId $app.Id -BodyParameter $params
}
```
I would try to get the application permissions the same way you get the delegated permissions, and then add them to the parameters.
```powershell
...
@{
    resourceAppId = "00000003-0000-0000-c000-000000000000"
    # Delegated scopes are declared as type "Scope"; application permissions (appRoles) as type "Role".
    # The two arrays are concatenated so resourceAccess stays one flat list.
    resourceAccess = @($filteredDelegatedPermissions | ForEach-Object {
        @{
            id = $_.Id
            type = "Scope"
        }
    }) + @($filteredApplicationPermissions | ForEach-Object {
        @{
            id = $_.Id
            type = "Role"
        }
    })
}
```
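As an added example (not code from the question or either answer), here is a complete function that resolves both kinds of Microsoft Graph permission by name and declares them in requiredResourceAccess, refusing unknown names instead of silently dropping them and preserving entries for other resource APIs. The function name, its parameters and the sample app name are assumptions; it needs the Microsoft.Graph module and Application.ReadWrite.All.

```powershell
function Set-GraphRequiredPermissions {
    param(
        [Parameter(Mandatory)] [string]$AppName,
        [string[]]$Delegated = @(),
        [string[]]$Application = @()
    )
    $graphAppId = "00000003-0000-0000-c000-000000000000"
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'" `
        -Property Oauth2PermissionScopes, AppRoles

    # Delegated permissions live in oauth2PermissionScopes (type "Scope");
    # application permissions live in appRoles (type "Role").
    $scopes = $graphSp.Oauth2PermissionScopes | Where-Object { $Delegated -contains $_.Value }
    $roles  = $graphSp.AppRoles | Where-Object { $Application -contains $_.Value }

    # A misspelled permission name would otherwise vanish without any error.
    $missing = @($Delegated | Where-Object { $_ -notin $scopes.Value }) +
               @($Application | Where-Object { $_ -notin $roles.Value })
    if ($missing) { throw "Unknown Microsoft Graph permission(s): $($missing -join ', ')" }

    $access = @($scopes | ForEach-Object { @{ id = $_.Id; type = "Scope" } }) +
              @($roles  | ForEach-Object { @{ id = $_.Id; type = "Role" } })

    $app = Get-MgApplication -Filter "displayName eq '$AppName'"
    if (@($app).Count -ne 1) { throw "Expected one app named '$AppName', found $(@($app).Count)" }

    # Keep requiredResourceAccess entries for other resource APIs; replace only the Graph entry.
    $others = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $graphAppId } |
        ForEach-Object {
            @{
                resourceAppId  = $_.ResourceAppId
                resourceAccess = @($_.ResourceAccess | ForEach-Object { @{ id = $_.Id; type = $_.Type } })
            }
        })
    $required = $others + @(@{ resourceAppId = $graphAppId; resourceAccess = $access })

    Update-MgApplication -ApplicationId $app.Id -BodyParameter @{ requiredResourceAccess = $required }
}

# Usage (constructed): two delegated scopes and one application permission.
Set-GraphRequiredPermissions -AppName "my-app" `
    -Delegated "User.Read.All", "Group.Read.All" -Application "Directory.Read.All"
```

This only declares the permissions on the app registration; an administrator still has to grant consent before the app can use them, so keep the list to what the app actually needs.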
Your function starts off well, but I would use the
New-MgServicePrincipalAppRoleAssignedTo
cmdlet to add the application role assignments.
```powershell
function Add-Permission {
    param(
        [string]$appName
    )
    $applicationPermissions = @(
        "AuditLog.Read.All",
        "Directory.Read.All",
        "User.Read.All",
        "offline_access",
        "Group.Read.All",
        "GroupMember.Read.All",
        "GroupMember.ReadWrite.All"
    )
    # Service principal of the app that receives the permissions
    $servicePrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$appName'"
    # Application permissions are the appRoles of the Microsoft Graph service principal
    $graphSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property Id, AppRoles
    $filteredPermissions = $graphSp.AppRoles |
        Where-Object { ($applicationPermissions -contains $_.Value) -and ($_.Origin -eq "Application") }
    foreach ($perm in $filteredPermissions) {
        # principalId is the app's service principal; resourceId is the Graph service principal
        $params = @{
            principalId = $servicePrincipal.Id
            resourceId = $graphSp.Id
            appRoleId = $perm.Id
        }
        # The assignment is created on the resource (Microsoft Graph) side
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -BodyParameter $params
    }
}
```
I adjusted your filter criteria slightly.