I'm trying to create the following with PowerShell:
Here is the current script I wrote by hand, but I'm confused about setting the scope on the original server test application. I have tried this, but the -Id and -Type parameters (which I would use in the Portal) don't seem to apply to the PS CLI, and when I need to declare api:// as a scope it fails because the Add-AzADAppPermission part doesn't work.
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount
# create the server application registration
$serverApp = New-AzADApplication -DisplayName "Connection (Server, Test)" -AvailableToOtherTenants $false
# expose an API with details
$scopeName = "API.Access"
$scopeId = (New-Guid).Guid
$apiPermission = Add-AzADAppPermission -ApplicationId $serverApp.ApplicationId -Id $scopeId -Type "Scope" -Permission $scopeName -Description "API Access scope"
$serverApp = Set-AzADApplication -ObjectId $serverApp.ObjectId -IdentifierUris "api://$($serverApp.ApplicationId)" -ApiPermissions $apiPermission
Write-Host "The Server Application registration of Connection (Server, Test) has been created successfully! Note the following details:"
Write-Host "Server-Test Client ID: $($serverApp.ApplicationId)"
Write-Host "Server-Test Tenant ID: $tenantId"
Write-Host "Server-Test Application ID URL: api://$($serverApp.ApplicationId)"
# Creating client application after a delay to make sure the svr app has fully deployed
Write-Host "Creating Client Application... gathering resources..."
Start-Sleep -Seconds 10
$clientApp = New-AzADApplication -DisplayName "Connection (Client, Test)" -AvailableToOtherTenants $false
$clientSecret = New-AzADAppCredential -ObjectId $clientApp.ObjectId -EndDate (Get-Date).AddMonths(24)
$secretValue = $clientSecret.SecretText
# set application as a client application to the server
New-AzADServicePrincipal -ApplicationId $clientApp.ApplicationId
New-AzADAppPermissionGrant -ObjectId $clientApp.ObjectId -ApiId $serverApp.ApplicationId -ExpiryTime (Get-Date).AddMonths(24) -Scope $scopeName
# add authentication platform for client app
$redirectUri = "https://oauth.powerbi.com/views/oauthredirect.html"
New-AzADAppRedirectUri -ObjectId $clientApp.ObjectId -RedirectUri $redirectUri
Set-AzADApplication -ObjectId $clientApp.ObjectId -ReplyUrls $redirectUri -OAuth2AllowImplicitFlow $true -OAuth2AllowIdTokenImplicitFlow $true
Write-Host "Success! The applications of Connection (Server, Test) and Connection (Client, Test) have been created. Please make a note of the following details:"
Write-Host "Server-Test Client ID: $($serverApp.ApplicationId)"
Write-Host "Server-Test Tenant ID: $tenantId"
Write-Host "Client-Test Client ID: $($clientApp.ApplicationId)"
Write-Host "Client-Test Client Secret: $secretValue"
Register the server application:
#registering server application
$serverApp = New-AzADApplication -DisplayName "Connection (Server, Test)" -AvailableToOtherTenants $false
$AppId=$serverApp.AppId
Set-AzADApplication -ApplicationId $serverApp.AppId -IdentifierUris "api://$AppId"
# read the registration back so its Api block can be edited
$app = Get-AzADApplication -ApplicationId $AppId
Expose the server application's API and register the client application:
#exposing an API
$permissionScop = New-Object Microsoft.Azure.Powershell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphPermissionScope
$permissionScop.Id = New-Guid
$permissionScop.AdminConsentDescription = "API.Access"
$permissionScop.AdminConsentDisplayName = "API.Access"
$permissionScop.IsEnabled = $true
$permissionScop.Type = "User"
$permissionScop.UserConsentDescription = "API.Access"
$permissionScop.UserConsentDisplayName = "API.Access"
$permissionScop.Value = "user_impersonation"
$api = $app.Api
$api.Oauth2PermissionScope = $permissionScop
Update-AzADApplication -ApplicationId $AppId -Api $api
Write-Host "The Server Application registration of Connection (Server, Test) has been created successfully! Note the following details:"
Write-Host "Server-Test Client ID: $($serverApp.AppId)"
$context = Get-AzContext
$tenantId = $context.Tenant.Id
Write-Output "Tenant ID: $tenantId"
Write-Host "Server-Test Tenant ID: $tenantId"
Write-Host "Server-Test Application ID URL: api://$($serverApp.AppId)"
# Creating client application after a delay to make sure the svr app has fully deployed
Write-Host "Creating Client Application... gathering resources..."
Start-Sleep -Seconds 10
#registering client-app
$displayName = "Connection (Client, Test)"
$redirectUri = "https://oauth.powerbi.com/views/oauthredirect.html"
$newApp = New-AzureADApplication -DisplayName $displayName
Set-AzureADApplication -ObjectId $newApp.ObjectId -ReplyUrls @($redirectUri)
Set-AzureADApplication -ObjectId $newApp.ObjectId -Oauth2AllowImplicitFlow $true
$clientSecret = New-AzADAppCredential -ObjectId $newApp.ObjectId -EndDate (Get-Date).AddMonths(24)
$secretValue = $clientSecret.SecretText
New-AzADServicePrincipal -ApplicationId $newApp.AppId
# grant the client app the scope exposed by the server app (ObjectId of the client, AppId of the resource, Id of the scope)
Add-AzADAppPermission -ObjectId $newApp.ObjectId -ApiId $AppId -PermissionId $permissionScop.Id
With PowerShell we cannot grant admin consent; it can be done through the portal or the Azure CLI.
CLI command:
az ad app permission admin-consent --id 00000000-0000-0000-0000-000000000000
Write-Host "Success! The applications of Connection (Server, Test) and Connection (Client, Test) have been created. Please make a note of the following details:"
Write-Host "Server-Test Client ID: $($serverApp.AppId)"
Write-Host "Client-Test Client ID: $($newApp.AppId)"
Write-Host "Client-Test Client Secret: $secretValue"
Write-Output "Tenant ID: $($context.Tenant.Id)"
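A read-back check for the procedure in the answer above, added here as an example and not part of the answer: it confirms that the server app actually publishes the scope under its api:// URI and that the client app's required resource access points at that exact scope, before anyone runs admin consent. It assumes the Az.Resources Microsoft Graph object model (IdentifierUri, Api.Oauth2PermissionScope, RequiredResourceAccess) and that $AppId, $newApp and $permissionScop are still set from the script above.

```powershell
# Added verification step (not the answer's own code). Assumes the Az.Resources
# MSGraph application model and the variables defined by the script above.
function Test-ApiScopeGrant {
    param(
        [Parameter(Mandatory)][string]$ServerAppId,   # AppId of "Connection (Server, Test)"
        [Parameter(Mandatory)][string]$ClientAppId,   # AppId of "Connection (Client, Test)"
        [Parameter(Mandatory)][string]$ScopeId        # Id of the exposed permission scope
    )
    $server = Get-AzADApplication -ApplicationId $ServerAppId
    $client = Get-AzADApplication -ApplicationId $ClientAppId

    # 1. The server app must publish the scope and carry the api://<AppId> identifier URI
    $scope  = $server.Api.Oauth2PermissionScope | Where-Object { $_.Id -eq $ScopeId }
    $hasUri = $server.IdentifierUri -contains "api://$ServerAppId"

    # 2. The client app must request that scope (Type 'Scope', i.e. delegated) from that resource only
    $req       = $client.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $ServerAppId }
    $requested = $req.ResourceAccess | Where-Object { $_.Id -eq $ScopeId -and $_.Type -eq 'Scope' }

    [pscustomobject]@{
        ScopeExposed   = [bool]$scope
        ScopeEnabled   = [bool]($scope -and $scope.IsEnabled)
        ScopeValue     = $scope.Value              # expected: user_impersonation
        IdentifierUri  = $hasUri
        ClientRequests = [bool]$requested
    }
}

# Every field should be $true (ScopeValue = user_impersonation); a $false field
# points at the step of the script above that did not take effect.
Test-ApiScopeGrant -ServerAppId $AppId -ClientAppId $newApp.AppId -ScopeId $permissionScop.Id
```

Note that a successful check only shows the request is recorded on the client registration; the grant itself still requires the admin-consent step described above.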