时间戳

首页 > 解决方案 > 无法通过 PowerShell 将角色添加到 Azure 应用注册

powershell - 无法通过 PowerShell 将角色添加到 Azure 应用注册

问题描述

我正在使用 Powershell 将角色添加到 Azure 中的现有应用注册。我正在使用这个命令:

Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $newAppRoles

$newAppROles是一个数组Microsoft.Open.AzureAD.Model.AppRole

当我执行上述命令时,我收到此错误:

Set-AzureADApplication:无法将“System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.AppRole]”转换为参数“AppRoles”所需的“Microsoft.Open.AzureAD.Model.AppRole”类型。不支持指定的方法。

的文档SetAzureADApplication说它需要一个应用程序角色列表;但我收到了这个错误。似乎没有其他文档可以帮助我。有人可以告诉我我做错了什么。

以下是完整代码

Connect-AzureAD
$myApp = ""
$appName = "Narasimham POC Powershell - Multiple reply URLs"
if (!($myApp = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'"  -ErrorAction SilentlyContinue)) {
    Write-Output "Application $appName not found"
}
else {
    Write-Output $myApp

    $currentAppRoles = $myApp.AppRoles

    $appRole = New-Object -TypeName Microsoft.Open.AzureAD.Model.AppRole
    $appRole.IsEnabled = $true
    $appRole.DisplayName = "Read Role"
    $appRole.Value = "Reader"
    $appRole.AllowedMemberTypes = "User"
    $appRole.Id = New-Guid
    $appRole.Description = "Reader Role for Narasimham POC Powershell"

    $newAppRoles = @($currentAppRoles, $appRole)
    Write-Output $newAppRoles
    Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $newAppRoles
}

标签: powershellazure-active-directory

解决方案

我认为问题在于脚本中为当前角色添加新角色的部分。

尝试从您的问题中替换这部分脚本:

$newAppRoles = @($currentAppRoles, $appRole)
Write-Output $newAppRoles
Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $newAppRoles

用这样的东西代替:

$currentAppRoles.Add($appRole)
Write-Output $currentAppRoles
Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $currentAppRoles

这是我之前用来回答一个非常相似的 SO 问题的完整脚本,以防这对您更有帮助。这会为现有的注册应用程序添加一个新的应用程序角色:

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User");
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

完成上述脚本以添加 AppRole 后,为用户分配角色非常简单,并且可以使用直接命令。这是一个示例脚本 -

# Assign the values to the variables
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id

推荐阅读