azure - 如何使用 PowerShell 将 Api 权限添加到 Azure 应用注册
问题描述
我正在弄清楚 Azure PowerShell 中的命令,以将User.ReadApe 权限添加到我在 Azure 中的应用注册。
我可以使用 找到一些示例*Azure,但更喜欢使用*Az命令的示例,例如https://docs.microsoft.com/en-us/powershell/azure/?view=azps-2.8.0。
想知道是否有人知道如何做到这一点?谢谢!
解决方案
目前只能使用Azure AD PowerShell来实现。请注意, Azure AD PowerShell和Azure PowerShell之间存在差异。Azure AD PowerShell不仅仅是旧的 Azure PowerShell模块。Azure AD PowerShell 是一个单独的模块。Azure AD 还没有“AZ*”。只有几个最常用的命令具有 Azure 资源提供程序实现。Azure PowerShell 具有一组有限的功能用于使用 Azure AD。如果您需要更多功能,例如您提到的功能,则必须使用 Azure AD PowerShell。Azure AD PowerShell不是已弃用,是官方支持的用于与 Azure AD 一起使用的 PowerShell 模块。
您可以通过Set-AzureAdApplication cmdlet管理这些所需的权限并传递适当的-RequiredResourceAccess对象。
为了构造这个对象,您必须首先获得对“公开”权限的引用。因为权限是由其他服务主体公开的。
由于我无法上传整个文件,这里是一个 PowerShell 脚本,它创建了一个示例应用程序,该应用程序具有对某些 MS Graph 和某些 Power BI 权限的所需权限。
Function GetToken
{
param(
[String] $authority = "https://login.microsoftonline.com/dayzure.com/oauth2/token",
[String] $clientId,
[String] $clientSecret,
[String] $resourceId = "https://graph.windows.net"
)
$scope = [System.Web.HttpUtility]::UrlEncode($resourceId)
$encSecret = [System.Web.HttpUtility]::UrlEncode($clientSecret)
$body = "grant_type=client_credentials&resource=$($scope)&client_id=$($clientId)&client_secret=$($encSecret)"
$res = Invoke-WebRequest -Uri $authority -Body $body -Method Post
$authResult = $res.Content | ConvertFrom-Json
return $authResult.access_token
}
#`
# -RequiredResourceAccess @($requiredResourceAccess)
#
Function CreateChildApp
{
param (
[string] $displayName,
[string] $tenantName
)
# create your new application
Write-Output -InputObject ('Creating App Registration {0}' -f $displayName)
if (!(Get-AzureADApplication -SearchString $displayName)) {
$app = New-AzureADApplication -DisplayName $displayName `
-Homepage "https://localhost" `
-ReplyUrls "https://localhost" `
-IdentifierUris ('https://{0}/{1}' -f $tenantName, $displayName)
# create SPN for App Registration
Write-Output -InputObject ('Creating SPN for App Registration {0}' -f $displayName)
# create a password (spn key)
$appPwd = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
$appPwd
# create a service principal for your application
# you need this to be able to grant your application the required permission
$spForApp = New-AzureADServicePrincipal -AppId $app.AppId -PasswordCredentials @($appPwd)
}
else {
Write-Output -InputObject ('App Registration {0} already exists' -f $displayName)
$app = Get-AzureADApplication -SearchString $displayName
}
#endregion
return $app
}
Function GrantAllThePermissionsWeWant
{
param
(
[string] $targetServicePrincipalName,
$appPermissionsRequired,
$childApp,
$spForApp
)
$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($targetServicePrincipalName)'"
# Iterate Permissions array
Write-Output -InputObject ('Retrieve Role Assignments objects')
$RoleAssignments = @()
Foreach ($AppPermission in $appPermissionsRequired) {
$RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission}
$RoleAssignments += $RoleAssignment
}
$ResourceAccessObjects = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
# set the required resource access
Set-AzureADApplication -ObjectId $childApp.ObjectId -RequiredResourceAccess $requiredResourceAccess
Start-Sleep -s 1
# grant the required resource access
foreach ($RoleAssignment in $RoleAssignments) {
Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
Start-Sleep -s 1
}
}
cls
#globaladminapp
$clientID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
$key = "****"
$tenantId = "aaaaaaaa-bbbb-xxxx-yyyy-aaaaaaaaaaaa";
$TenantName = "customdomain.com";
$AppRegName = "globaladminChild-0003";
$token = GetToken -clientId $clientID -clientSecret $key
Disconnect-AzureAD
Connect-AzureAD -AadAccessToken $token -AccountId $clientID -TenantId $tenantId
$appPermissionsRequired = @('Application.ReadWrite.OwnedBy', 'Device.ReadWrite.All', 'Domain.ReadWrite.All')
$targetServicePrincipalName = 'Windows Azure Active Directory'
#$appPermissionsRequired = @('Files.ReadWrite.All','Sites.FullControl.All','Notes.ReadWrite.All')
#$targetServicePrincipalName = 'Microsoft Graph'
$app = CreateChildApp -displayName $AppRegName -tenantName $TenantName
$spForApp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($AppRegName)'"
$appPermissionsRequired = @('Tenant.ReadWrite.All')
$targetServicePrincipalName = 'Power BI Service'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -childApp $app -spForApp $spForApp
$appPermissionsRequired = @('Files.ReadWrite.All','Sites.FullControl.All','Notes.ReadWrite.All')
$targetServicePrincipalName = 'Microsoft Graph'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -childApp $app -spForApp $spForApp
有趣的部分是围绕“apppermissionrequired”和“targetserviceprincipalname”变量。
推荐阅读
- java - 从另一个 Fragment 获取值,然后将 Items 添加到自定义 recyclerview
- wso2 - WSO2 企业集成商 + WSO2 消息代理
- javascript - 使用 GET 传递参数传递空对象
- groovy - 如何使用 groovy 在 testSuite TearDown 中捕获请求和响应
- git - 在递归 git repo 中断开子模块的链接并使它们独立于原始引用
- reactjs - 是的,填写的字段之一
- c# - 如何将 ASP.NET Core 应用程序和 Redis 一起 dockerize?
- python - Xarray Dataarray查找最大值行
- azure - 在 Azure 容器服务中停止和启动数据时,如何将数据保留在容器中?
- c - 如何修复结构返回函数中的“预期标识符”或“(”之前的“int”错误