Cannot set "preAuthorizedApplications" object in new App registrations module through Azure PowerShell


Problem description

Short scenario: A multi-tenant front-end JavaScript (React.JS) Web Application calls a multi-tenant ASP.NET Core 2.2 WebAPI from the browser.

Authentication:

  1. ADAL.js in the front end app takes care of getting a token from either AzureAD1 or AzureAD2 or AzureAD3... when the User signs in (based on the User's original Azure Active Directory).

  2. The User gives consent to the front end Web App (scope: Sign in and read user profile) which is delegated to the WebAPI too. (meaning the user does not need to consent to the WebAPI as well)

  3. The front end Web App calls the WebAPI with the bearer token to get the resources.

Problem: I must automate the deployment of a new environment. And set the manifest file accordingly (It's a SaaS solution)

  1. In the manifest file I need to expose the WebAPI for the client application (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis#expose-a-new-scope-through-the-ui)
  2. Setting "knownClientApplications" is not enough (due to previously described delegation)
  3. The new v2 endpoint (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview) has a new App Registration feature. The old one is called "Legacy" now and will be deprecated starting May 2019.
  4. In the Azure Portal I need to expose the API and add the front end WebApp as an "Authorized client applications".

This step will add a new object in the manifest file:

"preAuthorizedApplications": [
    {
        "appId": "guid",
        "permissionIds": [
            "guid"
        ]
    }
],

  1. But it's still not available through PowerShell! (https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureadapplication?view=azureadps-2.0)

How can I add this "preAuthorizedApplications" section into the manifest file using Azure PowerShell? Why is it available in the portal but not in PS yet? It's the other way around usually...

08-05-2019 Update based on the answer:

I am getting the access token via a Service Principal:

$adTokenUrl = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$resource = "https://graph.windows.net/"

$body = @{
    grant_type    = "client_credentials"
    client_id     = "$ServicePrincipalId"
    client_secret = "$ServicePrincipalKey"
    resource      = "$resource"
}

$response = Invoke-RestMethod -Method 'Post' -Uri $adTokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

According to the docs: https://docs.microsoft.com/en-us/graph/api/application-update?view=graph-rest-beta&tabs=cs

The Service Principal should have at least Application.ReadWrite.OwnedBy, and most Application.ReadWrite.All privileges.

Should I ask our AAD admin to grant the below rights to the Service Principal?



08-05-2019 Update 2: Service Principal has been granted with ALL of the highlighted rights above.

Attempt 1:

Step 1: getting an access_token via the Service Principal (Owner of the Api app to be updated)

$adTokenUrl = "https://login.microsoftonline.com/$(TenantId)/oauth2/token"
$resource = "https://graph.microsoft.com/"

$body = @{
    grant_type    = "client_credentials"
    client_id     = "$(ServicePrincipalId)"
    client_secret = "$(ServicePrincipalKey)"
    resource      = "$resource"
}

$response = Invoke-RestMethod -Method 'Post' -Uri $adTokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

Step 2: using this access_token, building up my PATCH request as per Md Farid Uddin Kiron's suggestion, and

Result: The remote server returned an error: (403) Forbidden.

09-05-2019 Update 3: After some kind and detailed explanation and guidance, I got this to work and am getting HTTP 204 for my Postman request. The only thing left is to integrate these steps into my pipeline.

See accepted answer. It works. If someone has the same issue, please read the other answer from Md Farid Uddin Kiron.

Solution

You are right, it seems there is some faultiness in the AzureAD PowerShell module. That does not work for me either.

If you want to modify your app manifest using powershell to add "preAuthorizedApplications" section, you can try the powershell script below.

I have tested on my side and it works for me.

In theory, I have called Microsoft Graph API to modify the app manifest. If you have any further concerns, please feel free to let me know.

$AdAdminUserName = "<-your Azure ad admin username ->"
$AdAdminPass = "<-your Azure ad admin password ->"
$AdAppObjId = "<-your app obj id->"
$AdPreAuthAppId = "<-the app that need to be pre authed ->"
$AdAppScopeId = "<-your app scope id->"
$tenantName = "<-your tenant name->"

$body = @{
    "grant_type" = "password";
    "resource"   = "https://graph.microsoft.com/";
    "client_id"  = "1950a258-227b-4e31-a9cf-717495945fc2";
    "username"   = $AdAdminUserName;
    "password"   = $AdAdminPass
}

$requrl = "https://login.microsoftonline.com/" + $tenantName + "/oauth2/token"

$result = Invoke-RestMethod -Uri $requrl -Method POST -Body $body

$headers = New-Object 'System.Collections.Generic.Dictionary[String,String]'
$headers.Add("Content-Type", "application/json")
$headers.Add("Authorization", "Bearer " + $result.access_token)

$preAuthBody = "{`"api`": {`"preAuthorizedApplications`": [{`"appId`": `"" + $AdPreAuthAppId + "`",`"permissionIds`": [`"" + $AdAppScopeId + "`"]}]}}"

$requrl = "https://graph.microsoft.com/beta/applications/" + $AdAppObjId

Invoke-RestMethod -Uri $requrl -Method PATCH -Body $preAuthBody -Headers $headers

Note: ROPC is not safe, as Microsoft does not recommend using it. It also does not allow MFA, which is why it is a little dangerous.
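An added example, not code from the question or the answer above: the same api.preAuthorizedApplications PATCH, but authenticated with the client_credentials flow the question already uses (so no admin password and no ROPC), and merging into the existing list first, because a Graph PATCH on a collection property replaces the whole collection. It assumes the service principal has been granted and admin-consented for Application.ReadWrite.OwnedBy or Application.ReadWrite.All (the permissions the question names); the parameter names and placeholder values are assumptions.

```powershell
# Added example (not the question's or the answer's code). Parameter names and
# placeholder values are assumptions; supply your own.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ServicePrincipalId,
    [Parameter(Mandatory)] [string] $ServicePrincipalKey,
    [Parameter(Mandatory)] [string] $ApiAppObjectId,   # object id (not appId) of the WebAPI registration
    [Parameter(Mandatory)] [string] $ClientAppId,      # appId of the front-end app to pre-authorize
    [Parameter(Mandatory)] [string] $ScopeId           # id of the scope exposed by the WebAPI
)
$ErrorActionPreference = 'Stop'

# 1. Client-credentials token. The resource must be Microsoft Graph: the PATCH
#    below goes to graph.microsoft.com, so a token issued for graph.windows.net
#    (Azure AD Graph, as in the question's first attempt) will not be accepted there.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ServicePrincipalId
        client_secret = $ServicePrincipalKey
        resource      = 'https://graph.microsoft.com/'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Read what is already there. PATCH replaces the whole collection, so an
#    unconditional write would silently drop every other pre-authorized client.
$appUrl  = "https://graph.microsoft.com/beta/applications/$ApiAppObjectId"
$app     = Invoke-RestMethod -Method Get -Uri $appUrl -Headers $headers
$preAuth = @($app.api.preAuthorizedApplications)

$entry = $preAuth | Where-Object { $_.appId -eq $ClientAppId } | Select-Object -First 1
if ($null -eq $entry) {
    # New client: add an entry with just this scope.
    $preAuth += [pscustomobject]@{ appId = $ClientAppId; permissionIds = @($ScopeId) }
} elseif ($entry.permissionIds -notcontains $ScopeId) {
    # Client already pre-authorized for other scopes: extend its list, keep the rest.
    $entry.permissionIds = @($entry.permissionIds) + $ScopeId
}
# (If the entry and scope are both present nothing changes; the PATCH is a no-op.)

# 3. Write back only api.preAuthorizedApplications; HTTP 204 No Content means success.
$patchBody = @{ api = @{ preAuthorizedApplications = $preAuth } } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Uri $appUrl -Headers $headers `
    -ContentType 'application/json' -Body $patchBody
```

A 403 from step 3 with a valid token (the question's Attempt 1) points at the application permission not being granted or not admin-consented, not at the token request itself.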
