How to configure a new Azure AD application through Powershell?


Question

I am creating a new Azure AD application through Powershell. I have successfully created the application and assigned a client_secret with the following PowerShell command:

$app = New-AzureRmADApplication -DisplayName "PowerShell-Test-POC2" -HomePage "http://www.microsoft.com" -IdentifierUris "http://kcuraonedrive.onmicrosoft.com/PowerShell-Test-POC2" -AvailableToOtherTenants $true

My question is: how do I go about configuring this newly created application through Powershell (i.e. Required permissions and Reply URLs)?

Answer

I would suggest rather using the new Azure AD v2 cmdlets: https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory.

They are more versatile than the ARM ones, and allow you to specify things like keys and reply URLs more easily.

For example, to add reply URLs:

Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -ReplyUrls @("https://localhost:8080","https://localhost:8081")

To add a required permission, you have to find out a couple of things. You will need the appId of the service principal on which the permissions are defined. (I found the Microsoft Graph API principal in my tenant.) Then you need to find the appRole or oauth2Permission that you want to require; you will need its id.

Then add the required permissions:

# One RequiredResourceAccess entry per resource API (here: Microsoft Graph)
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
# Delegated permission: id of the oauth2Permission (User.Read), type "Scope"
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
# Application permission: id of the appRole (Calendars.Read), type "Role"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
# appId of the Microsoft Graph service principal
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req

The ResourceAppId is the appId of the service principal for the Microsoft Graph API. The ResourceAccess object in this case contains two requirements. The first one holds the id of the oauth2Permission I want to require, as well as specifying that it is a delegated permission. The second contains an app permission; the id is the object id of the appRole.

Scope = delegated permission

Role = application permission

To find the service principal you need, you can run:

Get-AzureADServicePrincipal
ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
f004dde9-b40f-4259-91be-e257009a444a 00000003-0000-0000-c000-000000000000 Microsoft Graph

Then get the principal and list out the delegated permissions:

$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
Id                                   AdminConsentDisplayName                                           Value
--                                   -----------------------                                           -----
e1fe6dd8-ba31-4d61-89e7-88639da4683d Sign in and read user profile                                     User.Read

Or if you need an app permission:

$msGraph.AppRoles | select Id,DisplayName,Value
Id                                   DisplayName                                            Value
--                                   -----------                                            -----
798ee544-9d2d-430c-a058-570e29e34338 Read calendars in all mailboxes                        Calendars.Read

The id is what matters.

For scripts, the nice thing is that the application id for MS services is always the same. The permission ids are also the same in all tenants. So for example:

  • Microsoft Graph API
    • AppId: 00000003-0000-0000-c000-000000000000
  • Azure AD Graph API
    • AppId: 00000002-0000-0000-c000-000000000000
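The answer above hardcodes permission ids and an application ObjectId. The following is an added example, not code from the original answer, that performs the same configuration end to end: it resolves the Microsoft Graph service principal by its well-known appId, looks permissions up by their Value (User.Read, Calendars.Read) instead of pasting ids, sets reply URLs and required permissions in one call, and then reads the result back and maps ids to names so the declared permissions can be reviewed before anyone grants consent. It assumes the AzureAD module is installed and Connect-AzureAD has been run; the application display name, reply URL and permission names are assumptions for illustration. Note that Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK; the example keeps the answer's cmdlets so that it matches the text.

```powershell
# Added example (not from the original answer). Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run. Display name, reply URL
# and permission names below are assumptions chosen for illustration.

# Well-known appId of the Microsoft Graph service principal (same in every tenant).
$graphAppId = "00000003-0000-0000-c000-000000000000"

# Resolve the Microsoft Graph service principal in the current tenant.
$msGraph = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $msGraph) { throw "Microsoft Graph service principal not found in this tenant." }

# Look permissions up by Value (e.g. User.Read) instead of hardcoding ids, and
# fail loudly on a typo rather than silently declaring nothing.
function Get-DelegatedPermissionId([string]$Value) {
    $p = $msGraph.Oauth2Permissions | Where-Object { $_.Value -eq $Value }
    if (-not $p) { throw "Delegated permission '$Value' not found on Microsoft Graph." }
    return $p.Id
}
function Get-AppPermissionId([string]$Value) {
    $p = $msGraph.AppRoles | Where-Object { $_.Value -eq $Value }
    if (-not $p) { throw "Application permission '$Value' not found on Microsoft Graph." }
    return $p.Id
}

# Permissions to declare. Keep this list minimal: "Role" entries are application
# permissions, which act on the whole tenant and require admin consent.
$delegated = @("User.Read")        # assumed: needed for the interactive sign-in
$appRoles  = @("Calendars.Read")   # assumed: needed by the non-interactive part

$access = @()
foreach ($v in $delegated) {
    $access += New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" `
        -ArgumentList (Get-DelegatedPermissionId $v), "Scope"
}
foreach ($v in $appRoles) {
    $access += New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" `
        -ArgumentList (Get-AppPermissionId $v), "Role"
}

$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$req.ResourceAppId  = $graphAppId
$req.ResourceAccess = $access

# Find the app by display name (assumed name) rather than pasting an ObjectId,
# and refuse to continue if the name is ambiguous.
$app = @(Get-AzureADApplication -Filter "displayName eq 'PowerShell-Test-POC2'")
if ($app.Count -ne 1) { throw "Expected exactly one application, found $($app.Count)." }
$app = $app[0]

# Apply reply URLs and required permissions in one call. Only exact https URLs:
# a token can be delivered to any URL in this list. Note that both parameters
# replace the existing lists rather than appending to them.
Set-AzureADApplication -ObjectId $app.ObjectId `
    -ReplyUrls @("https://localhost:8080/signin-oidc") `
    -RequiredResourceAccess @($req)

# Read the result back and translate ids to names for review.
$app = Get-AzureADApplication -ObjectId $app.ObjectId
foreach ($rra in $app.RequiredResourceAccess) {
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
    foreach ($ra in $rra.ResourceAccess) {
        $name = if ($ra.Type -eq "Scope") {
            ($sp.Oauth2Permissions | Where-Object { $_.Id -eq $ra.Id }).Value
        } else {
            ($sp.AppRoles | Where-Object { $_.Id -eq $ra.Id }).Value
        }
        "{0,-20} {1,-6} {2}" -f $sp.DisplayName, $ra.Type, $name
    }
}
```

Two points worth keeping in mind when running this: setting RequiredResourceAccess only declares what the application asks for, it does not grant anything, so an admin (or, for delegated permissions, a user) still has to consent before tokens carry those permissions; and because Set-AzureADApplication replaces the whole list, any permissions for other resource APIs that were declared earlier must be included again in the same call or they are dropped.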
