Retrieve application permissions of a service principal using the AzureAD module


Question

Using the AzureAD module, I can retrieve all delegated permissions for a service principal using the Get-AzureADServicePrincipalOAuth2PermissionGrant cmdlet. However, I can't find a similar cmdlet to retrieve the application permissions for a service principal in this module.

Does the AzureAD module provide a way to retrieve application permissions for a service principal?

Answer

Application permission assignments are represented as appRoleAssignments in the directory. It is literally assigning a role to the app's service principal.

Using the V2 module:

There are two ways to approach getting the roles.

What permissions have been assigned to principal A?

Get-AzureADServiceAppRoleAssignedTo -ObjectId eea0d6cd-20e2-4b81-97ca-5b0cbffac985 | fl

Here I am getting what app permissions have been assigned to this principal.

Who has permissions on principal A?

Get-AzureADServiceAppRoleAssignment -ObjectId f004dde9-b40f-4259-91be-e257009a444a | fl

Here the object id is for Microsoft Graph. It lists out all principals who have been assigned any app permissions on it.

Either way you still get a list of AppRoleAssignments.

  • Id = Id of the AppRole that was assigned
  • PrincipalId = ObjectId of the service principal the permission is assigned to
  • ResourceId = ObjectId of the service principal that provides the permission

You will need to join the assignments with the right roles yourself. You can print out the app roles that e.g. MS Graph offers quite easily:

$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.AppRoles | fl

Example:

AllowedMemberTypes : {Application}
Description        : (Preview) Allows the app to read all files in all site collections without a signed in user.
DisplayName        : Read files in all site collections (preview)
Id                 : 01d4889c-1287-42c6-ac1f-5d1e02578ef6
IsEnabled          : True
Value              : Files.Read.All
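As an added example (not code from the original answer), the join described above done in PowerShell with the AzureAD module: each AppRoleAssignment returned for a principal is matched, by its Id, against the AppRoles of the resource service principal it points at, so that an auditor sees permission names such as Files.Read.All instead of bare GUIDs. It assumes Connect-AzureAD has already been run; the function name is an assumption of this example.

```powershell
# Added example, not code from the original answer.
# Resolves the application permissions granted to a service principal into
# readable permission names by joining each AppRoleAssignment with the
# AppRoles of the resource service principal it points at.
# Assumes the AzureAD module is loaded and Connect-AzureAD has been run.
function Get-ServicePrincipalAppPermissions {
    param(
        [Parameter(Mandatory = $true)]
        [string] $ObjectId   # ObjectId of the service principal being audited
    )

    # Resource service principals (e.g. Microsoft Graph) are fetched once each.
    $resourceCache = @{}

    Get-AzureADServiceAppRoleAssignedTo -ObjectId $ObjectId -All $true |
        ForEach-Object {
            $assignment = $_
            if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
                $resourceCache[$assignment.ResourceId] =
                    Get-AzureADServicePrincipal -ObjectId $assignment.ResourceId
            }
            $resource = $resourceCache[$assignment.ResourceId]

            # The assignment's Id is the Id of the AppRole that was granted;
            # match it against the resource's AppRoles to recover its Value.
            $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.Id }

            # A missing match (role removed or disabled on the resource) is
            # reported rather than silently dropped.
            $permission  = if ($role) { $role.Value } else { '<role not found on resource>' }
            $description = if ($role) { $role.Description } else { $null }
            $enabled     = if ($role) { $role.IsEnabled } else { $null }

            [pscustomobject]@{
                Resource    = $resource.DisplayName
                Permission  = $permission
                Enabled     = $enabled
                AppRoleId   = $assignment.Id
                Description = $description
            }
        } | Sort-Object Resource, Permission
}

# Usage: list every application permission granted to one service principal.
# Get-ServicePrincipalAppPermissions -ObjectId <service-principal-object-id> | Format-Table -AutoSize
```

Running the same function over every service principal from Get-AzureADServicePrincipal -All $true gives a tenant-wide inventory of granted application permissions, which is the usual starting point for reviewing over-privileged apps.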
