如何使用Azure Active Directory PowerShell V2授予权限 [英] How to 'Grant Permissions' Using Azure Active Directory PowerShell V2
问题描述
我已使用 Azure脚本化了Azure Active Directory应用程序的创建Active Directory PowerShell V2 ,并尝试使用隐式流在我的单页应用程序(SPA)中使用委派权限来调用已定义应用程序角色的API.
I've scripted the creation of my Azure Active Directory Application using Azure Active Directory PowerShell V2 and am trying to use Delegated Permissions in my Single Page Application (SPA) using implicit flow to call an API with Application Roles defined.
我需要使用什么PowerShell命令在Azure门户中的应用程序设置"下复制授予权限"按钮:
What PowerShell command do I need to use to replicate the 'Grant Permissions' button in the Azure Portal under the Applications Settings:
根据文档:
使用ADAL.js的单页应用程序(SPA)当前需要使用授予权限"按钮来授予明确的同意,因为在没有同意提示的情况下请求访问令牌,如果尚未获得同意,该访问令牌将失败.
Granting explicit consent using the Grant Permissions button is currently required for single page applications (SPA) using ADAL.js, as the access token is requested without a consent prompt, which will fail if consent is not already granted.
此外,您如何得知是否已授予权限?该按钮始终是可单击的?如果你问我,糟糕的用户体验.
Also, how do you tell if permissions have been granted or not? The button is always clickable? Terrible UX if you ask me.
推荐答案
此按钮实际上是在征得管理员同意.这将同意租户中的所有用户.对于您的情况,如果要避免 Azure Portal ,可以在SPA中而不是在PowerShell中强制同意.
This button is effectively doing admin consent. This will consent for all users in the tenant. For your case, you can force consent in the SPA rather than in PowerShell if you want to avoid the Azure Portal.
为此,您的SPA应在&prompt=consent或&prompt=admin_consent上添加到身份验证请求中.前者应在新用户首次登录时应用,而后者您可以进行一次(使用管理员帐户登录),并且所有用户都同意.
To do this, your SPA should append on the auth request either &prompt=consent or &prompt=admin_consent. The former should be applied each time a new user signs in for the first time, whereas the latter you could do one time (sign in w/ an admin account) and it would consent for all users.
结帐 查看全文
