如何通过代码设置Azure Active Directory服务主体的属性? [英] How to set properties of Azure Active Directory service principal from code?

问题描述

我已经从图库创建了AAD应用程序.应用程序注册部分有一个，企业应用程序中有一个.应用程序注册应用程序指向企业应用程序(本地目录中的托管应用程序).

I have created AAD application from gallery. There is one in app registrations section and one in enterprise applications. App registrations application points to the enterprise app (managed application in local directory).

我想为企业应用程序配置SAML SSO.必须设置一些必需的属性.

I want to configure SAML SSO for the enterprise app. There are a few required properties which have to be set.

我能够设置Sign on URL(使用图形API)，但是我不能设置Identifier (Entity ID)和Reply URL.我认为这可以完成工作:

I am able to set Sign on URL (using graph api), but I cannot set Identifier (Entity ID) and Reply URL. I thought that this will do the job:

Set-AzureADApplication -ObjectId <id of app from App registrations> 
         -IdentifierUris $Identifiers -ReplyUrls $ReplyUrls

，但企业应用未更改.另外，Set-AzureADServicePrincipal似乎对我不起作用.

but the enterprise app is untouched. Also Set-AzureADServicePrincipal doesn't seem to work for me.

没有错误.刷新后，门户网站上没有任何更改.我已连接到正确的租户，并安装了新模块.

There are no errors. Nothing changed on the portal after refresh. I am connected to correct tenant and have fresh modules installed.

我也尝试使用RM:Update-AzureRmADApplication，Set-AzureRmADApplication，Set-AzureRmADServicePrincipal，Update-AzureRmADServicePrincipal. 我也找不到有效的图形API.

I tried also with RM: Update-AzureRmADApplication, Set-AzureRmADApplication, Set-AzureRmADServicePrincipal, Update-AzureRmADServicePrincipal. I also couldn't find a working graph api.

有没有办法通过代码做到这一点?也许我只是做错了什么，对您有用吗?我将不胜感激.谢谢

Is there a way to do this from code? Maybe I am just doing something wrong and it's working for you? I would be grateful for some help. Thanks

推荐答案

但企业应用程序未受影响.

but enterprise app is untouched.

实际上，该企业已受到影响，我们可以在使用Set-AzureADApplication后通过Microsoft Graph对其进行检查，它只是没有出现在门户中，可能是一个错误，我不确定./p>

Actually, the enterprise has been affected, we could check it via Microsoft Graph after using Set-AzureADApplication, it just not appear in the portal, may be a bug, I am not sure.

$Identifiers = @(
    "http://www.tableau.com/products/server",
    "https://azure.idtest.link"
)
$ReplyUrls = @(
    "https://azure.rptest.link/wg/saml/SSO/index.html"
)
Set-AzureADApplication -ObjectId <object-id of the AD App> -IdentifierUris $Identifiers -ReplyUrls $ReplyUrls 

如果我们是第一次在门户中设置它们，然后再次运行命令，您会发现它可行.

If we set them in the portal at first time, then run the commands again, you will find it works.

并且看来没有办法通过powrshell或API设置Default Reply URL，如果我们设置的Reply URL与门户中的手动设置不同，则会显示如下提示.

And it looks there is no way to set the Default Reply URL via powrshell or API, if we set the Reply URL which is different from the one set manually in the portal, it will have a prompt like below.

但是，如果我们仔细研究，实际上会选中Default选项.

But if we look into it, actually the Default option is checked.

最终，我找到了窍门，这不是一个错误，我们只需要首先通过Microsoft Graph为服务主体设置preferredSingleSignOnMode，然后就无需在门户中手动配置它了.

Eventually, I find the trick, it is not a bug, we just need to set the preferredSingleSignOnMode for the service principal first via Microsoft Graph, then we won't need to configure that in the portal manually.

示例:

PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>

{
  "preferredSingleSignOnMode":"saml",
  "loginUrl": "https://azure.signtest.link"
}

这篇关于如何通过代码设置Azure Active Directory服务主体的属性?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！