Azure service principal: Grant an appRoleAssignment for a service principal does update the original permission's status


Problem description


I am trying to grant admin consent to assigned permissions using the Microsoft Graph APIs. The steps I performed are as follows:

  1. Create an application with the "appRoles" array defined.

  2. Create a service principal with the appId.

  3. Grant an appRoleAssignment for a service principal. I ran an HTTP POST request:

https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo

  4. In the Azure portal, instead of granting the originally present permission, I see it creating another permission and granting consent to it, as displayed in the picture below.

Why is it not granting the original permission, even though the 'appRoleId' is the same? I want to grant the original permission; can someone tell me? Thanks.

Solution

Of course it will not grant the original permission: when you create an application and expose an API permission, that permission and the permission in Exchange are two totally different permissions from different APIs, no matter what appRoleId they use.

To grant the full_access_as_app application permission to your app, follow the steps below.

1. Navigate to your AD App in the portal -> Manifest -> requiredResourceAccess, get the resourceAppId and id, and note the id down as appRoleId.

2. Navigate to Azure Active Directory in the portal -> Enterprise applications -> search for the resourceAppId obtained in step 1; you will find Office 365 Exchange Online -> click it -> Overview -> get the Object ID, and note it down as resourceId.

Note: this Object ID is different in different AAD tenants.

3. Navigate to your AD App -> click Managed application in local directory, then get the Object ID and note it down as principalId.

4. Then call the Microsoft Graph API you used, Grant an appRoleAssignment for a service principal, with the values obtained above.

POST https://graph.microsoft.com/v1.0/servicePrincipals/<resourceId>/appRoleAssignedTo

{
  "principalId": "<principalId>",
  "resourceId": "<resourceId>",
  "appRoleId": "<appRoleId>"
}

I tested it in the Graph Explorer:

Check the result in the portal; it works fine.
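The four steps above as one function, added here as an example and not code from the answer or from Microsoft. It reads requiredResourceAccess from a constructed manifest, resolves each resourceAppId to that API's service principal in a constructed tenant directory (lookup_service_principal stands in for the Graph query GET /servicePrincipals?$filter=appId eq '<appId>'), and builds the POST to /servicePrincipals/{resourceId}/appRoleAssignedTo. It also flags the exact mistake in the question (posting to the app's own service principal with its own object id as resourceId) and separates delegated "Scope" entries, which an appRoleAssignment cannot grant. Every GUID except the Exchange Online appId is invented, and the manifest deliberately reuses one GUID for the app's own role and for the Exchange role, as in the question.

```python
"""Grant an application permission to a service principal via appRoleAssignment.

Added example, not code from the original answer. Every GUID except
EXCHANGE_APP_ID is a constructed sample value, and lookup_service_principal()
stands in for the Graph query GET /servicePrincipals?$filter=appId eq '<appId>'.
"""
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

# Exchange Online's appId is the same in every tenant; its service principal
# object id is not, which is why the answer has you look it up per tenant.
EXCHANGE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
OUR_APP_ID = "11111111-1111-1111-1111-111111111111"       # constructed
SHARED_ROLE_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # constructed

# Constructed manifest (Manifest blade in the portal). The app exposes a role with
# the *same* GUID as the Exchange role it requires: two unrelated roles on two APIs.
SAMPLE_MANIFEST = {
    "appId": OUR_APP_ID,
    "appRoles": [{"id": SHARED_ROLE_ID, "value": "full_access_as_app",
                  "allowedMemberTypes": ["Application"]}],
    "requiredResourceAccess": [{
        "resourceAppId": EXCHANGE_APP_ID,
        "resourceAccess": [
            {"id": SHARED_ROLE_ID, "type": "Role"},                           # application permission
            {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"},  # delegated permission
        ],
    }],
}

# Constructed stand-in for the Enterprise applications blade: appId -> object id.
SAMPLE_TENANT = {
    EXCHANGE_APP_ID: "33333333-3333-3333-3333-333333333333",  # "Office 365 Exchange Online" SP
    OUR_APP_ID: "44444444-4444-4444-4444-444444444444",        # our "Managed application in local directory"
}


def lookup_service_principal(app_id, tenant):
    """Resolve an appId to its service principal object id in this tenant.

    Stand-in for GET /servicePrincipals?$filter=appId eq '{app_id}'&$select=id.
    A missing entry means the API has no service principal in the tenant yet,
    so there is nothing to POST the assignment to.
    """
    uuid.UUID(app_id)  # fail early on a mis-pasted id
    if app_id not in tenant:
        raise LookupError(f"no service principal for appId {app_id} in this tenant")
    return tenant[app_id]


def build_app_role_assignments(manifest, tenant):
    """Return (url, body) for every *application* permission the manifest requires.

    Only "Role" entries become appRoleAssignments. "Scope" entries are delegated
    permissions and are returned separately so the caller grants them through
    /oauth2PermissionGrants instead of silently dropping them.
    """
    principal_id = lookup_service_principal(manifest["appId"], tenant)
    assignments, skipped_scopes = [], []
    for resource in manifest["requiredResourceAccess"]:
        # The POST goes to the *resource* API's service principal, never our own.
        resource_id = lookup_service_principal(resource["resourceAppId"], tenant)
        for access in resource["resourceAccess"]:
            if access["type"] == "Scope":
                skipped_scopes.append((resource["resourceAppId"], access["id"]))
                continue
            body = {"principalId": principal_id, "resourceId": resource_id,
                    "appRoleId": access["id"]}
            url = f"{GRAPH}/servicePrincipals/{resource_id}/appRoleAssignedTo"
            assignments.append((url, body))
    return assignments, skipped_scopes


def is_self_assignment(body):
    """True when the assignment targets the app's own SP instead of the API's SP.

    This is what the question's request did: the appRoleId matched a role the
    app itself exposes, so a new assignment of *that* role was created and the
    Exchange permission in the portal stayed unconsented.
    """
    return body["principalId"] == body["resourceId"]


if __name__ == "__main__":
    good, scopes = build_app_role_assignments(SAMPLE_MANIFEST, SAMPLE_TENANT)
    for url, body in good:
        print("POST", url, body, "self-assignment:", is_self_assignment(body))
    print("delegated scopes to grant via /oauth2PermissionGrants:", scopes)
    own_sp = SAMPLE_TENANT[OUR_APP_ID]  # the mistaken request from the question, for contrast
    wrong = {"principalId": own_sp, "resourceId": own_sp, "appRoleId": SHARED_ROLE_ID}
    print("question's request is a self-assignment:", is_self_assignment(wrong))
```

Run is_self_assignment before every POST: appRoleAssignedTo on your own service principal accepts an appRoleId that matches a role your own app exposes, so a mixed-up resourceId produces a new, consented self-assignment rather than an error, which is the extra permission the question saw in the portal.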
