如何通过 Powershell 配置新的 Azure AD 应用程序? [英] How to configure a new Azure AD application through Powershell?
问题描述
我正在通过 Powershell 创建一个新的 Azure AD 应用程序.我已成功创建应用程序并使用以下 PowerShell 命令分配了 client_secret
:
I am creating a new Azure AD application through Powershell. I have successfully created the application and assigned a client_secret
with the following PowerShell command:
$app = New-AzureRmADApplication -DisplayName "PowerShell-Test-POC2" -HomePage "http://www.microsoft.com" -IdentifierUris "http://kcuraonedrive.onmicrosoft.com/PowerShell-Test-POC2" -AvailableToOtherTenants $true
我的问题是如何通过 Powershell 配置这个新创建的应用程序(即所需的权限和回复 URL)?
My question is how do I go about configuring this newly created application through Powershell, (i.e. Required permissions and Reply URLs)?
推荐答案
我建议使用新的 Azure AD v2 cmdlet:https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory.
I would suggest to rather use the new Azure AD v2 cmdlets: https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory.
它们比 ARM 的更通用,并且允许您指定诸如密钥、回复 URL 之类的内容.
They are more versatile than the ARM ones, and allow you to specify things like keys, reply URLs more easily.
例如,添加回复网址:
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -ReplyUrls @("https://localhost:8080","https://localhost:8081")
要添加所需的权限,您必须了解一些事项.定义权限的服务主体,您将需要其 appId.(我从我的租户那里找到了 Microsoft Graph API 主体)然后您需要找到您想要的 appRole 或 oauth2Permission.您将需要它的 ID.
To add a required permission, you have to find out a couple things. The service principal on which the permissions are defined, you will need its appId. (I found the Microsoft Graph API principal from my tenant) Then you need to find the appRole or oauth2Permission that you want to require. You will need its id.
然后添加委托权限:
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req
ResourceAppId 是 Microsoft Graph API 的服务主体的 appId.本例中的 ResourceAccess 对象包含两个要求.第一个包含我想要的 oauth2Permission 的 id,并指定它是委托权限.第二个包含一个app权限,id是appRole的对象id.
The ResourceAppId is the appId of the service principal for the Microsoft Graph API. The ResourceAccess object in this case contains two requirements. First one holds the id of the oauth2Permission I want to require, as well as specifying that it is a delegated permission. The second contains an app permission, the id is the object id of the appRole.
范围 = 委托权限
角色 = 应用权限
要查找您需要的服务主体,您可以运行:
To find the service principal you need, you can run:
Get-AzureADServicePrincipal
ObjectId AppId DisplayName
-------- ----- -----------
f004dde9-b40f-4259-91be-e257009a444a 00000003-0000-0000-c000-000000000000 Microsoft Graph
然后获取主体并列出委托的权限:
Then get the principal and list out delegated permissions:
$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
Id AdminConsentDisplayName Value
-- ----------------------- -----
e1fe6dd8-ba31-4d61-89e7-88639da4683d Sign in and read user profile User.Read
或者如果您需要应用权限:
Or if you need an app permission:
$msGraph.AppRoles | select Id,DisplayName,Value
Id DisplayName Value
-- ----------- -----
798ee544-9d2d-430c-a058-570e29e34338 Read calendars in all mailboxes Calendars.Read
Id 很重要.
对于脚本来说,好消息是 MS 服务的应用程序 ID 总是相同的.所有租户的权限 ID 也相同.例如:
For scripts the nice thing is that the application id for MS services is always same. The permission ids are also same in all tenants. So for example:
- 微软图形 API
- 应用 ID:00000003-0000-0000-c000-000000000000
- 应用 ID:00000002-0000-0000-c000-000000000000
这篇关于如何通过 Powershell 配置新的 Azure AD 应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!