Active Directory 中的管理员同意 [英] Administrator Consent in Active Directory

问题描述

我想我对 Azure AD 下的开发过程缺乏了解.我开发了一个网络应用，通过我们公司网络中的 AD 进行身份验证，并使用我们的一些服务(如 Sharepoint 和 PowerBI).

似乎对于 Sharepoint 的某些功能，我需要管理员同意(在应用程序权限中，我必须设置管理员:必需).当我尝试访问我的应用程序(位于本地主机上)时，它显示:

此应用程序需要另一个应用程序的应用程序权限.对应用程序权限的同意只能由管理员执行.注销并以管理员身份登录或联系您组织的管理员之一.

据我所知，全局管理员需要登录一次应用程序，以便其他用户(如我)可以登录.但是这个工作流程听起来有问题，我不能让我们的管理员去我的电脑登录(我在本地主机上有一个网络应用程序，所以我无法向他发送链接).此外，如果他在地理上位于另一个地方并且无法访问我的电脑怎么办?他也不准备仅仅因为这个而给我全局管理员权限.

这听起来很奇怪，我觉得我只是遗漏了一些明显的东西.人们如何在不要求 IT 每次更改身份验证逻辑时访问他们的 PC 的情况下实际开发此类东西?

解决方案

我同意 UX 在这方面并不出色.

仅以管理员身份登录是不够的.您必须使用设置为 admin_consent 的 prompt 查询参数登录.至少在使用 OAuth 端点时是这样.

所以你需要点击一个 URL，比如 https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&redirect_uri=your-encoded-reply-url&response_mode=form_post&response_type=code+id_token&prompt=admin_consent.

将 your-client-id 替换为您应用的客户端 ID，并将 your-encoded-reply-url 替换为您应用的有效回复 URL.如果您的应用程序不是多租户，也将 common 替换为您的租户 ID/域名.

如果您想以简单的方式进行操作，请使用位于

I think I'm missing an understanding of a development process under Azure AD. I develop a web app, that is authenticated via AD in our corp network, and uses some of our services (like Sharepoint and PowerBI).

It seems like for some of the functionality of Sharepoint, I need administrator consent (In app permissions I had to set Admin: Required). When I try to go to my app (which is located on localhost), it displays this:

this application requires application permissions to another application. 
Consent for application permissions can only be performed by an administrator. 
Sign out and sign in as an administrator or
         contact one of your organization's administrators.

As I understood a Global Administrator need to sign in into an application once, so other users (like me) could log in. But this workflow sounds faulty, I cannot ask our admin to go to my pc and sign in (I have a web app on localhost, so I cannot send him the link). Futhermore, what to do if he is located geographically in another place and just cannot go to my pc? He is also not ready to give me global admin rights just because of this.

This just sounds weird, and I feel like I simply missing something obvious. How do people actually develop such things without asking IT to get to their PCs each time they change something in auth logic?

解决方案

I agree the UX is not phenomenal on this one.

Just logging in as an admin is not enough. You have to be logging in with the prompt query parameter set to admin_consent. At least when using the OAuth endpoint.

So you need to hit a URL such as https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&redirect_uri=your-encoded-reply-url&response_mode=form_post&response_type=code+id_token&prompt=admin_consent.

Replace your-client-id with your app's client id, and your-encoded-reply-url with a valid reply URL for your app. Also replace common with your tenant id/domain name if your app is not multi-tenant.

If you want to do it the easy way, use Vittorio's nifty form at his blog. Just enter the tenant id (or common), reply URL, and your app's client id, tick the admin consent checkbox and click Go.

And yes, you need to be an admin in Azure AD to do this, so ask your admin to do this.

EDIT: With the newest update to the Azure Portal came the ability to grant permissions from the portal directly.

If you go to Azure Active Directory in the new portal, find your app registration there and click Grant Permissions under the Required permissions blade.

这篇关于Active Directory 中的管理员同意的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！