如何找到需要 Microsoft Graph“读取目录数据"的 Azure AD 应用程序的管理员同意 URL允许? [英] How can I find the Admin Consent URL for an Azure AD App that requires Microsoft Graph "Read directory data" permission?

问题描述

我正在通过以下示例:

在新的(截至 2018 年 11 月 14 日)应用注册(预览版)体验中，这是在 API 下权限 > 授予管理员同意...:

如果您自己进入此屏幕，您可以复制 URL 并与管理员共享，以帮助他快速找到正确的刀片.

构建同意 URL

即使您的应用不提供 Web 体验，您仍然可以在技术上构建 URL 以请求管理员同意，尽管体验不是很好.有关如何构建管理员同意 URL 的详细信息，请参阅文档:https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#request-the-permissions-from-a-directory-admin.

最简单的形式是:

https://login.microsoftonline.com/common/adminconsent?client_id={client-id}

使用这种方法，一旦管理员同意，他将被重定向到您的应用注册中配置的授权回复 URL 之一(或特定 URL，如果您使用 redirect_uri 参数).如果这是一个不存在的 URL，浏览器将显示错误(例如 404).如果没有为您的应用注册配置回复 URL，Azure AD 将显示错误(例如未配置回复 URL").您应该警告管理员这可能会发生，但由于这些错误将在 已应用同意后显示，因此可以忽略它们.

I am going through the following example:

https://azure.microsoft.com/resources/samples/active-directory-dotnet-webapp-groupclaims/

To run the sample, I need Directory.Read.All permission on Microsoft Graph:

Configure Permissions for your application. To that extent, in the Settings menu, choose the 'Required permissions' section and then, click on Add, then Select an API, and type Microsoft Graph in the textbox. Then, click on Select Permissions and select Directory.Read.All.

Directory.Read.All needs Azure AD Admin consent.
My Azure AD Application does not have a web user interface.

What are my options to have our Azure AD admin provide consent without taking too much of his time?

Our Azure AD admin is a busy and expensive resource. It takes efforts to book his time and I am hoping that I can rehearse the consent process before I involve him.

解决方案

You have two options: using the Azure portal, or building the consent URL.

1. With the Azure portal

   If the app is registered in the same Azure AD tenant where you want the permission, then you can ask the admin to go the app registration in the Azure portal, and then navigate to Settings > Required permissions and click Grant permissions:

   In the new (as of 2018-11-14) App registrations (Preview) experience, this is under API permissions > Grant admin consent for...:

   If you go to this screen yourself, you can copy the URL and share it with the admin to help him get to the right blade quickly.

2. Build the consent URL

   Even if your app doesn't host a web experience, you can technically still build the URL to request admin consent, though the experience isn't great. Details on how to construct the admin consent URL are in the documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#request-the-permissions-from-a-directory-admin.

   The simplest form of this is:

   https://login.microsoftonline.com/common/adminconsent?client_id={client-id}
   

   With this approach, once the admin has granted consent, he will be redirected to one of the authorized reply URLs configured in your app registration (or a specific URL, if you use the redirect_uri parameter). If this is a URL that doesn't exist, this will display an error by the browser (e.g. 404). If there are no reply URLs configured for your app registration, Azure AD will display an error (e.g. "no reply URLs configured"). You should warn the admin that this might happen, but since these errors will be displayed after consent has already been applied, they can be ignored.

这篇关于如何找到需要 Microsoft Graph“读取目录数据"的 Azure AD 应用程序的管理员同意 URL允许?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！