如何为 Azure AD 用户管理 Azure AD 应用角色 [英] How to manage Azure AD App Roles for Azure AD Users

问题描述

1:是否有人知道可以为 Azure AD 中的企业应用程序管理 Azure AD 用户角色的分配(清单中定义的 appRoles)的工具?

我正在谈论如何将角色(特定于应用程序)分配给现有 Azure AD 用户.使用 Azure 门户的过程非常缓慢.

当然，我们可以创建这个工具，但如果这样的工具已经存在就更好了.目前拥有许多 Azure AD 企业应用的大型组织都在使用什么?

2:在门户中手动编辑清单文件真的是最佳实践吗?将文件(AppRoles 部分)与应用程序代码放在 git 中会更有意义.

解决方案

是否有人知道可以为 Azure AD 用户管理角色的工具

AFAIK，没有任何特定工具可用于管理应用程序角色.

总体而言，您应该能够使用以下选项来添加/编辑/更新与应用程序角色相关的选项并将权限分配给现有 AD 用户:

注意:还要知道，如果您要与大量用户打交道，您可以考虑将安全组分配给应用角色，而不是为单个用户执行此操作.这是一个值得考虑的选项，尽管它需要 Azure AD 高级许可证.(更新 - 另请参阅此答案末尾 Philippe Signoret 关于将组分配给应用角色、委派管理分配的组和

您可以使用 AppRoleAssignment Entity 将这些角色分配给现有的 Azure AD 用户等.

Microsoft Graph API -

此处的文档 - 请注意，这仅在 beta 版本中可用 - 所以它还不适用于生产应用程序.

在此处查找 与应用角色分配

对于您的生产应用程序，您可以从 json 文件(源代码控制的一部分，如 git 等)读取应用程序角色，并将其提供给 PowerShell 或 Azure AD Graph API 等编程选项之一.

这是 PowerShell 脚本.还可以查看这些 SO Post，我们在其中讨论了类似但仅在 PowerShell 范围内的内容.

所以发布 1

SO Post 2(此问题讨论解析 json 文件和更新应用程序使用 PowerShell 清单)

Connect-AzureAD -TenantId <Tenant GUID># 创建给定名称和描述的应用程序角色函数 CreateAppRole([string] $Name, [string] $Description){$appRole = 新对象 Microsoft.Open.AzureAD.Model.AppRole$appRole.AllowedMemberTypes = 新对象 System.Collections.Generic.List[string]$appRole.AllowedMemberTypes.Add("用户");$appRole.DisplayName = $Name$appRole.Id = 新向导$appRole.IsEnabled = $true$appRole.Description = $描述$appRole.Value = $名称；返回 $appRole}# 来自 AzureAD 中应用注册的应用程序的 ObjectId$appObjectId = "<您的应用程序对象 ID>"$app = 获取 AzureADApplication -ObjectId $appObjectId$appRoles = $app.AppRoles写入主机添加新角色之前的应用角色.."写入主机 $appRoles$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "这是我的新应用程序角色"$appRoles.Add($newRole)设置-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

完成上述脚本以添加 AppRole 后，为用户分配角色非常简单，并且可以使用直接命令.这是一个示例脚本 -

# 给变量赋值$username = "<你用户的 UPN>"$app_name = "<您的应用程序的显示名称>"$app_role_name = "<应用角色显示名称>"# 获取要分配的用户，以及要分配给应用程序的服务主体$user = Get-AzureADUser -ObjectId "$username"$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"$appRole = $sp.AppRoles |Where-Object { $_.DisplayName -eq $app_role_name }# 将用户分配给应用角色新 AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId$user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id

1: Is anyone aware of a tool that can manage the assignment of Roles for Azure AD Users (the appRoles defined in the manifest) for Enterprise Applications in Azure AD?

I am talking about how to Assign Roles (app specific) to existing Azure AD Users. It’s a very slow process using the Azure Portal for this.

Of course, we could create this tool, but would be nice if such a tool already exists. What are large organizations with many Azure AD Enterprise Apps using today?

2: Is it really best practice to manually edit the manifest file in the portal? Would make more sense to have the file (the AppRoles section) in git along the application code.

解决方案

Is anyone aware of a tool that can manage Roles for Azure AD Users

AFAIK, there isn't any specific tool available to manage Application roles.

Overall, you should be able to use following options for add/edit/update options related to application roles and assigning permissions to existing AD Users:

NOTE: Also know in case you are dealing with a large number of users, you could consider assigning security groups to app roles instead of doing it for individual users. It's an option worth considering, although it requires an Azure AD premium license. (Update - Also see comment from Philippe Signoret at the end of this answer about assigning groups to app roles, delegating management of the assigned groups and self-service group management)

1. Azure Portal by editing application manifest json (you're aware of this already)

2. PowerShell -

   I've added a script for this one at the end. You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication.

   For assigning these roles to existing users, you can use New-AzureADUserAppRoleAssignment as I have shown below with the updated script.

3. Azure AD Graph API -

   You can work with AppRole Type and Application entity for managing app roles themselves. Documentation here

   You can work with AppRoleAssignment Entity for assigning these roles to existing Azure AD users etc. Documentation here

4. Microsoft Graph API -

   Documentation here - Please notice this is available only in beta version - so it's not yet good for production applications.

   Look here for working with App Role Assignments

For your production applications, you could read application roles from a json file (part of source control like git etc.) and feed that into one of the programmatic options like PowerShell or Azure AD Graph API.

Here is the PowerShell script. Also take a look at these SO Post where we discussed something similar but only in scope of PowerShell.

SO Post 1

SO Post 2 (This question discusses parsing json file and updating Application manifest using PowerShell)

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User");
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

Once you are done with above script to add AppRole, then assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that -

# Assign the values to the variables
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId 
$user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id

这篇关于如何为 Azure AD 用户管理 Azure AD 应用角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！