Azure service principal: Grant an appRoleAssignment for a service principal does update the original permission's status


Problem description


I am trying to grant admin consent to assigned permissions using Microsoft Graph APIs. The steps I performed are as follows:

  1. Create an application having an "appRoles" array defined.

  2. Create a service principal with the appId.

  3. Grant an appRoleAssignment for the service principal. I ran an HTTP POST request:

https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo

  4. In the Azure portal, instead of granting the originally present permission, I see it is creating another permission and granting consent to it, as displayed in the picture below.

Why is it not granting the original permission, even though the 'appRoleId' is the same? I want to grant the original permission; can someone tell me? Thanks.

Solution

Of course it will not grant the original permission. When you create an application and expose the API permission, this permission and the permission in Exchange are two totally different permissions from different APIs, no matter what appRoleId they use.

To grant the full_access_as_app Application permission for your app, please follow the steps below.

1. Navigate to your AD App in the portal -> Manifest -> requiredResourceAccess, get the resourceAppId and id, and note the id down as appRoleId.

2. Navigate to Azure Active Directory in the portal -> Enterprise applications -> search for the resourceAppId obtained in step 1, then you will find Office 365 Exchange Online -> click it -> Overview -> get the Object ID, and note it down as resourceId.

Note: This Object ID is different in different AAD tenants.

3. Navigate to your AD App -> click Managed application in local directory, then get the Object ID, and note it down as principalId.

4. Then call the Microsoft Graph API you used, Grant an appRoleAssignment for a service principal, with the values obtained above.

POST https://graph.microsoft.com/v1.0/servicePrincipals/<resourceId>/appRoleAssignedTo

{
  "principalId": "<principalId>",
  "resourceId": "<resourceId>",
  "appRoleId": "<appRoleId>"
}

I tested it in the Graph Explorer:

Check the result in the portal, it works fine.
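The four steps in the answer above, resolved programmatically instead of by copying object IDs out of the portal, as an added example that is not part of the original answer. It uses only the Python standard library, ships with an in-memory stand-in for the two Graph endpoints so it runs offline (pass `graph_call(token)` instead, with a token carrying Application.Read.All and AppRoleAssignment.ReadWrite.All, to run it against a real tenant), and every GUID and object ID in the sample data is a constructed placeholder except the well-known Exchange Online appId; in particular the full_access_as_app role id shown is not the real one.

```python
"""Resolve and grant the application permissions (app roles) an app registration
requests, following the four manual steps in the answer above. Added example, not
code from the original post; assumes a bearer token with Application.Read.All and
AppRoleAssignment.ReadWrite.All when run against a real tenant."""
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
GraphCall = Callable[[str, str, Optional[dict]], dict]  # (method, url, json body) -> json


def required_app_roles(manifest: dict) -> List[Tuple[str, str]]:
    """Step 1: read requiredResourceAccess from the app manifest and return
    (resourceAppId, appRoleId) for every 'Role' entry. 'Scope' entries are
    delegated permissions (granted via oauth2PermissionGrants) and are skipped."""
    roles = []
    for rra in manifest.get("requiredResourceAccess", []):
        for access in rra.get("resourceAccess", []):
            if access.get("type") == "Role":
                roles.append((rra["resourceAppId"], access["id"]))
    return roles


def graph_call(token: str) -> GraphCall:
    """Real transport: urllib against Microsoft Graph with a bearer token."""
    def call(method: str, url: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return call


def service_principal_by_app_id(call: GraphCall, app_id: str) -> dict:
    """Steps 2 and 3: a service principal's object id is tenant-specific, so look
    it up by the global appId instead of hard-coding a value from the portal."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{app_id}'",
                                    "$select": "id,appId,displayName,appRoles"})
    found = call("GET", f"{GRAPH}/servicePrincipals?{query}", None).get("value", [])
    if len(found) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, found {len(found)}")
    return found[0]


def grant_app_roles(call: GraphCall, client_app_id: str, manifest: dict) -> List[dict]:
    """Step 4: POST one appRoleAssignment per required role. The URL and resourceId
    name the resource service principal (Exchange Online here); principalId is the
    client's service principal; appRoleId must be one of the resource's own appRoles."""
    client_sp = service_principal_by_app_id(call, client_app_id)
    created = []
    for resource_app_id, role_id in required_app_roles(manifest):
        resource_sp = service_principal_by_app_id(call, resource_app_id)
        exposed = {role["id"] for role in resource_sp.get("appRoles", [])}
        if role_id not in exposed:
            # The trap in the question: a role id from the client's own manifest means
            # nothing on a resource that does not expose that role.
            raise ValueError(f"{resource_sp['displayName']} does not expose app role {role_id}")
        body = {"principalId": client_sp["id"], "resourceId": resource_sp["id"], "appRoleId": role_id}
        created.append(call("POST", f"{GRAPH}/servicePrincipals/{resource_sp['id']}/appRoleAssignedTo", body))
    return created


class FakeTenant:
    """Constructed in-memory stand-in for the two Graph endpoints used above, so the
    example runs offline; pass graph_call(token) instead to hit a real tenant."""
    def __init__(self, service_principals: List[dict]):
        self.sps = {sp["id"]: sp for sp in service_principals}
        self.assignments: List[dict] = []

    def __call__(self, method: str, url: str, body: Optional[dict] = None) -> dict:
        parsed = urllib.parse.urlparse(url)
        if method == "GET" and parsed.path == "/v1.0/servicePrincipals":
            app_id = urllib.parse.parse_qs(parsed.query)["$filter"][0].split("'")[1]
            return {"value": [sp for sp in self.sps.values() if sp["appId"] == app_id]}
        if method == "POST" and parsed.path.endswith("/appRoleAssignedTo") and body is not None:
            record = {"id": f"assignment-{len(self.assignments) + 1}", **body}
            self.assignments.append(record)
            return record
        raise ValueError(f"unexpected call {method} {url}")


# Constructed sample data: the Exchange Online appId is the well-known value; every
# other GUID is a placeholder (the real full_access_as_app role id is not shown).
EXCHANGE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
FULL_ACCESS_ROLE_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_APP_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE_MANIFEST = {"requiredResourceAccess": [{
    "resourceAppId": EXCHANGE_APP_ID,
    "resourceAccess": [{"id": FULL_ACCESS_ROLE_ID, "type": "Role"},
                       {"id": "33333333-3333-3333-3333-333333333333", "type": "Scope"}]}]}


def sample_tenant() -> FakeTenant:
    return FakeTenant([
        {"id": "exchange-sp-object-id", "appId": EXCHANGE_APP_ID, "displayName": "Office 365 Exchange Online",
         "appRoles": [{"id": FULL_ACCESS_ROLE_ID, "value": "full_access_as_app"}]},
        {"id": "client-sp-object-id", "appId": CLIENT_APP_ID, "displayName": "my-app", "appRoles": []},
    ])


if __name__ == "__main__":
    for assignment in grant_app_roles(sample_tenant(), CLIENT_APP_ID, SAMPLE_MANIFEST):
        print(json.dumps(assignment, indent=2))
```

Looking both service principals up by appId is what makes the note in step 2 (the Object ID differs per tenant) a non-issue, and checking the requested appRoleId against the resource's own appRoles catches the mistake in the question before Graph does: a role id copied from the client's manifest is only meaningful on the resource that exposes it. Keep in mind that this POST is an admin-consent-level grant for the whole tenant, and full_access_as_app reaches every mailbox in Exchange Online; if the app only needs a few mailboxes, scope it with an Exchange application access policy as well.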
