新的 Azure AD 应用程序在通过管理门户更新之前无法运行 [英] New Azure AD application doesn't work until updated through management portal

问题描述

我使用 AAD Graph API 在 Azure AD 中创建了一个新应用程序.(代码)

I have created a new application in Azure AD using the AAD Graph API. (code)

不幸的是，在我访问 Azure 管理门户中的应用程序配置页面并进行外观更改并保存之前，它不允许我的客户端访问请求的资源.删除更改并再次保存后，它仍然有效.更改 + 回退步骤之前和之后的应用程序清单文件完全相同(正如 diff.exe 中所说的一样).

Unfortunately it doesn't let my client access the requested resources until I have been to the application's configuration page in the Azure management portal and made a cosmetic change, and then saved it. After removing the change and saving again, it still works. The application manifest files before the change + change back steps and after them are completely identical (as in diff.exe says they are the same).

比较应用程序认证时返回的 JWT 令牌时，表明更改后访问令牌包含角色"部分.在将应用程序保存到管理门户之前返回的访问令牌中不存在整个角色"部分.

When comparing the JWT tokens returned when the application authenticates, it shows that the post-change access token includes the "roles" section. The entire "roles" section is not present in the access token returned before saving the application in the management portal.

因此，在保存更改时，Azure 管理门户似乎对应用程序做了某些事情".问题是它是什么，我可以使用 AAD 图形 API 做同样的事情吗?

So it seems the Azure management portal does "something" to the application when saving changes. The question is what it is, and can I do the same using the AAD graph API?

推荐答案

有几个问题.Azure 后端的一些错误，现在已经修复，还有一些我不知道的对 API 的缺失调用是必要的.多亏了 MS Support 的一些非常乐于助人的人，我们才得以让它发挥作用.

There were several issues. Some bugs in the backend on Azure, which have now been fixed, and also some missing calls to the API which I didn't know were necessary. Thanks to some very helpful people at MS Support, we were able to get it to work.

在创建应用程序时，您需要执行以下操作:

When creating an application, you need to do the following:

1. 创建一个 应用程序对象.
2. 设置 RequiredResourceAccess，即.应用程序对 Azure Graph API 等具有哪些权限.这是在门户的对其他应用程序的权限"设置中配置的内容.您可以通过手动配置权限来获取必要的 GUID，然后查看应用程序的 AAD 清单文件.
3. 创建一个 应用程序的服务主体.
4. 添加 AppRoleAssignments 到服务主体.

1. Create an application object.
2. Setup the RequiredResourceAccess for the application, ie. which permissions the appliation has to Azure Graph API etc. This is what is configured in the portal's "permissions to other applications" settings. You can get the necessary GUIDs by configuring the permissions manually, and then looking in the application's AAD manifest file.
3. Create a service principal for the application.
4. Add AppRoleAssignments to the service principal.

最后一部分是我之前缺少的.即使您在应用程序对象上配置了RequiredResourceAccess，服务主体仍然需要 AppRoleAssignments 才能真正拥有访问资源的权限.

The final part is what I was missing before. Even though you have configured RequiredResourceAccess on the application object, the service principal still needs the AppRoleAssignments to actually have permission to access the resources.

在创建 AppRoleAssignments 时，要确定要分配哪个 PrincipalId 有点棘手，因为那是其他资源的服务主体的 AAD ObjectId.

When creating the AppRoleAssignments it is a little bit tricky to figure out which PrincipalId to assign, since that is the AAD ObjectId of the service principal for the other resource.

这里是添加 AppRoleAssignment 以访问 Azure AD Graph API 的片段.client 是一个 ActiveDirectoryClient实例，而 sp 是我的应用程序的 ServicePrincipal:

Here is a snippet for adding the AppRoleAssignment to access the Azure AD Graph API. client is an ActiveDirectoryClient instance, and sp is the ServicePrincipal for my application:

// find the azure ad service principal
var aadsp =
     client.ServicePrincipals.Where(csp => csp.AppId == "00000002-0000-0000-c000-000000000000")
     .ExecuteSingleAsync().Result;

// create the app role assignment
var azureDirectoryReadAssignment = new AppRoleAssignment
{
    PrincipalType = "ServicePrincipal",
    PrincipalId = Guid.Parse(sp.ObjectId), //
    Id = Guid.Parse("5778995a-e1bf-45b8-affa-663a9f3f4d04"), // id for Directory.Read
    // azure active directory resource ID
    ResourceId = Guid.Parse(aadsp.ObjectId) // azure active directory resource ID
};
// add it to the service principal
sp.AppRoleAssignments.Add(azureDirectoryReadAssignment);
// update the service principal in AAD
await sp.UpdateAsync();

我的经验是，在新创建的对象在 AAD 中有效之前，您需要等待很短的时间，可能是 2-3 分钟，然后您才能使用新应用程序进行身份验证.

My experience is that you need to wait a short time, maybe 2-3 minutes, before the newly created objects are valid in AAD, and then you can authenticate using the new application.

这篇关于新的 Azure AD 应用程序在通过管理门户更新之前无法运行的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！