How to 'Grant Permissions' Using Azure Active Directory PowerShell V2


Problem description


I've scripted the creation of my Azure Active Directory Application using Azure Active Directory PowerShell V2 and am trying to use Delegated Permissions in my Single Page Application (SPA) using implicit flow to call an API with Application Roles defined.

What PowerShell command do I need to use to replicate the 'Grant Permissions' button in the Azure Portal under the Applications Settings:

According to the Docs:

Granting explicit consent using the Grant Permissions button is currently required for single page applications (SPA) using ADAL.js, as the access token is requested without a consent prompt, which will fail if consent is not already granted.

Also, how do you tell if permissions have been granted or not? The button is always clickable? Terrible UX if you ask me.

Solution

This button is effectively doing admin consent. This will consent for all users in the tenant. For your case, you can force consent in the SPA rather than in PowerShell if you want to avoid the Azure Portal.

To do this, your SPA should append on the auth request either &prompt=consent or &prompt=admin_consent. The former should be applied each time a new user signs in for the first time, whereas the latter you could do one time (sign in w/ an admin account) and it would consent for all users.

Check out understanding Admin and User Consent.
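
The sign-in request described in the answer, as an added example that is not part of the original answer or of ADAL.js: it builds an implicit-flow authorize URL with the chosen `prompt` value and checks the redirect that comes back. It assumes the Azure AD v1 authorize endpoint; the tenant, client id, redirect URI and the helper names `buildAuthorizeUrl` and `parseAuthResponse` are constructed for illustration.

```javascript
// Added example. Tenant, client id and redirect URI are constructed placeholders.
const AUTHORITY = 'https://login.microsoftonline.com'; // Azure AD v1 endpoint host
const PROMPTS = new Map([['none', null], ['user', 'consent'], ['admin', 'admin_consent']]);

// Unguessable value for state and nonce (Web Crypto: browsers, current Node.js).
function randomToken(bytes = 16) {
  const buf = globalThis.crypto.getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the sign-in URL. consentMode: 'none' (normal sign-in), 'user' or 'admin'.
function buildAuthorizeUrl(cfg, consentMode, state = randomToken(), nonce = randomToken()) {
  if (!PROMPTS.has(consentMode)) throw new Error(`unknown consent mode: ${consentMode}`);
  const url = new URL(`${AUTHORITY}/${encodeURIComponent(cfg.tenant)}/oauth2/authorize`);
  url.searchParams.set('response_type', 'id_token');
  url.searchParams.set('client_id', cfg.clientId);
  url.searchParams.set('redirect_uri', cfg.redirectUri);
  url.searchParams.set('state', state); // echoed back; ties the response to this request
  url.searchParams.set('nonce', nonce); // returned as a claim inside the id_token
  const prompt = PROMPTS.get(consentMode);
  if (prompt) url.searchParams.set('prompt', prompt);
  return { url: url.toString(), state, nonce };
}

// Inspect the redirect back to the SPA. The implicit flow returns values in the
// URL fragment. Reject a response whose state does not match the request, and
// report a declined or failed consent, which arrives as an `error` parameter.
// Validating the id_token and comparing its nonce claim is not shown here.
function parseAuthResponse(redirectedUrl, expectedState) {
  const frag = new URLSearchParams(new URL(redirectedUrl).hash.slice(1));
  if (frag.get('state') !== expectedState) return { ok: false, reason: 'state_mismatch' };
  if (frag.has('error')) return { ok: false, reason: frag.get('error') };
  if (!frag.has('id_token')) return { ok: false, reason: 'no_token' };
  return { ok: true, idToken: frag.get('id_token') };
}
```

Use the `'admin'` mode once from an administrator session and the `'user'` mode only on a user's first sign-in; a `prompt` value left on every request shows the consent screen each time.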
