如何为Azure AD用户管理Azure AD应用程序角色 [英] How to manage Azure AD App Roles for Azure AD Users
问题描述
1:是否有人知道可以为Azure AD中的企业应用程序管理Azure AD用户的角色分配(清单中定义的appRoles)的工具?
1: Is anyone aware of a tool that can manage the assignment of Roles for Azure AD Users (the appRoles defined in the manifest) for Enterprise Applications in Azure AD?
我正在谈论如何将角色(特定于应用程序)分配给现有的Azure AD用户.为此,使用Azure门户是一个非常缓慢的过程.
I am talking about how to Assign Roles (app specific) to existing Azure AD Users. It’s a very slow process using the Azure Portal for this.
当然,我们可以创建此工具,但是如果已经存在这样的工具,那就太好了.如今使用大型Azure AD Enterprise应用程序的大型组织是什么?
Of course, we could create this tool, but would be nice if such a tool already exists. What are large organizations with many Azure AD Enterprise Apps using today?
2:在门户网站中手动编辑清单文件真的是最佳实践吗?将git文件(AppRoles部分)和应用程序代码一起存储会更有意义.
2: Is it really best practice to manually edit the manifest file in the portal? Would make more sense to have the file (the AppRoles section) in git along the application code.
推荐答案
有人知道可以为Azure AD用户管理角色的工具
Is anyone aware of a tool that can manage Roles for Azure AD Users
AFAIK,没有任何可用于管理应用程序角色的特定工具.
AFAIK, there isn't any specific tool available to manage Application roles.
总体而言,您应该能够使用以下选项来添加/编辑/更新与应用程序角色相关的选项,并为现有AD用户分配权限:
Overall, you should be able to use following options for add/edit/update options related to application roles and assigning permissions to existing AD Users:
注意:另外,如果您要处理大量用户,也可以考虑将安全组分配给应用程序角色,而不是为单个用户执行此操作.尽管它需要Azure AD高级许可证,但它是一个值得考虑的选项. (更新-另请参见Philippe Signoret在此答案末尾的评论,内容涉及将组分配给应用程序角色,委派分配的组的管理以及
NOTE: Also know in case you are dealing with a large number of users, you could consider assigning security groups to app roles instead of doing it for individual users. It's an option worth considering, although it requires an Azure AD premium license. (Update - Also see comment from Philippe Signoret at the end of this answer about assigning groups to app roles, delegating management of the assigned groups and self-service group management)
-
Azure Portal,方法是编辑应用程序清单json(您已经知道了这一点)
Azure Portal by editing application manifest json (you're aware of this already)
PowerShell-
PowerShell -
最后我为此添加了一个脚本.您可以在使用New-AzureADApplication创建新应用时或在使用Set-AzureADApplication创建现有应用时执行此操作.
I've added a script for this one at the end. You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication.
要将这些角色分配给现有用户,您可以使用New-AzureADUserAppRoleAssignment,如下所示,其中包含更新的脚本.
For assigning these roles to existing users, you can use New-AzureADUserAppRoleAssignment as I have shown below with the updated script.
Azure AD Graph API-
Azure AD Graph API -
您可以使用AppRole类型和应用程序实体来自己管理应用程序角色. 此处的文档
You can work with AppRole Type and Application entity for managing app roles themselves. Documentation here
您可以使用AppRoleAssignment实体将这些角色分配给现有的Azure AD用户等.
You can work with AppRoleAssignment Entity for assigning these roles to existing Azure AD users etc. Documentation here
Microsoft Graph API-
Microsoft Graph API -
此处的文档-请注意,此功能仅在beta版中可用-因此尚不适用于生产应用程序.
Documentation here - Please notice this is available only in beta version - so it's not yet good for production applications.
在此处查找应用角色分配
对于生产应用程序,您可以从json文件(源控件的一部分,如git等)中读取应用程序角色,并将其提供给诸如PowerShell或Azure AD Graph API这样的编程选项之一.
For your production applications, you could read application roles from a json file (part of source control like git etc.) and feed that into one of the programmatic options like PowerShell or Azure AD Graph API.
这是PowerShell脚本.还可以看看这些SO Post,我们在其中讨论了类似的内容,但仅在PowerShell范围内.
Here is the PowerShell script. Also take a look at these SO Post where we discussed something similar but only in scope of PowerShell.
SO Post 2 (此问题讨论了解析json文件和更新Application清单使用PowerShell)
SO Post 2 (This question discusses parsing json file and updating Application manifest using PowerShell)
Connect-AzureAD -TenantId <Tenant GUID>
# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $Name
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = $Description
$appRole.Value = $Name;
return $appRole
}
# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles
$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
完成上述脚本后,即可添加AppRole,然后将角色分配给用户非常简单,并且可以使用直接命令.这是一个示例脚本-
Once you are done with above script to add AppRole, then assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that -
# Assign the values to the variables
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId
$user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
这篇关于如何为Azure AD用户管理Azure AD应用程序角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
