Active Directory中的管理员同意 [英] Administrator Consent in Active Directory

问题描述

我认为我缺少对Azure AD下开发过程的理解。我开发了一个Web应用程序，该Web应用程序通过公司网络中的AD进行了身份验证，并使用了我们的某些服务（例如Sharepoint和PowerBI）。

Sharepoint的功能，我需要管理员同意（在应用程序权限中，我必须设置Admin：必需）。当我尝试转到位于本地主机上的应用程序时，它显示以下内容：

 此应用程序需要具有以下应用程序权限另一个应用程序。 
只能由管理员执行获得应用程序许可的同意。 
以管理员身份退出并登录，或者
与您组织的一位管理员联系。 
  

据我了解，全局管理员需要登录一次应用程序，因此其他用户（例如我） ）可以登录。但是此工作流程听起来有问题，我不能要求管理员进入我的电脑并登录（我在本地主机上有一个Web应用程序，因此无法向他发送链接）。此外，如果他在地理位置上位于另一个地方而无法去我的电脑该怎么办？仅仅因为这个原因，他还没有准备授予我全局管理员权限。

这听起来很奇怪，我觉得我只是想念明显的东西。人们如何真正开发这样的东西，而不必每次更改身份验证逻辑时都要求IT进入其PC？

解决方案

I

仅以管理员身份登录还不够。您必须使用 prompt 查询参数设置为 admin_consent 登录。至少在使用OAuth端点时。

因此，您需要点击以下URL，例如 https://login.microsoftonline.com/common/ oauth2 / authorize？client_id =您的客户端ID& redirect_uri =您的编码的回复URL& response_mode = form_post&response_type = code + id_token& prompt = admin_consent 。

将 your-client-id 替换为应用程序的客户端ID，并将 your-encoded-reply-url 替换为应用程序的有效回复URL 。如果您的应用程序不是多租户，还可以用租户ID /域名替换 common 。

如果您想通过简单的方法来做到这一点，请在

I think I'm missing an understanding of a development process under Azure AD. I develop a web app, that is authenticated via AD in our corp network, and uses some of our services (like Sharepoint and PowerBI).

It seems like for some of the functionality of Sharepoint, I need administrator consent (In app permissions I had to set Admin: Required). When I try to go to my app (which is located on localhost), it displays this:

this application requires application permissions to another application. 
Consent for application permissions can only be performed by an administrator. 
Sign out and sign in as an administrator or
         contact one of your organization's administrators.

As I understood a Global Administrator need to sign in into an application once, so other users (like me) could log in. But this workflow sounds faulty, I cannot ask our admin to go to my pc and sign in (I have a web app on localhost, so I cannot send him the link). Futhermore, what to do if he is located geographically in another place and just cannot go to my pc? He is also not ready to give me global admin rights just because of this.

This just sounds weird, and I feel like I simply missing something obvious. How do people actually develop such things without asking IT to get to their PCs each time they change something in auth logic?

解决方案

I agree the UX is not phenomenal on this one.

Just logging in as an admin is not enough. You have to be logging in with the prompt query parameter set to admin_consent. At least when using the OAuth endpoint.

So you need to hit a URL such as https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&redirect_uri=your-encoded-reply-url&response_mode=form_post&response_type=code+id_token&prompt=admin_consent.

Replace your-client-id with your app's client id, and your-encoded-reply-url with a valid reply URL for your app. Also replace common with your tenant id/domain name if your app is not multi-tenant.

If you want to do it the easy way, use Vittorio's nifty form at his blog. Just enter the tenant id (or common), reply URL, and your app's client id, tick the admin consent checkbox and click Go.

And yes, you need to be an admin in Azure AD to do this, so ask your admin to do this.

EDIT: With the newest update to the Azure Portal came the ability to grant permissions from the portal directly.

If you go to Azure Active Directory in the new portal, find your app registration there and click Grant Permissions under the Required permissions blade.

这篇关于Active Directory中的管理员同意的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！