如何找到需要Microsoft Graph“读取目录数据"的Azure AD应用程序的管理员同意URL.允许? [英] How can I find the Admin Consent URL for an Azure AD App that requires Microsoft Graph "Read directory data" permission?

问题描述

我正在经历以下示例:

https://azure.microsoft.com/资源/样本/active-directory-dotnet-webapp-groupclaims/

要运行该示例，我需要对Microsoft Graph具有Directory.Read.All权限:

To run the sample, I need Directory.Read.All permission on Microsoft Graph:

为您的应用程序配置权限.就此而言， 设置菜单，选择所需权限"部分，然后， 点击添加，然后选择一个API，然后在 文本框.然后，单击选择权限"，然后选择 Directory.Read.All .

Configure Permissions for your application. To that extent, in the Settings menu, choose the 'Required permissions' section and then, click on Add, then Select an API, and type Microsoft Graph in the textbox. Then, click on Select Permissions and select Directory.Read.All.

Directory.Read.所有都需要Azure AD管理员的同意.
我的Azure AD应用程序没有Web用户界面.

Directory.Read.All needs Azure AD Admin consent.
My Azure AD Application does not have a web user interface.

要让我们的Azure AD管理员在不花太多时间的情况下提供同意，我有哪些选择?

What are my options to have our Azure AD admin provide consent without taking too much of his time?

我们的Azure AD管理员是一个忙碌且昂贵的资源.需要花费很多时间来预定他的时间，我希望在参与他之前可以排练同意过程.

Our Azure AD admin is a busy and expensive resource. It takes efforts to book his time and I am hoping that I can rehearse the consent process before I involve him.

推荐答案

您有两个选择:使用Azure门户或构建同意URL.

You have two options: using the Azure portal, or building the consent URL.

1. 使用Azure门户

如果该应用程序在您要获得许可的同一Azure AD租户中注册，则可以要求管理员在Azure门户中进行应用程序注册，然后导航到设置> 所需权限，然后点击授予权限:

If the app is registered in the same Azure AD tenant where you want the permission, then you can ask the admin to go the app registration in the Azure portal, and then navigate to Settings > Required permissions and click Grant permissions:

在新的(截至2018年11月14日)应用程序注册(预览)体验中，这是在 API下 权限> 授予管理员同意... :

In the new (as of 2018-11-14) App registrations (Preview) experience, this is under API permissions > Grant admin consent for...:

如果您自己进入此屏幕，则可以复制该URL并与管理员共享，以帮助他快速找到合适的刀片.

If you go to this screen yourself, you can copy the URL and share it with the admin to help him get to the right blade quickly.

构建同意URL

即使您的应用程序未提供网络体验，从技术上讲，您仍然可以构建URL来征求管理员的同意，尽管这种体验并不好.有关如何构造管理员同意URL的详细信息，请参见文档:

Even if your app doesn't host a web experience, you can technically still build the URL to request admin consent, though the experience isn't great. Details on how to construct the admin consent URL are in the documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#request-the-permissions-from-a-directory-admin.

最简单的形式是:

https://login.microsoftonline.com/common/adminconsent?client_id={client-id}

使用这种方法，一旦管理员同意，他将被重定向到您在应用程序注册中配置的授权回复URL之一(如果使用redirect_uri参数，则将重定向到特定URL).如果该网址不存在，则浏览器将显示错误(例如404).如果没有为您的应用程序注册配置答复URL，Azure AD将显示错误(例如未配置答复URL").您应该警告管理员可能会发生这种情况，但是由于这些错误将在应用同意后 显示，因此可以忽略.

With this approach, once the admin has granted consent, he will be redirected to one of the authorized reply URLs configured in your app registration (or a specific URL, if you use the redirect_uri parameter). If this is a URL that doesn't exist, this will display an error by the browser (e.g. 404). If there are no reply URLs configured for your app registration, Azure AD will display an error (e.g. "no reply URLs configured"). You should warn the admin that this might happen, but since these errors will be displayed after consent has already been applied, they can be ignored.

这篇关于如何找到需要Microsoft Graph“读取目录数据"的Azure AD应用程序的管理员同意URL.允许?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！