New Azure AD application doesn't work until updated through management portal


Question

I have created a new application in Azure AD using the AAD Graph API. (code)

Unfortunately it doesn't let my client access the requested resources until I have been to the application's configuration page in the Azure management portal and made a cosmetic change, and then saved it. After removing the change and saving again, it still works. The application manifest files before the change + change back steps and after them are completely identical (as in diff.exe says they are the same).

When comparing the JWT tokens returned when the application authenticates, it shows that the post-change access token includes the "roles" section. The entire "roles" section is not present in the access token returned before saving the application in the management portal.

So it seems the Azure management portal does "something" to the application when saving changes. The question is what it is, and can I do the same using the AAD graph API?

Answer

There were several issues. Some bugs in the backend on Azure, which have now been fixed, and also some missing calls to the API which I didn't know were necessary. Thanks to some very helpful people at MS Support, we were able to get it to work.

When creating an application, you need to do the following:

  1. Create an application object.
  2. Set up the RequiredResourceAccess for the application, i.e. which permissions the application has to the Azure Graph API etc. This is what is configured in the portal's "permissions to other applications" settings. You can get the necessary GUIDs by configuring the permissions manually, and then looking in the application's AAD manifest file.
  3. Create a service principal for the application.
  4. Add AppRoleAssignments to the service principal.

The final part is what I was missing before. Even though you have configured RequiredResourceAccess on the application object, the service principal still needs the AppRoleAssignments to actually have permission to access the resources.

When creating the AppRoleAssignments it is a little bit tricky to figure out which PrincipalId to assign, since that is the AAD ObjectId of the service principal for the other resource.

Here is a snippet for adding the AppRoleAssignment to access the Azure AD Graph API. client is an ActiveDirectoryClient instance, and sp is the ServicePrincipal for my application:

// using Microsoft.Azure.ActiveDirectory.GraphClient; (namespace of the AAD Graph client library)
// find the Azure AD Graph service principal in this tenant by its well-known AppId
var aadsp =
     await client.ServicePrincipals.Where(csp => csp.AppId == "00000002-0000-0000-c000-000000000000")
     .ExecuteSingleAsync();

// create the app role assignment
var azureDirectoryReadAssignment = new AppRoleAssignment
{
    PrincipalType = "ServicePrincipal",
    PrincipalId = Guid.Parse(sp.ObjectId),   // object id of my application's service principal
    Id = Guid.Parse("5778995a-e1bf-45b8-affa-663a9f3f4d04"), // id for Directory.Read
    ResourceId = Guid.Parse(aadsp.ObjectId)  // object id of the Azure AD Graph service principal
};
// add it to the service principal
sp.AppRoleAssignments.Add(azureDirectoryReadAssignment);
// update the service principal in AAD
await sp.UpdateAsync();

My experience is that you need to wait a short time, maybe 2-3 minutes, before the newly created objects are valid in AAD, and then you can authenticate using the new application.
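The four steps of the answer above carried through end to end, as an added example that is not part of the original question or answer. It uses the same AAD Graph client library as the snippet (`ActiveDirectoryClient`, `Application`, `ServicePrincipal`, `AppRoleAssignment`); the collection-initialiser shapes, the `GetByObjectId` fetcher and the `CurrentPage` paging property are what that library exposes in the versions I have used and should be treated as assumptions for other versions. The only GUIDs are the two already on the page (the AAD Graph resource AppId and the Directory.Read role id). The `VerifyAssignmentAsync` helper is added here as the check a practitioner wants after step 4: it polls for the assignment instead of trusting the write, because of the propagation delay the answer describes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;   // assumption: AAD Graph client library namespace

public static class AppRegistrationExample
{
    // Both values come from the answer above.
    const string AadGraphAppId = "00000002-0000-0000-c000-000000000000";
    static readonly Guid DirectoryReadRoleId = Guid.Parse("5778995a-e1bf-45b8-affa-663a9f3f4d04");

    // Steps 1-4: application object, RequiredResourceAccess, service principal, AppRoleAssignment.
    // 'client' is an authenticated ActiveDirectoryClient for the tenant (assumed to be set up by the caller).
    public static async Task<ServicePrincipal> RegisterAsync(
        ActiveDirectoryClient client, string displayName, string identifierUri)
    {
        // Step 1 + 2: the application object with its RequiredResourceAccess. Type "Role" is an
        // application permission (an app-only grant); "Scope" would be a delegated permission.
        // Only the one role the application actually needs is requested (least privilege).
        var app = new Application
        {
            DisplayName = displayName,
            IdentifierUris = new List<string> { identifierUri },
            RequiredResourceAccess = new List<RequiredResourceAccess>
            {
                new RequiredResourceAccess
                {
                    ResourceAppId = AadGraphAppId,
                    ResourceAccess = new List<ResourceAccess>
                    {
                        new ResourceAccess { Id = DirectoryReadRoleId, Type = "Role" }
                    }
                }
            }
        };
        await client.Applications.AddApplicationAsync(app);

        // Step 3: the service principal for the application in this tenant.
        var sp = new ServicePrincipal
        {
            AppId = app.AppId,
            DisplayName = displayName,
            AccountEnabled = true
        };
        await client.ServicePrincipals.AddServicePrincipalAsync(sp);

        // Step 4: the AppRoleAssignment. ResourceId is the ObjectId of the *resource's* service
        // principal (AAD Graph), not its AppId, which is the part the answer calls tricky.
        var aadsp = await client.ServicePrincipals
            .Where(s => s.AppId == AadGraphAppId)
            .ExecuteSingleAsync();

        sp.AppRoleAssignments.Add(new AppRoleAssignment
        {
            PrincipalType = "ServicePrincipal",
            PrincipalId = Guid.Parse(sp.ObjectId),
            Id = DirectoryReadRoleId,
            ResourceId = Guid.Parse(aadsp.ObjectId)
        });
        await sp.UpdateAsync();
        return sp;
    }

    // Added check: confirm the role assignment is visible on the service principal before
    // handing the credentials to a client. The answer reports a 2-3 minute delay before new
    // objects are valid, so this polls with a bounded number of attempts rather than failing
    // on the first read.
    public static async Task<bool> VerifyAssignmentAsync(
        ActiveDirectoryClient client, string spObjectId, Guid roleId, string resourceObjectId,
        int attempts = 12, TimeSpan? delay = null)
    {
        var wait = delay ?? TimeSpan.FromSeconds(15);
        for (int i = 0; i < attempts; i++)
        {
            var page = await client.ServicePrincipals
                .GetByObjectId(spObjectId)
                .AppRoleAssignments
                .ExecuteAsync();                       // assumption: returns IPagedCollection<IAppRoleAssignment>
            bool found = page.CurrentPage.Any(a =>
                a.Id == roleId &&
                a.ResourceId == Guid.Parse(resourceObjectId));
            if (found) return true;
            await Task.Delay(wait);
        }
        return false;   // caller should treat this as "do not ship the credentials yet"
    }
}
```

Usage: `var sp = await AppRegistrationExample.RegisterAsync(client, "my-api-client", "https://example.invalid/my-api-client");` followed by `await AppRegistrationExample.VerifyAssignmentAsync(client, sp.ObjectId, ...)`, with the resource ObjectId being the `aadsp.ObjectId` looked up in step 4. The identifier URI is a placeholder; the verification loop is what turns the answer's "wait 2-3 minutes" into a condition you can actually test for.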

