Azure应用注册时的API权限问题 [英] API Permission Issue while Azure App Registration

问题描述

我有一个在Azure Active Directory->应用程序注册下注册的API应用程序.该API应用程序公开了端点，这些端点将由组织内部的客户端访问.客户端不是用户，而是将访问端点的后台服务.

I have an API App registered under Azure Active Directory -> App Registrations. This API App is exposing endpoints which will be accessed by clients from within the organization. The clients are not users but background services who will accessing the endpoints.

当我尝试授予客户端访问API应用程序的API权限时，我看到该应用程序权限为禁用/灰色.设置API权限时是否需要做一些其他事情.

When I am trying to grant API Permission for the clients to access the API App I see the Application Permission as disabled/greyed out. Do I need to do something different when setting the API Permissions.

请参阅所附图片.

有没有人遇到这个问题，或者我在做些愚蠢的事情.我们组织中的Azure管理员告诉我他对此无能为力，因为他之前从未见过这样的事情.

Has anyone come across this issue or am I doing something silly. Azure Admin in our organization told me he can't help with this as he hasn't see anything like this before.

推荐答案

很可能您没有为应用程序注册定义任何角色(即应用程序权限)，因此，当您尝试为客户端应用程序添加权限时，只会看到委派权限的选项.

Most probably you haven't defined any roles (i.e. Application Permissions) for your app registration and hence when you try to add permissions for the client application you only see an option for Delegated Permissions.

如何定义角色/应用程序权限

转到Azure门户> Azure AD>应用程序注册> API应用程序的注册>清单

Go to Azure Portal > Azure AD > App Registrations > Registration for your API application > Manifest

在清单JSON中找到"appRoles"集合，如果为空，请在此处添加您自己的appRoles.示例:

Find the "appRoles" collection in Manifest JSON and if it's empty, add your own appRoles here. Example:

"appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Apps that have this role have the ability to invoke my API",
            "displayName": "Can invoke my API",
            "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "MyAPIValidClient"
        }
    ]

请注意，我将"allowedMemberTypes"保留为"Application"，因此只能将其用作"Application Permission".另一种可能性是将用户"作为allowedMemberType，但这是当您想为用户分配角色时的另一种用例，而这并不是您想要的.

Notice that I have kept "allowedMemberTypes" as "Application" so that it can only be used as Application Permission. Other possibility is to have "User" as the allowedMemberType, but that is for a different use case when you want to assign roles to users and that's not what you're looking for.

现在，如果您要向其授予此角色的客户端应用程序注册(应用程序许可)，则应该能够看到应用程序许可"已启用.

Now if you go to the client application registration to which you want to grant this role (Application Permission), you should be able to see "Application Permissions" as enabled.

您还应该能够看到应用程序权限""MyAPIValidClient"及其描述，以供选择.现在，在上面的示例中，我仅定义了一个应用程序许可"，但是如您所见，它是一个数组，因此您也可以定义多个.只需确保您为每个应用程序许可生成新的GUID，并将其作为"id".

You should also be able to see the Application Permission "MyAPIValidClient" with it's description available to be selected. Now I have defined only one Application Permission in example above, but as you can see it's an array, so you can define multiple ones as well. Just make sure you generate new GUID's to be assigend as "id" for each Application Permission.

这篇关于Azure应用注册时的API权限问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！