How can I grant my application full access to the AAD Graph API for my tenant?

Views: 197

Question

I have registered an AAD Application in my Tenant/Directory, and I want to call the Graph API in the App Only Context. (Using the Client Credential Flow)

When making certain AAD Graph API calls, I get the error:

"odata.error":{
    "code":"Authorization_RequestDenied",
    "message":{
        "lang":"en","value":"Insufficient privileges to complete the operation."
    }
}

I want to give this application full access to the Graph API in the context of my tenant.

I want to grant this application permissions to my tenant which are not currently supported with the permissions exposed by the AAD Graph API.

Answer

You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.

Note that this only affects the access your application has within your tenant.

You must also already be a Company Administrator of the tenant in order to follow these instructions.

In order to make the change, you will need to install the Azure Active Directory PowerShell Module.

Once you have the module installed, authenticate to your tenant with your Administrator Account:

Connect-MSOLService

Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.

Search for the Service Principal by App ID GUID:

$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>

Search for the Directory Role by name:

$role = Get-MsolRole -RoleName "Company Administrator"

Now we can use the Add-MsolRoleMember command to add this role to the service principal.

Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

To check everything is working, let's get back all the members of the Company Administrator role:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.

Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed in, using the Client Credential Flow.

Let me know if this helps!
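The steps in the answer above, collected into one script as an added example (this is editorial example code, not part of the original answer). It assumes the same MSOnline cmdlets the answer uses; the `$AppId` and `$RoleName` parameters and the script name are placeholders. Two things the answer leaves to the reader are built in: the role name is a parameter, so a narrower directory role can be chosen where Company Administrator is more than the app needs, and the membership check runs before the add, so re-running the script is harmless. Note that Microsoft has since deprecated the MSOnline module in favour of the Microsoft Graph PowerShell SDK, so treat this as a description of the mechanism rather than a long-term tool.

```powershell
# Grant-AppDirectoryRole.ps1 (placeholder name): idempotent, parameterized version of the
# Connect / Get-MsolServicePrincipal / Get-MsolRole / Add-MsolRoleMember sequence.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')]
    [string]$AppId,                                   # Application (client) ID of the app registration

    # Defaults to the role the answer uses; pass a narrower role where one is sufficient.
    [string]$RoleName = "Company Administrator"
)

# Fail fast if the module is missing instead of erroring on the first cmdlet.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    throw "MSOnline module not found. Run 'Install-Module MSOnline' and re-run this script."
}
Import-Module MSOnline -ErrorAction Stop

# Interactive sign-in; the signed-in account must itself hold Company Administrator.
Connect-MsolService

# Resolve the service principal from the App ID. No result usually means the application
# has not been instantiated (consented) in this tenant yet.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppId -ErrorAction SilentlyContinue
if (-not $sp) { throw "No service principal for App ID $AppId exists in this tenant." }

$role = Get-MsolRole -RoleName $RoleName -ErrorAction SilentlyContinue
if (-not $role) { throw "Directory role '$RoleName' was not found." }

# Look before adding, so a second run reports the existing membership instead of failing.
$alreadyMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' -and $_.ObjectId -eq $sp.ObjectId }

if ($alreadyMember) {
    Write-Host "'$($sp.DisplayName)' is already a member of '$RoleName'."
}
elseif ($PSCmdlet.ShouldProcess("$($sp.DisplayName) ($($sp.ObjectId))", "Add to directory role '$RoleName'")) {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $sp.ObjectId
}

# Verification: list every service principal holding the role, not only this one, so any
# other app-only holders of an administrative role are visible in the same run.
$spMembers = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' }

Write-Host "Service principals holding '$RoleName':"
$spMembers | Select-Object DisplayName, ObjectId | Format-Table -AutoSize

if (-not ($spMembers | Where-Object { $_.ObjectId -eq $sp.ObjectId })) {
    throw "Role assignment did not take effect for '$($sp.DisplayName)'."
}

# Rollback, for when the elevated access is no longer needed (same identifiers, opposite cmdlet):
# Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
```

Run it once with `-WhatIf` (`.\Grant-AppDirectoryRole.ps1 -AppId <App ID GUID> -WhatIf`) to see which service principal would be added to which role before anything changes; the final listing is the same check the answer performs with Get-MsolRoleMember, filtered to service principals, and is worth keeping as a periodic review of which applications hold administrative directory roles.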
