使用AZ CLI创建Azure应用注册时出现问题 [英] Issue creating Azure App Registration with AZ CLI

问题描述

我正在尝试创建具有可访问Windows Azure AD的更新清单的Azure AD应用.我已经能够成功创建/配置新的应用注册，但是在尝试配置清单时遇到问题.

I am trying to create an Azure AD app with an updated manifest that has access to Windows Azure AD. I have been able to successfully create / configure a new App Registration but run into issues when i try to configure the Manifest.

我尝试使用MS提供的示例代码(

I have tried using the sample code provided my MS (https://docs.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create) with an updated 'resourceAppId' from an already existing App Registration however bash throws an error

az ad app create --display-name myTest --homepage https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback --required-resource-accesses @manifest.json("manifest.json" contains the following content)

[{"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
                    {
                     "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a-test",
                     "type": "Scope"
                    }
                  ]
}]

当我复制了示例代码并刚刚更新了一些参数时，我希望它可以运行. TIA提出任何建议

As I've copied the sample code and just updated a few params i would expect it to run. TIA for any suggestions

这是我通过门户网站运行时收到的错误

This is the error i recieve when running via the portal

推荐答案

由于您提供的有用信息太少，所以我不确定您遇到了什么错误.

Because you provide too little useful information, I am not sure what the error you got.

我已经测试了您的脚本，但下面出现错误.

I have tested your script, and I got an error below.

az ad app create --display-name 'myTest' --homepage 'https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
az : ERROR: '--identifier-uris' is required for creating an application
    At line:1 char:1
    + az ad app create --display-name 'myTest' --homepage 'https://blah.tes ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (ERROR: '--ident... an application:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

如果您也遇到此错误，只需添加类似--identifier-uris 'https://mytestapp.websites.net'的参数，完整的命令将类似于:

If you also get this error, just add the parameter like --identifier-uris 'https://mytestapp.websites.net', the complete command will be like :

az ad app create --display-name 'myTest' --homepage 'https://blah.test.com' --reply-urls 'https://blah.test.com/.auth/login/add/callback' --identifier-uris 'https://mytestapp.websites.net' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'

然后它将正常工作.

据我了解，您可能会认为manifest.json中的resourceAppId有问题.如果您没有收到上述错误，则可以按照以下信息进行故障排除，并确保使用manifest.json中正确的属性.

Per my understand, you may think some wrong with the resourceAppId in your manifest.json. If you do not get the error above, you could follow the information below to troubleshoot and make sure you use the correct properties in the manifest.json.

我的manifest.json文件:

My manifest.json file:

   [{
      "resourceAppId": "69ae001f-xxxxxxxx-375585ac983e",
      "resourceAccess": [
        {
          "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
          "type": "Scope"
        },
        {
          "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
          "type": "Role"
        }
      ]
    }]

resourceAppId是服务主体的应用程序ID(即AD App的应用程序ID)，因此您是正确的.

The resourceAppId is the application id of the service principal(i.e. the application id of the AD App), so you are correct.

在resourceAccess中，type是Scope或Role. Scope表示委派权限，Role表示应用程序权限.对于应用程序权限，可以在正在使用的AD App清单的appRoles中找到它(对于我的示例是应用程序69ae001f-xxxxxxxx-375585ac983e).对于委派的权限，您可以在清单的oauth2Permissions中找到它.然后将id放在相应的位置.

In the resourceAccess, the type is Scope or Role. The Scope represents Delegated permission, Role represents Application permission. For the Application permission, you can find it in the appRoles in the manifest of the AD App which you are using(for my sample is the app 69ae001f-xxxxxxxx-375585ac983e). For the Delegated permission, you can find it in the oauth2Permissions in the manifest. Then get the id in the corresponding position.

将其与我的示例AD App清单一起检查，注意id和对应关系，这将很清楚.

Check it along with my manifest of the sample AD App, note the id and correspondence, it will be clear.

appRoles:

"appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "SurveyCreator",
      "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
      "isEnabled": true,
      "description": "Creators can create Surveys",
      "value": "SurveyCreator"
    }
  ]

oauth2Permissions

 "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access joywebtest on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access joywebtest",
      "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access joywebtest on your behalf.",
      "userConsentDisplayName": "Access joywebtest",
      "value": "user_impersonation"
    }
  ]

最后，我们可以检查刚刚在门户中创建的AD App.它将具有我们设置的所需权限.

At last, we could check the AD App which created just now in the portal. It will have the Required permissions we set.

有关更多详细信息，您还可以参见 Azure Active Directory应用清单.

For more details, you can also see Azure Active Directory app manifest.

这篇关于使用AZ CLI创建Azure应用注册时出现问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！