使用AZ CLI创建Azure应用注册时出现问题 [英] Issue creating Azure App Registration with AZ CLI
问题描述
我正在尝试创建具有可访问Windows Azure AD的更新清单的Azure AD应用.我已经能够成功创建/配置新的应用注册,但是在尝试配置清单时遇到问题.
I am trying to create an Azure AD app with an updated manifest that has access to Windows Azure AD. I have been able to successfully create / configure a new App Registration but run into issues when i try to configure the Manifest.
I have tried using the sample code provided my MS (https://docs.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create) with an updated 'resourceAppId' from an already existing App Registration however bash throws an error
az ad app create --display-name myTest --homepage https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback --required-resource-accesses @manifest.json("manifest.json" contains the following content)
[{"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "a42657d6-7f20-40e3-b6f0-cee03008a62a-test",
"type": "Scope"
}
]
}]
当我复制了示例代码并刚刚更新了一些参数时,我希望它可以运行. TIA提出任何建议
As I've copied the sample code and just updated a few params i would expect it to run. TIA for any suggestions
这是我通过门户网站运行时收到的错误
This is the error i recieve when running via the portal
推荐答案
由于您提供的有用信息太少,所以我不确定您遇到了什么错误.
Because you provide too little useful information, I am not sure what the error you got.
我已经测试了您的脚本,但下面出现错误.
I have tested your script, and I got an error below.
az ad app create --display-name 'myTest' --homepage 'https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
az : ERROR: '--identifier-uris' is required for creating an application
At line:1 char:1
+ az ad app create --display-name 'myTest' --homepage 'https://blah.tes ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: '--ident... an application:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
如果您也遇到此错误,只需添加类似--identifier-uris 'https://mytestapp.websites.net'
的参数,完整的命令将类似于:
If you also get this error, just add the parameter like --identifier-uris 'https://mytestapp.websites.net'
, the complete command will be like :
az ad app create --display-name 'myTest' --homepage 'https://blah.test.com' --reply-urls 'https://blah.test.com/.auth/login/add/callback' --identifier-uris 'https://mytestapp.websites.net' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
然后它将正常工作.
据我了解,您可能会认为manifest.json
中的resourceAppId
有问题.如果您没有收到上述错误,则可以按照以下信息进行故障排除,并确保使用manifest.json
中正确的属性.
Per my understand, you may think some wrong with the resourceAppId
in your manifest.json
. If you do not get the error above, you could follow the information below to troubleshoot and make sure you use the correct properties in the manifest.json
.
我的manifest.json
文件:
My manifest.json
file:
[{
"resourceAppId": "69ae001f-xxxxxxxx-375585ac983e",
"resourceAccess": [
{
"id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
"type": "Scope"
},
{
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"type": "Role"
}
]
}]
resourceAppId
是服务主体的应用程序ID(即AD App的应用程序ID),因此您是正确的.
The resourceAppId
is the application id of the service principal(i.e. the application id of the AD App), so you are correct.
在resourceAccess
中,type
是Scope
或Role
. Scope
表示委派权限,Role
表示应用程序权限.对于应用程序权限,可以在正在使用的AD App清单的appRoles
中找到它(对于我的示例是应用程序69ae001f-xxxxxxxx-375585ac983e
).对于委派的权限,您可以在清单的oauth2Permissions
中找到它.然后将id
放在相应的位置.
In the resourceAccess
, the type
is Scope
or Role
. The Scope
represents Delegated permission, Role
represents Application permission. For the Application permission, you can find it in the appRoles
in the manifest of the AD App which you are using(for my sample is the app 69ae001f-xxxxxxxx-375585ac983e
). For the Delegated permission, you can find it in the oauth2Permissions
in the manifest. Then get the id
in the corresponding position.
将其与我的示例AD App清单一起检查,注意id
和对应关系,这将很清楚.
Check it along with my manifest of the sample AD App, note the id
and correspondence, it will be clear.
appRoles:
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "SurveyCreator",
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"isEnabled": true,
"description": "Creators can create Surveys",
"value": "SurveyCreator"
}
]
oauth2Permissions
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access joywebtest on behalf of the signed-in user.",
"adminConsentDisplayName": "Access joywebtest",
"id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access joywebtest on your behalf.",
"userConsentDisplayName": "Access joywebtest",
"value": "user_impersonation"
}
]
最后,我们可以检查刚刚在门户中创建的AD App.它将具有我们设置的所需权限.
At last, we could check the AD App which created just now in the portal. It will have the Required permissions we set.
有关更多详细信息,您还可以参见 Azure Active Directory应用清单.
For more details, you can also see Azure Active Directory app manifest.
这篇关于使用AZ CLI创建Azure应用注册时出现问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!