自动将应用程序注册到Azure AD for SSO [英] Automate registering application to Azure AD for SSO

问题描述

我的组织有大约2000个应用程序，这些应用程序需要使用Azure AD SSO进行配置，因此需要对其进行注册并允许访问Azure AD上的用户.

my organization has around 2000 applications which are required to be configured With Azure AD SSO and for that they need to be registered and allowed access to users on Azure AD.

我知道如何手动执行操作，但是有什么方法可以使整个过程自动化，以便我可以注册该应用程序并授予用户所需的访问权限?

I know how to do it manually, but is there any way to automate this whole process so that, I can register the application and grant users access they required?

谢谢你 Dheeraj Kumar

thank you Dheeraj Kumar

推荐答案

您可以使用Microsoft Graph API或Azure AD Graph API自动创建(尽管在可能的情况下，您最好使用MS Graph). 在这种情况下，由于您基本上掌握了批处理方案，因此我认为PowerShell可能是一个不错的选择.

You can automate creation with Microsoft Graph API or Azure AD Graph API (though you should prefer MS Graph when possible). In this case since you have what is basically a batch scenario in your hands, I feel PowerShell might be a good option.

有一个用于管理Azure AD的PowerShell模块:

There is a PowerShell module for administering Azure AD:

• https://docs.microsoft.com/zh-CN/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
• https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.127

• https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
• https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.127

首先使用

Connect-AzureAD

然后我们可以创建一个应用程序:

Then we can create an Application:

$app = New-AzureADApplication -DisplayName 'Created from PS' -IdentifierUris @('https://mytenant.onmicrosoft.com/PSTest1')

然后我们需要创建服务主体，这通常是由门户网站完成的:

Then we need to create the service principal, this is normally done by the portal:

$sp = New-AzureADServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired $true

请注意AppRoleAssignmentRequired参数. 将其设置为true要求将用户分配给该应用，然后他们才能登录.

Note the AppRoleAssignmentRequired parameter. Setting it to true will require users to be assigned to the app before they can login.

如果您不想这么做，那就把它排除在外吧.

If you don't want that, just leave it out.

现在我们可以分配用户. 您将需要一个用户的ObjectId来将他们分配给应用程序. 您可以通过多种方式使用Get-AzureADUser来获取要分配的用户.

Now we can assign users. You will need a user's ObjectId to assign them to the app. You can use Get-AzureADUser in various ways to get the users you want to assign.

但是分配可以这样完成:

But the assignment can then be done like this:

New-AzureADUserAppRoleAssignment -Id '00000000-0000-0000-0000-000000000000' -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -ObjectId $user.ObjectId

如果您在应用中为用户指定了角色，则可以使用角色的ID而不是全零. 在门户中，全零将转换为默认访问权限".

If you had specified roles in your app for users, you could use the role's id instead of all zeros. All zeros translates to "Default access" in the portal.

这篇关于自动将应用程序注册到Azure AD for SSO的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！