Add Graph API via az ad app permission fails


Question


I'm attempting to add the Graph API via CLI 2.x. Here is the PowerShell script I'm running:

    #
    # (1) Register the app, replyUrl, enable implicit flow
    #
    Write-Host " -  Create Application $appName"
    az ad app create --display-name "$appName" --reply-urls "$replyUrl" --oauth2-allow-implicit-flow true

    #
    # (2) get the app id into a variable (the JMESPath query is quoted so PowerShell passes it through unchanged)
    #
    $appId = $(az ad app list --display-name "$appName" --query "[].appId" -o tsv)

    #
    # (3) API Permissions, add Graph API/Permission (delegated)
    #
    Write-Host " -  Add Graph API/Permission (delegated)"
    az ad app permission add --id $appId --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope

    #
    # (4) Grant permissions based on the error/warning from the previous step
    #
    Write-Host " -  Grant permissions"
    az ad app permission grant --id $appId --api 00000002-0000-0000-c000-000000000000

I pulled the --api-permissions id from this link. The script line az ad app permission add throws this error (or warning):

    az : Invoking az ad app permission grant --id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --api 00000002-0000-0000-c000-000000000000 is needed to make the change effective
    At C:\temp\CP\CreateAppRegistration.ps1:42 char:5
    az ad app permission add --id $appid --api 00000002-0000-0000-c00 ...
    CategoryInfo : NotSpecified: (Invoking "az ad...hange effective:String) [], RemoteException
    FullyQualifiedErrorId : NativeCommandError


I then attempt to call the script in the error az ad app permission grant and get the following error:

    az : Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/oauth2PermissionGrants?$filter=clientId%20eq%20%27e62c4745-cccc-cccc-cccc-71e5599261fc%27&api-version=1.6
    At C:\temp\CP\CreateAppRegistration.ps1:45 char:5
    az ad app permission grant --id $appid --api 00000002-0000-0000-c ...
    CategoryInfo : NotSpecified: (Operation faile...api-version=1.6:String) [], RemoteException
    FullyQualifiedErrorId : NativeCommandError

Can someone help me understand if I need to execute the script (#4 above) per the error generated from #3 above?
Or why is #3 above returning an error/warning?


I say warning because the Graph API does seem to get added but I'm not sure it's in the proper state per the error message.

    az ad app permission grant --id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --api 00000002-0000-0000-c000-000000000000 is needed to make the change effective

Answer


In theory, you need to execute the script (#4 above) per the warning generated from #3 above.

The "404 Client Error: Not Found for url" you get means the endpoint https://graph.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/oauth2PermissionGrants?$filter=clientId%20eq%20%27e62c4745-cccc-cccc-cccc-71e5599261fc%27&api-version=1.6 returns an empty result.

The cmd az ad app permission grant queries it first and then inserts the new permission. The error occurs in the querying step. I don't think this is reasonable. Your requirement is to add a permission grant, but this cmd needs to query the existing permission grants first. If the result is empty, it prevents you from adding it.

So the logic of this cmd az ad app permission grant is not perfect currently. It may work better for an existing Azure AD app (which has a service principal), but not for a newly created Azure AD app (which has no service principal).


A workaround is to use az ad app permission admin-consent --id $appid instead of az ad app permission grant. See reference here. It covers what az ad app permission grant can do.

After you execute az ad app permission admin-consent once, it will generate a service principal for the Azure AD app, and then you can use az ad app permission grant later.
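The script below is an added example, not code from the question or the answer. It puts the answer's advice into a re-runnable registration script: it stops the Azure CLI's stderr hints from surfacing as NativeCommandError, refuses to create duplicate registrations (with duplicates, `az ad app list --display-name` returns several appIds and the original `$appId` line silently picks them all), and makes sure a service principal exists before consent is recorded. The app name, reply URL and the `$UseAdminConsent` switch are assumptions; the API and permission IDs are the ones the question's script uses (the legacy Azure AD Graph API and its User.Read delegated permission). Creating the service principal explicitly with `az ad sp create` before calling `az ad app permission grant` follows from the answer's diagnosis but is not the exact sequence the answer gives, which relies on `admin-consent` to create it.

```powershell
# Added example (not from the question or the answer). Assumptions are marked.
# Requires an authenticated Azure CLI session (`az login`) whose account may
# register applications and, for -UseAdminConsent, grant tenant-wide consent.
param(
    [switch]$UseAdminConsent   # assumed switch: tenant-wide consent vs. a single delegated grant
)

$appName  = 'my-web-app'                          # assumed application name
$replyUrl = 'https://localhost:44300/signin-oidc' # assumed reply URL

# IDs taken from the question's script: the legacy Azure AD Graph resource and
# its User.Read delegated permission.
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'
$userReadScope = '311a71cc-e848-46a1-bdf8-97ff7156d8e6'

function Invoke-Az {
    # Runs az and treats only a non-zero exit code as failure. The CLI prints
    # hints such as "Invoking az ad app permission grant ... is needed to make
    # the change effective" on stderr; with $ErrorActionPreference = 'Stop'
    # PowerShell turns that stderr text into a terminating NativeCommandError
    # even though `az ad app permission add` succeeded.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$AzArgs)
    $ErrorActionPreference = 'Continue'
    $output = & az @AzArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "az $($AzArgs -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    # Return stdout only; stderr lines arrive as ErrorRecord objects.
    return ($output | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] })
}

# (1) Register the app once. Re-running must not create a second registration
#     with the same display name, otherwise step (2) of the original script
#     would return several appIds in one variable.
$existing = @(Invoke-Az ad app list --display-name $appName --query "[].appId" -o tsv)
if ($existing.Count -gt 1) {
    throw "More than one app registration named '$appName'; remove the duplicates first."
}
if ($existing.Count -eq 1) {
    $appId = $existing[0]
    Write-Host " -  Reusing application $appName ($appId)"
} else {
    Write-Host " -  Create Application $appName"
    # --oauth2-allow-implicit-flow mirrors the question's script. For a new
    # browser app the authorization code flow with PKCE is the recommended
    # choice instead of the implicit flow.
    $appId = Invoke-Az ad app create --display-name $appName --reply-urls $replyUrl `
        --oauth2-allow-implicit-flow true --query appId -o tsv
}

# (2) Make sure the app has a service principal. The answer attributes the 404
#     from `az ad app permission grant` to a newly created app that has none;
#     creating it explicitly here is an assumption built on that diagnosis.
$spCount = [int](Invoke-Az ad sp list --filter "appId eq '$appId'" --query "length(@)" -o tsv)
if ($spCount -eq 0) {
    Write-Host " -  Create service principal for $appId"
    Invoke-Az ad sp create --id $appId | Out-Null
}

# (3) Request the delegated permission (this is what writes requiredResourceAccess
#     on the app object; it records no consent by itself).
Write-Host " -  Add Graph API/Permission (delegated)"
Invoke-Az ad app permission add --id $appId --api $aadGraphAppId `
    --api-permissions "$userReadScope=Scope" | Out-Null

# (4) Record consent. Prefer the narrow grant: it covers only the named scope on
#     this one API. admin-consent consents tenant-wide to everything the app
#     requests and needs a directory role allowed to do that.
if ($UseAdminConsent) {
    Write-Host " -  Grant tenant-wide admin consent"
    Invoke-Az ad app permission admin-consent --id $appId | Out-Null
} else {
    Write-Host " -  Grant delegated consent for User.Read"
    Invoke-Az ad app permission grant --id $appId --api $aadGraphAppId --scope User.Read | Out-Null
}

# (5) Verify: requested permissions on the app object, and the consent records
#     that actually exist for its service principal.
Write-Host " -  Requested permissions:"
Invoke-Az ad app permission list --id $appId
Write-Host " -  Recorded grants:"
Invoke-Az ad app permission list-grants --id $appId --show-resource-name
```

Run it as `.\CreateAppRegistration.ps1` for a single delegated grant, or `.\CreateAppRegistration.ps1 -UseAdminConsent` when tenant-wide consent is intended. Step (5) is the check worth keeping after any variant of this script: `permission list` only shows what the app asks for, while `list-grants` shows what has been consented to, and the question's symptom is precisely the gap between the two.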
