Azure 应用注册时的 API 权限问题 [英] API Permission Issue while Azure App Registration

问题描述

我在 Azure Active Directory -> 应用注册下注册了一个 API 应用.此 API 应用程序公开了将由组织内的客户端访问的端点.客户端不是用户，而是将访问端点的后台服务.

当我尝试授予客户端访问 API 应用程序的 API 权限时，我看到应用程序权限已禁用/灰显.设置 API 权限时是否需要做一些不同的事情.

请看附图.

有没有人遇到过这个问题，或者我在做什么傻事.我们组织中的 Azure 管理员告诉我，他对此无能为力，因为他以前从未见过这样的事情.

解决方案

很可能您还没有为您的应用注册定义任何角色(即应用程序权限)，因此当您尝试为客户端应用程序添加权限时，您只会看到委托权限的一个选项.

如何定义角色/应用程序权限

转到 Azure 门户 > Azure AD > 应用注册 > API 应用程序注册 > 清单

在 Manifest JSON 中找到appRoles"集合，如果它为空，请在此处添加您自己的 appRoles.示例:

"appRoles": [{allowedMemberTypes":[应用"],"description": "具有此角色的应用程序可以调用我的 API","displayName": "可以调用我的 API","id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",已启用":真，朗":空，起源":应用"，价值":MyAPIValidClient"}]

请注意，我将allowedMemberTypes"保留为应用程序"，因此它只能用作应用程序权限.其他可能性是将用户"作为 allowedMemberType，但这是针对不同的用例，当您想为用户分配角色时，这不是您要寻找的.

现在，如果您转到要授予此角色(应用程序权限)的客户端应用程序注册，您应该能够看到应用程序权限"已启用.

您还应该能够看到应用程序权限MyAPIValidClient"及其描述可供选择.现在我在上面的示例中只定义了一个应用程序权限，但正如您所见，它是一个数组，因此您也可以定义多个.只需确保为每个应用程序权限生成新的 GUID 以分配为id".

I have an API App registered under Azure Active Directory -> App Registrations. This API App is exposing endpoints which will be accessed by clients from within the organization. The clients are not users but background services who will accessing the endpoints.

When I am trying to grant API Permission for the clients to access the API App I see the Application Permission as disabled/greyed out. Do I need to do something different when setting the API Permissions.

Please see the attached picture.

Has anyone come across this issue or am I doing something silly. Azure Admin in our organization told me he can't help with this as he hasn't see anything like this before.

解决方案

Most probably you haven't defined any roles (i.e. Application Permissions) for your app registration and hence when you try to add permissions for the client application you only see an option for Delegated Permissions.

How to define Roles/Application Permissions

Go to Azure Portal > Azure AD > App Registrations > Registration for your API application > Manifest

Find the "appRoles" collection in Manifest JSON and if it's empty, add your own appRoles here. Example:

"appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Apps that have this role have the ability to invoke my API",
            "displayName": "Can invoke my API",
            "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "MyAPIValidClient"
        }
    ]

Notice that I have kept "allowedMemberTypes" as "Application" so that it can only be used as Application Permission. Other possibility is to have "User" as the allowedMemberType, but that is for a different use case when you want to assign roles to users and that's not what you're looking for.

Now if you go to the client application registration to which you want to grant this role (Application Permission), you should be able to see "Application Permissions" as enabled.

You should also be able to see the Application Permission "MyAPIValidClient" with it's description available to be selected. Now I have defined only one Application Permission in example above, but as you can see it's an array, so you can define multiple ones as well. Just make sure you generate new GUID's to be assigend as "id" for each Application Permission.

这篇关于Azure 应用注册时的 API 权限问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！