使用 AzureAD 模块检索服务主体的应用程序权限 [英] Retrieve application permissions of a service principal using the AzureAD module

问题描述

使用 AzureAD 模块，我可以使用 Get-AzureADServicePrincipalOAuth2PermissionGrant cmdlet 检索服务主体的所有委派权限.但是，我找不到类似的 cmdlet 来检索此模块中服务主体的 应用程序权限.

Using the AzureAD module, I can retrieve all delegated permissions for a service principal using the Get-AzureADServicePrincipalOAuth2PermissionGrant cmdlet. However, I can't find a similar cmdlet to retrieve the application permissions for a service principal in this module.

AzureAD 模块是否提供了一种方法来检索服务主体的应用程序权限?

Does the AzureAD module provide a way to retrieve application permissions for a service principal?

推荐答案

应用程序权限分配在目录中表示为 appRoleAssignments.将角色分配给应用的服务主体.

Application permission assignments are represented as appRoleAssignments in the directory. Literally assigning a role to the app's service principal.

使用 V2 模块:

有两种方法可以获取角色.

There are two ways to approach getting the roles.

已为委托人 A 分配了哪些权限?

Get-AzureADServiceAppRoleAssignedTo -ObjectId eea0d6cd-20e2-4b81-97ca-5b0cbffac985 | fl

我在这里获取已分配给该主体的应用权限.

Here I am getting what app permissions have been assigned to this principal.

谁拥有委托人 A 的权限?

Get-AzureADServiceAppRoleAssignment -ObjectId f004dde9-b40f-4259-91be-e257009a444a | fl

这里的对象 ID 用于 Microsoft Graph.它列出了所有被分配了任何应用程序权限的主体.

Here the object id is for Microsoft Graph. It lists out all principals who have been assigned any app permissions on it.

无论哪种方式，您仍然可以获得 AppRoleAssignments 列表.

Either way you still get a list of AppRoleAssignments.

• Id = 分配的 AppRole 的 ID
• PrincipalId = 权限分配给的服务主体的 ObjectId
• ResourceId = 提供权限的服务主体的 ObjectId

您需要自己以正确的角色加入任务.您可以打印出应用角色，例如MS Graph 很容易提供:

You will need to join the assignments with the right roles yourself. You can print out the app roles e.g. MS Graph offers quite easily:

$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.AppRoles | fl

例子:

AllowedMemberTypes : {Application}
Description        : (Preview) Allows the app to read all files in all site collections without a signed in user.
DisplayName        : Read files in all site collections (preview)
Id                 : 01d4889c-1287-42c6-ac1f-5d1e02578ef6
IsEnabled          : True
Value              : Files.Read.All

这篇关于使用 AzureAD 模块检索服务主体的应用程序权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！