Insufficient privileges to complete the operation when using service principal to create Azure AD Application
Problem description
Following the code outlined here:
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/blob/master/GraphConsoleAppV3/Program.cs#L810
but using a Service Principal to authenticate, one will get an Insufficient Privileges error when trying to create the application on
client.Applications.AddApplicationAsync(appObject).Wait();
with token exchange like the following:
var context = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}");
var token = context.AcquireToken("https://graph.windows.net", new ClientCredential(clientId, secret));
var client = new ActiveDirectoryClient(new Uri($"https://graph.windows.net/{tenantId}"), () => Task.FromResult(token.AccessToken));
It is required that the application has been given the Administrator role, which currently seems only possible to add using the PowerShell tools for Azure AD: https://msdn.microsoft.com/library/azure/jj151815.aspx#bkmk_installmodule
using connect-msolservice
and logging in with your Azure AD Administrator user when prompted.
Connect-MsolService
Get-MsolServicePrincipal -AppPrincipalId {appId}
Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'Company Administrator' -RoleMemberObjectId {objectID}
where the objectID is the ObjectId in the output of the second command.
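The three commands above as one script, added here as an example and not part of the original post: it resolves the service principal from the application ID, checks whether it already holds the role before adding it (a second Add-MsolRoleMember for an existing member fails), and verifies the membership afterwards. It assumes the MSOnline module is installed, that you sign in as a tenant administrator when prompted, and that $AppId is the same client ID passed to ClientCredential in the C# snippet; the parameter names and messages are this script's own.

```powershell
# Added example, not from the original post.
# Grants a service principal the 'Company Administrator' directory role with
# the MSOnline module, idempotently, then verifies the membership.
# Assumes: MSOnline module installed; $AppId is the app's client ID.
param(
    [Parameter(Mandatory = $true)][string]$AppId,
    [string]$RoleName = 'Company Administrator'   # MSOnline name for Global Administrator
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for an Azure AD administrator login

# Resolve the service principal object that represents the application in this tenant
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppId
if (-not $sp) {
    throw "No service principal found for AppPrincipalId $AppId; the app may not be registered in this tenant."
}

# Resolve the directory role by name
$role = Get-MsolRole -RoleName $RoleName
if (-not $role) {
    throw "Directory role '$RoleName' not found."
}

# Check current membership before adding, so re-running the script is safe
$existing = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($existing) {
    Write-Host "Service principal '$($sp.DisplayName)' ($($sp.ObjectId)) already holds '$RoleName'."
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' ($($sp.ObjectId)) to '$RoleName'."
}

# Verify: the service principal should now appear among the role's members
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId } |
    Format-Table DisplayName, RoleMemberType, ObjectId
```

Run it as `.\Grant-AppAdminRole.ps1 -AppId <clientId>` and acquire a fresh token in the C# code afterwards. Note that 'Company Administrator' is the Global Administrator role: once the service principal holds it, the client secret used in `ClientCredential(clientId, secret)` is effectively a tenant-admin credential and must be stored and rotated accordingly, and the role grants far more than what creating application objects needs.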