如何从外部应用程序管理Azure App角色

huangapple go评论72阅读模式
英文:

How to manage Azure App roles from external application

问题

I am building an application which uses role based access and have created custom app roles in Azure App Registration and have also assigned some users with roles in Enterprise Application. My Question is, can we do the removal & assignment of these custom app role to users via the application instead of using Azure?

我正在开发一个应用程序,它使用基于角色的访问控制,并在Azure应用程序注册中创建了自定义应用程序角色,并在企业应用程序中为一些用户分配了角色。我的问题是,我们是否可以通过应用程序而不是使用Azure来执行这些自定义应用程序角色的移除和分配操作?

I've tried using Microsoft Graph API to solve this problem. In the frontend(React) I was making Graph API calls to achieve this & is working fine. But it requires "AppRoleAssignment.ReadWrite.All" permission to be enabled which seems so high level for the task I'm doing since it can assign any roles(custom or AAD roles) to any users, application and doesn't feel secure to give this scope to my end users even though only admin role would be performing this task. Is there any better way to implement this. Also is there a way to assign one of the custom roles as default to new users?. Appreciate the help!

我尝试使用Microsoft Graph API解决这个问题。在前端(React)中,我正在进行Graph API调用以实现这一点,并且工作正常。但它需要启用"AppRoleAssignment.ReadWrite.All"权限,这似乎对我正在进行的任务来说太高级了,因为它可以分配任何角色(自定义或AAD角色)给任何用户、应用程序,即使只有管理员角色会执行此任务,也不安全。是否有更好的实现方法?还有一种方法可以将自定义角色中的一个分配为新用户的默认角色吗?感谢帮助!

英文:

I am building an application which uses role based access and have created custom app roles in Azure App Registration and have also assigned some users with roles in Enterprise Application. My Question is, can we do the removal & assignment of these custom app role to users via the application instead of using Azure?

I've tried using Microsoft Graph API to solve this problem. In the frontend(React) I was making Graph API calls to achieve this & is working fine. But it requires "AppRoleAssignment.ReadWrite.All" permission to be enabled which seems so high level for the task I'm doing since it can assign any roles(custom or AAD roles) to any users, application and doesn't feel secure to give this scope to my end users even though only admin role would be performing this task. Is there any better way to implement this. Also is there a way to assign one of the custom roles as default to new users?. Appreciate the help!

答案1

得分: 1

我尝试在我的环境中使用Powershell分配应用程序角色给用户。

您可以按照以下步骤获取用户Object ID和应用程序Object ID

用户Object ID:

进入Azure门户 > Azure活动目录 > 用户 > 选择用户

如何从外部应用程序管理Azure App角色

应用程序Object ID:

进入Azure门户 > Azure活动目录 > 企业应用程序 > 选择您的应用程序

如何从外部应用程序管理Azure App角色

Powershell脚本:

Connect-AzureAD
$user = Get-AzureADUser -ObjectId "userobjectID"
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId "AppobjectID"
$role = $app.AppRoles | Where-Object {$_.DisplayName -eq "Reader";}
#检查Approle ID
$role.Id
New-AzureADUserAppRoleAssignment -ObjectId "userobjectID" -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id "ApproleID"
Remove-AzureADUserAppRoleAssignment -ObjectId "userobjectId" -AppRoleAssignmentId "ApprolID"

响应:

如何从外部应用程序管理Azure App角色

运行上述代码后,应用程序角色将添加到应用程序中,如下所示。

如何从外部应用程序管理Azure App角色

还有一种方法可以将自定义角色之一分配为新用户的默认角色吗?

创建动态组以将应用程序角色分配给用户,当新用户入职时。

进入Azure门户 > Azure活动目录 > 组 > 新建组。

如何从外部应用程序管理Azure App角色

创建组后,将应用程序角色分配给用户,如下所示。

进入Azure门户 > Azure活动目录 > 企业应用程序 > 所有应用程序 > 选择您的应用程序

如何从外部应用程序管理Azure App角色

参考链接:New-AzureADUserAppRoleAssignmentRemove-AzureADUserAppRoleAssignment

英文:

I tried to reproduce the same in my environment to assign App roles to the user using Powershell.

You can fetch user Object ID and Application Object Id by following the steps.

User Object ID:

Go to Azure Portal > Azure Active Directory > Users > Select the user .

如何从外部应用程序管理Azure App角色

Application Object Id:

Go to Azure Portal > Azure Active Directory > Enterprise applications > Select your app

如何从外部应用程序管理Azure App角色

Powershell Script:

Connect-AzureAD
$user = Get-AzureADUser -ObjectId "userobjectID"
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId "AppobjectID"
$role = $app.AppRoles | Where-Object {$_.DisplayName -eq "Reader"}
#Check Approle ID
$role.Id
New-AzureADUserAppRoleAssignment -ObjectId "userobjectID" -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id "ApproleID"
 Remove-AzureADUserAppRoleAssignment -ObjectId "userobjectId" -AppRoleAssignmentId "ApprolID"

Response:

如何从外部应用程序管理Azure App角色

Once ran the above code app role are added to the application as below.

如何从外部应用程序管理Azure App角色

> Also is there a way to assign one of the custom roles as default to new users?

Created Dynamic Group for assigning app roles to the user, when the new user is onboarded.

Go to Azure Portal > Azure Active Directory > Groups > New Group .

如何从外部应用程序管理Azure App角色

Once create the group, assign the app role to the user as below.

Go to Azure Portal > Azure Active Directory > Enterprise applications > All applications > Select your application

如何从外部应用程序管理Azure App角色

Reference: New-AzureADUserAppRoleAssignment & Remove-AzureADUserAppRoleAssignment

huangapple
  • 本文由 发表于 2023年2月26日 22:40:57
  • 转载请务必保留本文链接:https://go.coder-hub.com/75572720.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定