英文:
How to manage Azure App roles from external application
问题
I am building an application which uses role based access and have created custom app roles in Azure App Registration and have also assigned some users with roles in Enterprise Application. My Question is, can we do the removal & assignment of these custom app role to users via the application instead of using Azure?
我正在开发一个应用程序,它使用基于角色的访问控制,并在Azure应用程序注册中创建了自定义应用程序角色,并在企业应用程序中为一些用户分配了角色。我的问题是,我们是否可以通过应用程序而不是使用Azure来执行这些自定义应用程序角色的移除和分配操作?
I've tried using Microsoft Graph API to solve this problem. In the frontend(React) I was making Graph API calls to achieve this & is working fine. But it requires "AppRoleAssignment.ReadWrite.All" permission to be enabled which seems so high level for the task I'm doing since it can assign any roles(custom or AAD roles) to any users, application and doesn't feel secure to give this scope to my end users even though only admin role would be performing this task. Is there any better way to implement this. Also is there a way to assign one of the custom roles as default to new users?. Appreciate the help!
我尝试使用Microsoft Graph API解决这个问题。在前端(React)中,我正在进行Graph API调用以实现这一点,并且工作正常。但它需要启用"AppRoleAssignment.ReadWrite.All"权限,这似乎对我正在进行的任务来说太高级了,因为它可以分配任何角色(自定义或AAD角色)给任何用户、应用程序,即使只有管理员角色会执行此任务,也不安全。是否有更好的实现方法?还有一种方法可以将自定义角色中的一个分配为新用户的默认角色吗?感谢帮助!
英文:
I am building an application which uses role based access and have created custom app roles in Azure App Registration and have also assigned some users with roles in Enterprise Application. My Question is, can we do the removal & assignment of these custom app role to users via the application instead of using Azure?
I've tried using Microsoft Graph API to solve this problem. In the frontend(React) I was making Graph API calls to achieve this & is working fine. But it requires "AppRoleAssignment.ReadWrite.All" permission to be enabled which seems so high level for the task I'm doing since it can assign any roles(custom or AAD roles) to any users, application and doesn't feel secure to give this scope to my end users even though only admin role would be performing this task. Is there any better way to implement this. Also is there a way to assign one of the custom roles as default to new users?. Appreciate the help!
答案1
得分: 1
我尝试在我的环境中使用Powershell分配应用程序角色给用户。
您可以按照以下步骤获取用户Object ID和应用程序Object ID。
用户Object ID:
进入Azure门户 > Azure活动目录 > 用户 > 选择用户。
应用程序Object ID:
进入Azure门户 > Azure活动目录 > 企业应用程序 > 选择您的应用程序。
Powershell脚本:
Connect-AzureAD
$user = Get-AzureADUser -ObjectId "userobjectID"
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId "AppobjectID"
$role = $app.AppRoles | Where-Object {$_.DisplayName -eq "Reader";}
#检查Approle ID
$role.Id
New-AzureADUserAppRoleAssignment -ObjectId "userobjectID" -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id "ApproleID"
Remove-AzureADUserAppRoleAssignment -ObjectId "userobjectId" -AppRoleAssignmentId "ApprolID"
响应:
运行上述代码后,应用程序角色将添加到应用程序中,如下所示。
还有一种方法可以将自定义角色之一分配为新用户的默认角色吗?
创建动态组以将应用程序角色分配给用户,当新用户入职时。
进入Azure门户 > Azure活动目录 > 组 > 新建组。
创建组后,将应用程序角色分配给用户,如下所示。
进入Azure门户 > Azure活动目录 > 企业应用程序 > 所有应用程序 > 选择您的应用程序。
参考链接:New-AzureADUserAppRoleAssignment 和 Remove-AzureADUserAppRoleAssignment
英文:
I tried to reproduce the same in my environment to assign App roles to the user using Powershell.
You can fetch user Object ID and Application Object Id by following the steps.
User Object ID:
Go to Azure Portal > Azure Active Directory > Users > Select the user .
Application Object Id:
Go to Azure Portal > Azure Active Directory > Enterprise applications > Select your app
Powershell Script:
Connect-AzureAD
$user = Get-AzureADUser -ObjectId "userobjectID"
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId "AppobjectID"
$role = $app.AppRoles | Where-Object {$_.DisplayName -eq "Reader"}
#Check Approle ID
$role.Id
New-AzureADUserAppRoleAssignment -ObjectId "userobjectID" -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id "ApproleID"
Remove-AzureADUserAppRoleAssignment -ObjectId "userobjectId" -AppRoleAssignmentId "ApprolID"
Response:
Once ran the above code app role are added to the application as below.
> Also is there a way to assign one of the custom roles as default to new users?
Created Dynamic Group for assigning app roles to the user, when the new user is onboarded.
Go to Azure Portal > Azure Active Directory > Groups > New Group .
Once create the group, assign the app role to the user as below.
Go to Azure Portal > Azure Active Directory > Enterprise applications > All applications > Select your application
Reference: New-AzureADUserAppRoleAssignment & Remove-AzureADUserAppRoleAssignment
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论