使用 az PowerShell 创建 Azure AD 应用程序

huangapple go评论62阅读模式
英文:

Creating azure AD app using az powershell

问题

我正在创建一个 Azure AD 应用程序,生成一个客户端密码,并使用 az PowerShell 授予 Reader 角色。
我想要使用 PowerShell 授予 Microsoft Graph 的 Directory.readAll 权限给该应用程序,但不确定如何操作。有人能帮助吗?
以下是我编写的代码:

# 连接到 Azure AD
Connect-AzAccount -TenantId <tenant-id>
Connect-AzureAD

# 为应用程序设置变量
$appName = "test"
$secret = "MySecret"

# 创建应用程序
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false

# 创建客户端密码
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate

# 检索租户 ID
$tenantId = (Get-AzureADTenantDetail).ObjectId

# 授予 Reader 角色
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal"

# 打印应用程序 ID、租户 ID 和客户端密码
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"

希望对你有所帮助。

英文:

I am creating an azure AD app, generating a client secret for it, and giving Reader role using az PowerShell
I want to give Microsoft Graph. Directory.readAll permission to the app, but not sure how to do using PowerShell. Can anyone help?
Here is the code I've written:

#Connect to Azure AD
Connect-AzAccount -TenantId &lt;tenant-id&gt;
Connect-AzureAD
#Set variables for the app
$appName = &quot;test&quot;
$secret = &quot;MySecret&quot;

#Create the app
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false

#Create the client secret
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier &quot;MyCustomKeyIdentifier&quot; -Value $base64 -StartDate $startDate -EndDate $endDate

#Retrieve the tenant ID
$tenantId = (Get-AzureADTenantDetail).ObjectId

#giving Reader Role
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName &quot;Reader&quot; -PrincipalType &quot;ServicePrincipal&quot;

#Print the App-ID, tenant ID, and client secret
Write-Host &quot;App-ID: $($app.AppId)&quot;
Write-Host &quot;Tenant ID: $tenantId&quot;
Write-Host &quot;Client Secret: $($secret.Value)&quot;

答案1

得分: 1

我尝试在我的环境中复制相同的操作,并获得了以下结果:

我运行了与您相同的PowerShell脚本,并获得了以下响应

#连接到Azure AD
Connect-AzAccount -TenantId <tenantID>
Connect-AzureAD

#为应用程序设置变量
$appName = "test"
$secret = "MySecret"

#创建应用程序
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false

#创建客户端密钥
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate

#检索租户ID
$tenantId = (Get-AzureADTenantDetail).ObjectId

#授予"Reader"角色
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal" -Scope "/subscriptions/<subID>/resourcegroups/<myRGname>"

#打印应用程序ID、租户ID和客户端密钥
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"

响应:

使用 az PowerShell 创建 Azure AD 应用程序

当我在门户中检查相同的操作时,成功创建了名为**test**的应用程序,如下所示:

使用 az PowerShell 创建 Azure AD 应用程序

要向此应用程序添加Microsoft Graph的Directory.Read.All权限,您可以运行以下PowerShell脚本:

$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000"
$DirectoryReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7ab1d382-f21e-4acd-a863-ba3e13f7da61","Role"
$Graph.ResourceAccess = $DirectoryReadAll
$app = Get-AzureADApplication -SearchString "test" 
  
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $Graph

响应:

使用 az PowerShell 创建 Azure AD 应用程序

当我在门户中检查相同的操作时,成功向应用程序添加了**Directory.Read.All**权限,如下所示:

使用 az PowerShell 创建 Azure AD 应用程序

要向上述权限授予管理员同意,您需要创建服务主体并运行以下PowerShell脚本:

$sp = New-AzureADServicePrincipal -AccountEnabled $true -AppId $app.AppId -AppRoleAssignmentRequired $true -DisplayName "test"
$graphsp = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

New-AzureADServiceAppRoleAssignment `
             -Id $DirectoryReadAll.Id `
             -ObjectId $sp.ObjectId `
             -PrincipalId $sp.ObjectId `
             -ResourceId $graphsp.ObjectId

响应:

使用 az PowerShell 创建 Azure AD 应用程序

确认这一点,您可以在门户中检查,管理员同意已成功授予,如下所示:

使用 az PowerShell 创建 Azure AD 应用程序

英文:

I tried to reproduce the same in my environment and got below results:

I ran same PowerShell script as you and got response like below:

#Connect to Azure AD
Connect-AzAccount -TenantId &lt;tenantID&gt;
Connect-AzureAD

#Set variables for the app
$appName = &quot;test&quot;
$secret = &quot;MySecret&quot;

#Create the app
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false

#Create the client secret
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier &quot;MyCustomKeyIdentifier&quot; -Value $base64 -StartDate $startDate -EndDate $endDate

#Retrieve the tenant ID
$tenantId = (Get-AzureADTenantDetail).ObjectId

#giving Reader Role
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName &quot;Reader&quot; -PrincipalType &quot;ServicePrincipal&quot; -Scope &quot;/subscriptions/&lt;subID&gt;/resourcegroups/&lt;myRGname&gt;&quot;

#Print the App-ID, tenant ID, and client secret
Write-Host &quot;App-ID: $($app.AppId)&quot;
Write-Host &quot;Tenant ID: $tenantId&quot;
Write-Host &quot;Client Secret: $($secret.Value)&quot;

Response:

使用 az PowerShell 创建 Azure AD 应用程序

When I checked the same in Portal, application named test created successfully like below:

使用 az PowerShell 创建 Azure AD 应用程序

To add Microsoft Graph Directory.Read.All permission to this application, you can run below PowerShell script:

$Graph = New-Object -TypeName &quot;Microsoft.Open.AzureAD.Model.RequiredResourceAccess&quot;
$Graph.ResourceAppId = &quot;00000003-0000-0000-c000-000000000000&quot;
$DirectoryReadAll = New-Object -TypeName &quot;Microsoft.Open.AzureAD.Model.ResourceAccess&quot; -ArgumentList &quot;7ab1d382-f21e-4acd-a863-ba3e13f7da61&quot;,&quot;Role&quot;
$Graph.ResourceAccess = $DirectoryReadAll
$app = Get-AzureADApplication -SearchString &quot;test&quot; 
  
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $Graph

Response:

使用 az PowerShell 创建 Azure AD 应用程序

When I checked the same in Portal, Directory.Read.All permission added to the application successfully like below:

使用 az PowerShell 创建 Azure AD 应用程序

To grant admin consent to above permission, you need to create service principal and run PowerShell script like below:

$sp = New-AzureADServicePrincipal -AccountEnabled $true -AppId $app.AppId -AppRoleAssignmentRequired $true -DisplayName &quot;test&quot;
$graphsp = Get-AzureADServicePrincipal -Filter &quot;AppId eq &#39;00000003-0000-0000-c000-000000000000&#39;&quot;

New-AzureADServiceAppRoleAssignment `
             -Id $DirectoryReadAll.Id `
             -ObjectId $sp.ObjectId `
             -PrincipalId $sp.ObjectId `
             -ResourceId $graphsp.ObjectId

Response:

使用 az PowerShell 创建 Azure AD 应用程序

To confirm that, you can check Portal where admin consent is granted successfully like below:

使用 az PowerShell 创建 Azure AD 应用程序

huangapple
  • 本文由 发表于 2023年3月3日 21:42:12
  • 转载请务必保留本文链接:https://go.coder-hub.com/75627830.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定