英文:
Creating azure AD app using az powershell
问题
我正在创建一个 Azure AD 应用程序,生成一个客户端密码,并使用 az PowerShell 授予 Reader 角色。
我想要使用 PowerShell 授予 Microsoft Graph 的 Directory.readAll 权限给该应用程序,但不确定如何操作。有人能帮助吗?
以下是我编写的代码:
# 连接到 Azure AD
Connect-AzAccount -TenantId <tenant-id>
Connect-AzureAD
# 为应用程序设置变量
$appName = "test"
$secret = "MySecret"
# 创建应用程序
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false
# 创建客户端密码
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate
# 检索租户 ID
$tenantId = (Get-AzureADTenantDetail).ObjectId
# 授予 Reader 角色
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal"
# 打印应用程序 ID、租户 ID 和客户端密码
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"
希望对你有所帮助。
英文:
I am creating an azure AD app, generating a client secret for it, and giving Reader role using az PowerShell
I want to give Microsoft Graph. Directory.readAll permission to the app, but not sure how to do using PowerShell. Can anyone help?
Here is the code I've written:
#Connect to Azure AD
Connect-AzAccount -TenantId <tenant-id>
Connect-AzureAD
#Set variables for the app
$appName = "test"
$secret = "MySecret"
#Create the app
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false
#Create the client secret
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate
#Retrieve the tenant ID
$tenantId = (Get-AzureADTenantDetail).ObjectId
#giving Reader Role
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal"
#Print the App-ID, tenant ID, and client secret
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"
答案1
得分: 1
我尝试在我的环境中复制相同的操作,并获得了以下结果:
我运行了与您相同的PowerShell脚本,并获得了以下响应:
#连接到Azure AD
Connect-AzAccount -TenantId <tenantID>
Connect-AzureAD
#为应用程序设置变量
$appName = "test"
$secret = "MySecret"
#创建应用程序
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false
#创建客户端密钥
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate
#检索租户ID
$tenantId = (Get-AzureADTenantDetail).ObjectId
#授予"Reader"角色
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal" -Scope "/subscriptions/<subID>/resourcegroups/<myRGname>"
#打印应用程序ID、租户ID和客户端密钥
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"
响应:
当我在门户中检查相同的操作时,成功创建了名为**test
**的应用程序,如下所示:
要向此应用程序添加Microsoft Graph的Directory.Read.All
权限,您可以运行以下PowerShell脚本:
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000"
$DirectoryReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7ab1d382-f21e-4acd-a863-ba3e13f7da61","Role"
$Graph.ResourceAccess = $DirectoryReadAll
$app = Get-AzureADApplication -SearchString "test"
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $Graph
响应:
当我在门户中检查相同的操作时,成功向应用程序添加了**Directory.Read.All
**权限,如下所示:
要向上述权限授予管理员同意,您需要创建服务主体并运行以下PowerShell脚本:
$sp = New-AzureADServicePrincipal -AccountEnabled $true -AppId $app.AppId -AppRoleAssignmentRequired $true -DisplayName "test"
$graphsp = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
New-AzureADServiceAppRoleAssignment `
-Id $DirectoryReadAll.Id `
-ObjectId $sp.ObjectId `
-PrincipalId $sp.ObjectId `
-ResourceId $graphsp.ObjectId
响应:
要确认这一点,您可以在门户中检查,管理员同意已成功授予,如下所示:
英文:
I tried to reproduce the same in my environment and got below results:
I ran same PowerShell script as you and got response like below:
#Connect to Azure AD
Connect-AzAccount -TenantId <tenantID>
Connect-AzureAD
#Set variables for the app
$appName = "test"
$secret = "MySecret"
#Create the app
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false
#Create the client secret
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate
#Retrieve the tenant ID
$tenantId = (Get-AzureADTenantDetail).ObjectId
#giving Reader Role
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal" -Scope "/subscriptions/<subID>/resourcegroups/<myRGname>"
#Print the App-ID, tenant ID, and client secret
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"
Response:
When I checked the same in Portal, application named test
created successfully like below:
To add Microsoft Graph Directory.Read.All
permission to this application, you can run below PowerShell script:
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000"
$DirectoryReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7ab1d382-f21e-4acd-a863-ba3e13f7da61","Role"
$Graph.ResourceAccess = $DirectoryReadAll
$app = Get-AzureADApplication -SearchString "test"
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $Graph
Response:
When I checked the same in Portal, Directory.Read.All
permission added to the application successfully like below:
To grant admin consent to above permission, you need to create service principal and run PowerShell script like below:
$sp = New-AzureADServicePrincipal -AccountEnabled $true -AppId $app.AppId -AppRoleAssignmentRequired $true -DisplayName "test"
$graphsp = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
New-AzureADServiceAppRoleAssignment `
-Id $DirectoryReadAll.Id `
-ObjectId $sp.ObjectId `
-PrincipalId $sp.ObjectId `
-ResourceId $graphsp.ObjectId
Response:
To confirm that, you can check Portal where admin consent is granted successfully like below:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论