Azure Active Directory Dynamics 365 Business Central Terraform scopes

Tags: azure-active-directory, terraform, dynamics-business-central

I am trying to create a Terraform script that registers an application in Azure AD.

I have successfully produced a script that only reads scopes from Microsoft Graph. But I am struggling to figure out what the equivalents of these scopes are in Business Central (cloud version).

For Microsoft Graph I have the following permissions:

  • email
  • offline_access
  • openid
  • profile
  • Financials.ReadWrite.All
  • User.Read
I read them in Terraform like this:

provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version         = "~> 0.10"
  subscription_id = var.subscription_id
}

# Look up the Microsoft Graph service principal so that permission GUIDs can be
# resolved from their human-readable scope names instead of being hard-coded.
data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}

# matchkeys() returns the id(s) whose position in the .value list matches the
# requested scope name; [0] takes the single match.
locals {
  MAIL_PERMISSION                  = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("email"))[0]}"
  USER_READ_PERMISSION             = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("User.Read"))[0]}"
  FINANCIALS_READ_WRITE_PERMISSION = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("Financials.ReadWrite.All"))[0]}"
  OFFLINE_PERMISSION               = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("offline_access"))[0]}"
  OPENID_PERMISSION                = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("openid"))[0]}"
  PROFILE_PERMISSION               = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("profile"))[0]}"
}
That seems to work fine. I am just struggling to find a similar way to do this for Business Central.

I am interested in these:

  • app_access
  • Financials.ReadWrite.All
  • user_impersonation
Does anyone know what the endpoint might look like? The documentation is very limited.

Edit:

Here is the final script, for anyone interested in setting up a Business Central app registration:

variable "subscription_id" {
  type = string
}
variable "app_name" {
  type = string
}
variable "app_homepage" {
  type = string
}
variable "app_reply_urls" {
  type = list(string)
}

provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version         = "~> 0.10"
  subscription_id = var.subscription_id
}

data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}

data "azuread_service_principal" "d365bc" {
  display_name = "Dynamics 365 Business Central"
}

locals {
  # Each lookup resolves a permission's GUID from its human-readable value on the
  # resource service principal. Application permissions live under app_roles,
  # delegated permissions under oauth2_permissions.
  APP_ACCESS_PERMISSION                 = "${matchkeys(data.azuread_service_principal.d365bc.app_roles.*.id, data.azuread_service_principal.d365bc.app_roles.*.value, list("app_access"))[0]}"
  USER_IMPERSONATION_PERMISSION         = "${matchkeys(data.azuread_service_principal.d365bc.oauth2_permissions.*.id, data.azuread_service_principal.d365bc.oauth2_permissions.*.value, list("user_impersonation"))[0]}"
  BC_FINANCIALS_READ_WRITE_PERMISSION   = "${matchkeys(data.azuread_service_principal.d365bc.oauth2_permissions.*.id, data.azuread_service_principal.d365bc.oauth2_permissions.*.value, list("Financials.ReadWrite.All"))[0]}"
  GRAPH_FINANCIAL_READ_WRITE_PERMISSION = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("Financials.ReadWrite.All"))[0]}"
  USER_READ_PERMISSION                  = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("User.Read"))[0]}"
  MAIL_PERMISSION                       = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("email"))[0]}"
  OFFLINE_PERMISSION                    = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("offline_access"))[0]}"
  OPENID_PERMISSION                     = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("openid"))[0]}"
  PROFILE_PERMISSION                    = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("profile"))[0]}"
}

resource "azuread_application" "businessCentral" {
  name                       = var.app_name
  homepage                   = var.app_homepage
  identifier_uris            = []
  reply_urls                 = var.app_reply_urls
  available_to_other_tenants = true # multi-tenant registration
  type                       = "webapp/api"

  # Delegated permissions on Microsoft Graph (all of type Scope).
  required_resource_access {
    resource_app_id = data.azuread_service_principal.graph-api.application_id
    resource_access {
      id   = local.GRAPH_FINANCIAL_READ_WRITE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.MAIL_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.USER_READ_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.OFFLINE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.OPENID_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.PROFILE_PERMISSION
      type = "Scope"
    }
  }

  # Permissions on Dynamics 365 Business Central: app_access is an application
  # permission (Role); user_impersonation and Financials.ReadWrite.All are
  # delegated permissions (Scope).
  required_resource_access {
    resource_app_id = data.azuread_service_principal.d365bc.application_id
    resource_access {
      id   = local.APP_ACCESS_PERMISSION
      type = "Role"
    }
    resource_access {
      id   = local.USER_IMPERSONATION_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.BC_FINANCIALS_READ_WRITE_PERMISSION
      type = "Scope"
    }
  }

  # App role exposed by this application itself, assignable to other applications.
  app_role {
    allowed_member_types = [
      "Application"
    ]
    description  = "Admins can manage roles and perform all task actions"
    display_name = "Admin"
    is_enabled   = true
    value        = "Admin"
  }
}

Note that app_access is a Role, while the rest of the API permissions are Scopes.

You can invoke the above Terraform like this:

terraform plan -var="subscription_id={your_subscription_id}" -var='app_reply_urls={your_urls_array}' -var="app_name={your_app_name}" -var="app_homepage={your_app_homepage}"

Try this:

provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version = "=0.10.0"
}

data "azuread_service_principal" "d365bc" {
  application_id = "996def3d-b36c-4153-8607-a6fd3c01b89f"
}

locals {
  APP_ACCESS_PERMISSION            = "${matchkeys(data.azuread_service_principal.d365bc.app_roles.*.id, data.azuread_service_principal.d365bc.app_roles.*.value, list("app_access"))[0]}"
  USER_IMPERSONATION_PERMISSION    = "${matchkeys(data.azuread_service_principal.d365bc.oauth2_permissions.*.id, data.azuread_service_principal.d365bc.oauth2_permissions.*.value, list("user_impersonation"))[0]}"
  FINANCIALS_READ_WRITE_PERMISSION = "${matchkeys(data.azuread_service_principal.d365bc.oauth2_permissions.*.id, data.azuread_service_principal.d365bc.oauth2_permissions.*.value, list("Financials.ReadWrite.All"))[0]}"
}
996def3d-b36c-4153-8607-a6fd3c01b89f is the client id of the Microsoft Dynamics 365 BC service principal.

app_access is an application permission, so we need to use app_roles rather than oauth2_permissions here.

Thanks a lot. That was really helpful. How did you find the principal id of d365bc? Just for future reference.

@KristianBarrett Add the D365 BC permission (e.g. Financials.ReadWrite.All) to an Azure AD application in the Azure portal, then look at the AAD application's manifest file; you will find the resource id of D365 BC there.