Extend the access token lifetime of an Azure AD application
Hello, I want to extend the access token lifetime of an Azure application registration. I know there are already many questions like this, but none of them seem to work, so I figured I would create a new question rather than answer each of them with my problem. I use the following PowerShell code to create an Azure AD policy that extends the lifetime and to attach it to my application registration:
# import the azure ad module
Import-Module AzureADPreview
# connect with an admin with proper privileges
Connect-AzureAD
# specify the policyname and Azure application name
$policyName = "ExtendedLifeTimePolicyADAppRegistration"
$applicationName = "AzureTest"
Write-Host "Create a new policy"
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"04:00:00","MaxInactiveTime":"04:00:00","MaxAgeMultiFactor":"04:00:00","MaxAgeSingleFactor":"04:00:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
# Get the Azure AD application
$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"
Write-Host "Apply the new policy"
Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
Write-Host "Get assigned policies..."
Get-AzureADApplicationPolicy -Id $app.ObjectId
No error code is shown, and Get-AzureADApplicationPolicy returns that the policy is attached to my Azure AD application.
The following code prints the access token and its expiration date:
I use this code to print the access token of the Azure AD application registration.
Disconnect-AzureRmAccount
if (-not (Get-Module AzureRm.Profile)) {
    Import-Module AzureRm.Profile
}
function Get-AzureRmCachedAccessToken()
{
    $ErrorActionPreference = 'Stop'
    if (-not (Get-Module AzureRm.Profile)) {
        Import-Module AzureRm.Profile
    }
    $azureRmProfileModuleVersion = (Get-Module AzureRm.Profile).Version
    # refactoring performed in AzureRm.Profile v3.0 or later
    if ($azureRmProfileModuleVersion.Major -ge 3) {
        $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
        if (-not $azureRmProfile.Accounts.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    } else {
        # AzureRm.Profile < v3.0
        $azureRmProfile = [Microsoft.WindowsAzure.Commands.Common.AzureRmProfileProvider]::Instance.Profile
        if (-not $azureRmProfile.Context.Account.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    }
    $currentAzureContext = Get-AzureRmContext
    # print the current context for debugging
    $currentAzureContext
    $profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
    Write-Debug ("Getting access token for tenant " + $currentAzureContext.Tenant.TenantId)
    # dump the cached token items, then acquire (or reuse from cache) an access token for the tenant
    $currentAzureContext.TokenCache.ReadItems()
    $token = $profileClient.AcquireAccessToken($currentAzureContext.Tenant.TenantId)
    Write-Output "####"
    $token
    Write-Output "####"
}
# service principal credentials (placeholders)
$tenantId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$passwd = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($ClientId, $passwd)
#Connect-AzurermAccount -Credential $pscredential -Tenant $tenantId
Add-AzureRmAccount -Credential $pscredential -TenantId $tenantId -ServicePrincipal
Get-AzureRmCachedAccessToken
First, I thought the code that captures the access token was not effective because the token is cached, so I tried the following code from the MS docs in Postman. But it gives the same output as the previous PowerShell code: the same as the default 1-hour expiration.
In previous SO questions I saw that people who changed the IsOrganizationDefault variable to "true" did get the AD policy working.
Two remarks on this:
Does anyone see what I am missing, forgot to do, or did wrong?
Based on my tests it currently only works with -IsOrganizationDefault $true, regardless of whether Add-AzureADServicePrincipalPolicy or Add-AzureADApplicationPolicy is used; with -IsOrganizationDefault $false neither works.
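One way to check directly whether the policy took effect, as an added example that is not part of the original question or answer: decode the payload of the issued JWT and compute its lifetime from the iat and exp claims, instead of relying on a cached ExpiresOn value. The sample token below is constructed and unsigned; the final comment that passes $token.AccessToken from the question's Get-AzureRmCachedAccessToken assumes that property name on the returned object.

```powershell
# Added example (not from the original question): decode a JWT payload and report the
# token lifetime from its iat/exp claims, so a TokenLifetimePolicy (04:00:00 in the
# question, vs. the 1-hour default) can be verified from the token itself.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtLifetime {
    param(
        [Parameter(Mandatory)][string]$Token,
        [TimeSpan]$Expected = [TimeSpan]::FromHours(4)   # the lifetime the question's policy sets
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }
    # only the payload is decoded; the signature is NOT verified here (read-only diagnostic)
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.iat)
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $lifetime = $expires - $issued
    [pscustomobject]@{
        Audience    = $claims.aud
        AppId       = $claims.appid
        IssuedAt    = $issued.UtcDateTime
        ExpiresAt   = $expires.UtcDateTime
        Lifetime    = $lifetime
        MeetsPolicy = ($lifetime -ge $Expected)
    }
}

# Constructed, unsigned sample token (alg=none) standing in for a real Azure AD token.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url (@{ alg = 'none'; typ = 'JWT' } | ConvertTo-Json -Compress)
$payload = ConvertTo-Base64Url (@{
    aud = 'https://management.azure.com/'; appid = '00000000-0000-0000-0000-000000000000'
    iat = 1600000000; nbf = 1600000000; exp = 1600003600   # exp - iat = 1 hour (the default)
} | ConvertTo-Json -Compress)
$sampleJwt = "$header.$payload."

Get-JwtLifetime -Token $sampleJwt | Format-List
# With the question's script: Get-JwtLifetime -Token $token.AccessToken  (property name assumed)
```

A 1-hour Lifetime with MeetsPolicy False means the 04:00:00 policy was not applied to the token that was issued, whatever Get-AzureADApplicationPolicy reports about the assignment.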
You should note that this feature is in preview, and the PowerShell commands you are using are only available in AzureADPreview. I think the feature may not be fully implemented yet, which is causing the problem.

Thank you for your answer. I know it is a preview feature, but if it only works with the option "IsOrganizationDefault $true", what is the point of the Add-AzureADApplicationPolicy or Add-AzureADServicePrincipalPolicy commands? IsOrganizationDefault will set the policy on the whole organization.

@achahbar I think the feature is not implemented yet, and Microsoft should implement it in the future.