Extend access token lifetime of an Azure AD application

Tags: azure, azure-active-directory

Hello, I want to extend the access token lifetime of an Azure application registration. I know there are already many questions like this, but none of them seem to work, so I thought I would create a new question instead of answering every one of them with my question.

I use the following PowerShell code to create an Azure AD policy that extends the lifetime and to attach it to my application registration:

# import the azure ad module
Import-Module AzureADPreview

# connect with an admin with proper privileges
Connect-AzureAD

# specify the policy name and Azure application name
$policyName = "ExtendedLifeTimePolicyADAppRegistration"
$applicationName = "AzureTest"

Write-Host "Create a new policy"
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"04:00:00","MaxInactiveTime":"04:00:00","MaxAgeMultiFactor":"04:00:00","MaxAgeSingleFactor":"04:00:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# Get the Azure AD application
$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"
Write-Host "Apply the new policy"
Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id

Write-Host "Get assigned policies..."
Get-AzureADApplicationPolicy -Id $app.ObjectId
No error is shown, and Get-AzureADApplicationPolicy returns that the policy is attached to my Azure AD application.

The following code prints the access token and its expiry date. I use this code to print the access token for the Azure AD application registration:

Disconnect-AzureRmAccount
if(-not (Get-Module AzureRm.Profile)) {
    Import-Module AzureRm.Profile
}

function Get-AzureRmCachedAccessToken()
{
    $ErrorActionPreference = 'Stop'

    if(-not (Get-Module AzureRm.Profile)) {
        Import-Module AzureRm.Profile
    }
    $azureRmProfileModuleVersion = (Get-Module AzureRm.Profile).Version
    # refactoring performed in AzureRm.Profile v3.0 or later
    if($azureRmProfileModuleVersion.Major -ge 3) {
        $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
        if(-not $azureRmProfile.Accounts.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    } else {
        # AzureRm.Profile < v3.0
        $azureRmProfile = [Microsoft.WindowsAzure.Commands.Common.AzureRmProfileProvider]::Instance.Profile
        if(-not $azureRmProfile.Context.Account.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    }

    $currentAzureContext = Get-AzureRmContext
    # print the current context and the cached token items (these carry the ExpiresOn date)
    $currentAzureContext
    $profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
    Write-Debug ("Getting access token for tenant " + $currentAzureContext.Tenant.TenantId)
    $currentAzureContext.TokenCache.ReadItems()
    # acquire (or refresh) the access token for the current tenant and print it
    $token = $profileClient.AcquireAccessToken($currentAzureContext.Tenant.TenantId)
    Write-Output "####"
    $token
    Write-Output "####"
}

$tenantId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientID = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# sign in as the application's service principal with its client secret
$passwd = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($ClientId, $passwd)

#Connect-AzurermAccount -Credential $pscredential -Tenant $tenantId
Add-AzureRmAccount -Credential $pscredential -TenantId $tenantId -ServicePrincipal
Get-AzureRmCachedAccessToken
At first I thought the code capturing the access token was not valid because the token is cached, so I tried the following code from the MS doc in Postman. But this gave the same output as the previous PowerShell code: the same default expiry time of 1 hour.

In previous SO questions I saw that people who changed the IsOrganizationDefault variable to "true" did get the AD policy working. Two remarks about this:

  • I don't have the permission to set this value to true, because it affects the whole tenant
  • I don't want to set this to true, because it also affects any other user who creates an application registration and retrieves an access token

  • Does anyone see what I am missing, forgot to do, or did wrong?
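As an added example (not code from the question, the answers, or Microsoft), the PowerShell below decodes the access token's claims and reports the actual lifetime, so you can verify whether the 04:00:00 AccessTokenLifetime from the policy took effect instead of trusting the policy assignment alone. It assumes .NET 4.6 or later for DateTimeOffset.FromUnixTimeSeconds, runs on a constructed unsigned sample token with placeholder ids, and only reads claims without validating the signature; in practice you would pass the AccessToken property of the object AcquireAccessToken returns in Get-AzureRmCachedAccessToken.

```powershell
# Decode an Azure AD access token (a JWT) and report how long it is valid, to check
# whether the policy's AccessTokenLifetime (04:00:00) took effect. A longer lifetime
# also widens the window in which a leaked token stays usable.
function Get-JwtLifetime {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected header.payload.signature" }
    # The payload is base64url: restore the standard alphabet and the padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        1 { throw "Invalid base64url payload length" }
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    # Claims are read only; this does NOT validate the signature or the issuer
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.iat)
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    [pscustomobject]@{
        AppId     = $claims.appid
        TenantId  = $claims.tid
        IssuedUtc = $issued.UtcDateTime
        ExpiryUtc = $expires.UtcDateTime
        Lifetime  = $expires - $issued   # the value TokenLifetimePolicy is meant to change
    }
}

# Constructed, unsigned sample token with placeholder ids so the check runs offline;
# iat and exp are 14400 s apart, the 04:00:00 the policy asks for. In practice pass
# the AccessToken string returned by AcquireAccessToken in Get-AzureRmCachedAccessToken.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$body   = ConvertTo-Base64Url '{"appid":"00000000-0000-0000-0000-000000000000","tid":"00000000-0000-0000-0000-000000000000","iat":1700000000,"exp":1700014400}'
$sampleToken = ($header, $body, '') -join '.'

$info = Get-JwtLifetime -Jwt $sampleToken
$info | Format-List

# Compare against the lifetime the policy requested; an unpoliced token shows about 01:00:00
$requested = [TimeSpan]::Parse('04:00:00')
if ($info.Lifetime -ge $requested) {
    "Policy applied: token lifetime is $($info.Lifetime)"
} else {
    "Policy not applied: token lifetime is $($info.Lifetime), default is about 1 hour"
}
```

A real token that still reports a lifetime of about one hour after the policy is attached confirms the policy did not apply to that token, whatever Get-AzureADApplicationPolicy lists.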

    Based on my test, it currently only works with -IsOrganizationDefault $true, regardless of whether Add-AzureADServicePrincipalPolicy or Add-AzureADApplicationPolicy is used; with -IsOrganizationDefault $false, neither works.


    You should note that this feature is in preview, and the PowerShell commands you use are also only available in AzureADPreview. I think the feature may not be fully implemented yet, which causes the problem.

    Thanks for your answer. I know it is a preview feature, but if it only works with the option "IsOrganizationDefault $true", what is the point of the Add-AzureADApplicationPolicy or Add-AzureADServicePrincipalPolicy commands? IsOrganizationDefault will set the policy on the whole organization.

    @achahbar I think the feature is not implemented yet; Microsoft should implement it in the future.