&引用；应为一元运算符“；使用Azure Cloud Shell部署ps1脚本时出错

我有一个powershell脚本，用于创建Azure应用程序注册和服务主体，并在管理组中授予其权限。它的大部分功能正常；我在脚本中遇到的问题是对应用程序注册授予的权限授予管理员同意

在下面的脚本中，您会注意到我将尝试通过

az rest

命令调用api，但这将返回一个

一元运算符预期的'-'

。有没有人在Azure Cloud Shell中使用az cli并通过编程方式授予应用程序注册的管理员许可

#!/usr/local/bin/pwsh
# This powershell script creates an app registration and assigns it the owner role to a management group

# Command used to run script ./test-appregistration.ps1 -ManagementGroupName <Management Group Name> -AppRegistrationName <App Name> -ReplyURL <Redirect URL>

# Input Variable(s)
param(
  [Parameter(Mandatory = $true)]
  [string] $ManagementGroupName,
  [Parameter(Mandatory = $true)]
  [string] $AppRegistrationName,
  [Parameter(Mandatory = $true)]
  [string] $ReplyURL
)

### Permission endpoints in the $permissions array variable
# UserRead = "06da0dbc-49e2-44d2-8312-53f166ab848a=Scope"
# DirectoryReadAll = "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope"
# UserReadAll = "62a82d76-70ea-41e2-9197-370581804d09=Role"
# GroupsReadWriteAll = "df021288-bdef-4463-88db-98f22de89214=Role"

# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirming AZ CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
$azcli = az version --query '\"azure-cli\"'

if ($null -eq $azcli) {
  throw "Azure CLI not installed. Please install the Azure CLI and try again"
  Write-Host "AZ CLI not installed; aborting script execution."
  Exit    
}
else {
  Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
}
Start-Sleep -s 3

# Check if logged into Azure
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>&1
if ($azContext -match "ERROR: Please run 'az login' to setup account.") {
  Write-Host "Logging into Azure"
  az login
}
else {
  Write-Host "You are already logged in, your current context is $azContext"
}

#Create Client Secret
$pwArr = "!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".tochararray() 
$Password = ($pwArr | Get-Random -Count 20) -Join ''

# App Registration Creation
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a Service Principal for the App Registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."

az role assignment create --role "User Access Administrator" --assignee-object-id $appSP
az ad app permission grant --id $appId --api $MSGraphId --debug

# Add API Permissions to App Registration
foreach ($permission in $permissions) {
  az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

foreach($permission in $permissions){ 

  az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/$MSGraphId/appRoleAssignments --header Content-Type=application/json --body '{
          "principalId": $appSP,
          "resourceId": $MSGraphId,
          "appRoleId": $permissions
        }' 
}

# Retrieve Object Id from Service Principal
$spId = az ad sp show --id $appId --query "objectId" -o tsv
Write-Host "$AppRegistrationName Service Principal Object Id is $spId"
Start-Sleep -s 5

# Gets Management Group and assigns the Service Principal the Owner role on Management Group
az role assignment create --role "Owner" --assignee-object-id $spId --scope "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"
Write-Host "$AppRegistrationName assigned Owner permissions to Management Group $ManagementGroupName"
Start-Sleep -s 5

# Gets Required Output from Script
Write-Output `n "Domain name(s) for Azure AD Tenant is/are $domain"
Write-Output `n "App Registration Client Id = $appId" 
Write-Output `n "Client Secret of App Registration = $Password"

#/usr/本地/bin/pwsh
#此powershell脚本创建应用程序注册，并将其所有者角色分配给管理组
#用于运行脚本的命令。/test-appregistration.ps1-ManagementGroupName-AppRegistrationName-ReplyURL
#输入变量
param(
[参数（必需=$true）]
[字符串]$ManagementGroupName，
[参数（必需=$true）]
[字符串]$AppRegistrationName，
[参数（必需=$true）]
[字符串]$ReplyURL
)
###$permissions数组变量中的权限终结点
#UserRead=“06da0dbc-49e2-44d2-8312-53f166ab848a=范围”
#DirectoryReadAll=“e1fe6dd8-ba31-4d61-89e7-88639da4683d=范围”
#UserReadAll=“62a82d76-70ea-41e2-9197-370581804d09=角色”
#GroupsReadWriteAll=“df021288-bdef-4463-88db-98f22de89214=角色”
#变数
$MSGraphId=“00000003-0000-0000-c000-000000000000”
$permissions=@（“06da0dbc-49e2-44d2-8312-53f166ab848a=范围”，“e1fe6dd8-ba31-4d61-89e7-88639da4683d=范围”，“62a82d76-70ea-41e2-9197-370581804d09=角色”，“df021288-bdef-4463-88db-98f22de89214=角色”）
#确认本地主机上已安装AZ CLI
写入主机“验证是否安装了AZ CLI…”
$azcli=az版本--查询'\'azure cli\''
如果（$null-eq$azcli）{
抛出“未安装Azure CLI。请安装Azure CLI并重试”
写入主机“未安装AZ CLI；正在中止脚本执行。”
出口
}
否则{
写入主机“Azure CLI版本$azcli安装在本地主机上；继续执行脚本”
}
开始睡眠-S3
#检查是否已登录Azure
$azContext=az帐户显示--查询'[environmentName，tenantId，user.name]'-o tsv 2>&1
如果（$azContext-match“错误：请运行'az登录'以设置帐户。”）{
写入主机“登录Azure”
az登录
}
否则{
写入主机“您已登录，当前上下文为$azContext”
}
#创建客户端机密
$pwArr=“！？@$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ”abcdefghijklmnopqrstuvwxyz”。tochararray（）
$Password=（$pwArr |随机获取-计数20）-加入“”
#应用程序注册创建
$appId=az ad app create--显示名称$APPREGISTRIONNAME--回复URL$ReplyURL--密码$password--凭证说明“CT Secret”--结束日期“2299-12-12”--查询“appId”-o tsv
写入主机“应用程序注册$AppRegistrationName已创建，客户端Id为$appId”
开始睡眠-s10
#为应用注册创建服务主体
$appSP=az ad sp create--id$appId--query“objectId”-o tsv
写入主机“应用程序注册的服务主体$AppRegistrationName（使用ID$appSP创建）。”
az角色分配创建--角色“用户访问管理员”--受让人对象id$appSP
az ad应用程序权限授予--id$appId--api$MSGraphId--debug
#向应用程序注册添加API权限
foreach（$permissions中的权限）{
az ad应用程序权限添加--id$appId--api$MSGraphId--api权限$permission
}
写入主机“Id为$MSGraphId的Microsoft图形权限已添加到应用程序注册”
开始睡眠-s10
foreach（$permissions中的权限）{
az rest——方法POST——urihttps://graph.microsoft.com/beta/servicePrincipals/$MSGraphId/approvalsignments--header Content Type=application/json--body'{
“principalId”：$appSP，
“资源ID”：$MSGraphId，
“appRoleId”：$permissions
}' 
}
#从服务主体检索对象Id
$spId=az ad sp show--id$appId--query“objectId”-o tsv
写入主机“$AppRegistrationName服务主体对象Id为$spId”
开始睡眠-s5
#获取管理组并为服务主体分配管理组上的所有者角色
az角色分配创建--角色“所有者”--受让人对象id$spId--范围“/提供者/Microsoft.Management/managementGroups/$ManagementGroupName”
写入主机“$AppRegistrationName已将所有者权限分配给管理组$ManagementGroupName”
开始睡眠-s5
#从脚本获取所需的输出
写入输出`n“Azure AD租户的域名为/均为$Domain”
写入输出`n“应用程序注册客户端Id=$appId”
写入输出`n“应用注册的客户端密码=$Password”

如果要使用Azure CLI完成Azure AD管理员同意，可以使用命令

az AD app permission admin Approve

。有关更多详细信息，请参阅

比如说

# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirming AZ CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
$azcli = az version --query '\"azure-cli\"'

if ($null -eq $azcli) {
  throw "Azure CLI not installed. Please install the Azure CLI and try again"
  Write-Host "AZ CLI not installed; aborting script execution."
  Exit    
}
else {
  Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
}
Start-Sleep -s 3

# Check if logged into Azure
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>&1
if ($azContext -match "ERROR: Please run 'az login' to setup account.") {
  Write-Host "Logging into Azure"
  az login
}
else {
  Write-Host "You are already logged in, your current context is $azContext"
}

#Create Client Secret
$pwArr = "!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".tochararray() 
$Password = ($pwArr | Get-Random -Count 20) -Join ''

$AppRegistrationName="testapp458"
$ReplyURL="http://localhost"
# App Registration Creation
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a Service Principal for the App Registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."

az role assignment create --role "User Access Administrator" --assignee-object-id $appSP
az ad app permission grant --id $appId --api $MSGraphId 

# Add API Permissions to App Registration
foreach ($permission in $permissions) {
  az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

az ad app permission admin-consent --id $appId

---

您是如何确定错误是在

az rest

抛出的？有多个

az

调用使用

--双虚线开关

-您是否可以共享完整的错误消息？顺便说一句，“预期一元运算符”似乎是由

bash

引发的错误，而不是

PowerShell

-您是否仔细检查了语言（左上角）在你的云壳里？我今天会测试确认。上一次我尝试使用

az-app-permission-admin-app-app-app-app-app-app-app-app-approval-id 6320b562-e4dbc-4ddd-85e4-d5eb6ee5aa67-api 0000000 3-0000-0000-c000-000000000000”时，我仍然收到一个错误，说明更改需要
。我是通过脚本来做这件事的，但可能是错误的，因为脚本似乎为你工作了？？将继续对其进行故障排除。@boyarmary_89在运行命令之前，我们需要运行命令
az-ad-app-permission-add
以添加权限：当运行
az-app-permission-admin-appress