是否使用Microsoft Graph SDK for Powershell将角色分配给应用程序服务主体?
我正在使用,因为我的脚本需要Powershell 7支持,AzureAD模块在Windows上除了Powershell 5之外的任何地方都有很多问题。基本上,我正在尝试在B2C租户中创建应用程序注册。我遇到的问题是,我的脚本看起来很好,但我无法对定义的任何作用域授予任何管理员许可。然后我注意到了一个问题——当你在门户中创建应用注册时,它会自动获得一个服务主体,是否使用Microsoft Graph SDK for Powershell将角色分配给应用程序服务主体?,powershell,azure-active-directory,microsoft-graph-api,azure-ad-b2c,microsoft-graph-sdks,Powershell,Azure Active Directory,Microsoft Graph Api,Azure Ad B2c,Microsoft Graph Sdks,我正在使用,因为我的脚本需要Powershell 7支持,AzureAD模块在Windows上除了Powershell 5之外的任何地方都有很多问题。基本上,我正在尝试在B2C租户中创建应用程序注册。我遇到的问题是,我的脚本看起来很好,但我无法对定义的任何作用域授予任何管理员许可。然后我注意到了一个问题——当你在门户中创建应用注册时,它会自动获得一个服务主体,newmgapplication不会这样做 在我尝试使用New-MgServicePrincipalAppRoleAssignment将服
newmgapplication
不会这样做
在我尝试使用New-MgServicePrincipalAppRoleAssignment
将服务主体分配给我的应用程序之前,我有下面的脚本可以运行,其中出现错误:New-MgServicePrincipalAppRoleAssignment\u CreateExpanded:不是有效的参考更新。
我不确定这是否是适合我需要的功能,或者New MgRoleManagementDirectoryRoleAssignment
是否是正确的功能
function Upsert-AppRegistration {
Param(
[string] $TemplateParametersFile,
[string] $ResourceGroupName
)
$templateParameters = Get-Content $TemplateParametersFile | ConvertFrom-Json
$customerName = $templateParameters.parameters.customerName.value
$deploymentIdentifier = $templateParameters.parameters.deploymentIdentifier.value
$b2cTenantId = $templateParameters.parameters.b2cTenantId.value
$b2cTenantName = $templateParameters.parameters.b2cTenantName.value
$GraphConnection = Connect-Graph -TenantId $b2cTenantId -Scopes "User.Read","User.ReadWrite.All","Mail.ReadWrite",`
"Directory.ReadWrite.All","Chat.ReadWrite", "People.Read", `
"Group.Read.All", "Directory.AccessAsUser.All", "Tasks.ReadWrite", `
"Sites.Manage.All"
[string[]]$webRedirectUris =
"https://localhost:5050/LoginView",
"https://localhost:5050/DashboardView",
"https://localhost:5050/UsersView",
"https://localhost:5050/OrdersView"
# Our custom app.login scope for delegated permissions from front-end login
$oauth2PermissionScopes = @{
"Id" = [guid]::NewGuid().guid
"Value" = "app.login"
"AdminConsentDescription" = "This will provide the application access to login"
"AdminConsentDisplayName" = "Admin delegated login"
"IsEnabled" = $true
"Type" = "Admin"
}
[object[]]$appLoginScope = @{
"Id" = $oauth2PermissionScopes.Id
"Type" = "Scope"
}
# Microsoft.Graph ResourceAccess scopes and roles
$mgOfflineAccessScope = @{
"Id" = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"
"Type" = "Scope"
}
$mgOpenidScope = @{
"Id" = "37f7f235-527c-4136-accd-4a02d197296e"
"Type" = "Scope"
}
$mgDirectoryReadWriteAllRole = @{
"Id" = "19dbc75e-c2e2-444c-a770-ec69d8559fc7"
"Type" = "Role"
}
$mgResourceAccess = $mgOfflineAccessScope, $mgOpenidScope, $mgDirectoryReadWriteAllRole
[object[]]$requiredResourceAccess = @{
"ResourceAppId" = "00000003-0000-0000-c000-000000000000"
"ResourceAccess" = $mgResourceAccess
}
$mgApplicationParams = @{
"DisplayName" = "${customerName}-${deploymentIdentifier}"
"ApiOauth2PermissionScopes" = $oauth2PermissionScopes
"ApiRequestedAccessTokenVersion" = 2
"ImplicitGrantSettingEnableAccessTokenIssuance" = $true
"ImplicitGrantSettingEnableIdTokenIssuance" = $true
"RequiredResourceAccess" = $requiredResourceAccess
"WebLogoutUrl" = "https://localhost:5050/LogoutView"
"WebRedirectUris" = $webRedirectUris
"IdentifierUris" = "https://$b2cTenantName.onmicrosoft.com/app"
}
# We need to create our application before we can add permissions to our custom scope
$mgApplication = New-MgApplication @mgApplicationParams
# Now our application has an Id so we can finish setting up the RequiredResourceAccess
$newRequiredResourceAccess = $requiredResourceAccess + @{
"ResourceAppId" = $mgApplication.AppId
"ResourceAccess" = $appLoginScope
}
# Azure doesn't always update immediately, make sure app exists before we try to update its config
$appExists = $false
while (!$appExists) {
Start-Sleep -Seconds 2
$appExists = Get-MgApplication -ApplicationId $mgApplication.Id
}
$mgApplicationParams.Add("ApplicationId", $mgApplication.Id)
$mgApplicationParams.RequiredResourceAccess = $newRequiredResourceAccess
Update-MgApplication @mgApplicationParams
$appServicePrincipal = New-MgServicePrincipal -AppId $mgApplication.AppId -Tags @("WindowsAzureActiveDirectoryIntegratedApp")
$result = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServicePrincipal.Id `
-AppRoleId 19dbc75e-c2e2-444c-a770-ec69d8559fc7 `
-ResourceId 429a2356-9cdc-475e-8caf-cfe8b7c77db8 `
-PrincipalType "ServicePrincipal"
# @TODO Generate app client secret
$appClientSecret = "--SECRET--"
Write-Host "Created the app registration ${customerName}-${deploymentIdentifier} with client Id:",
$mgApplication.AppId -ForegroundColor Yellow
@{
"appClientId" = $mgApplication.AppId
"appClientSecret" = $appClientSecret
}
}
事实证明,我不需要为我的服务负责人分配一个角色来完成it工作和所有工作,以便正确显示。这是Azure用户界面的滞后性和在服务主体中添加标记的关键性的结合,当我发布此信息时,我还没有对其进行测试。结果表明,我不需要为我的服务主体分配一个角色以使其工作和所有内容正确显示。这是Azure用户界面的滞后性和在服务主体中添加标记的关键性的结合,当我发布此信息时,我还没有对其进行测试。您找到如何创建$appClientSecret了吗?您找到如何创建$appClientSecret了吗?