Azure Active Directory Object Permissions
I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token and perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/
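Since the directory permission itself cannot be narrowed to particular groups, one compensating control is to keep the broad client credential inside a small wrapper that only builds membership requests for an allowlist of group object IDs. This is an added Python example, not code from the question or the answer; the tenant name, group and member IDs are constructed placeholders, and the request shapes are assumed to follow the Azure AD Graph 1.6 `$links/members` endpoint.

```python
import json
import urllib.request
from urllib.parse import quote

# Constructed example values, not taken from the original question.
TENANT = "contoso.onmicrosoft.com"
GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"

# The only groups this wrapper may touch. Group.ReadWrite.All applies to
# every group in the tenant, so the narrowing has to happen in code that
# holds the credential, and nowhere else should be able to call the API.
ALLOWED_GROUPS = frozenset({
    "11111111-1111-1111-1111-111111111111",  # constructed group object ID
    "22222222-2222-2222-2222-222222222222",  # constructed group object ID
})


class GroupNotAllowed(PermissionError):
    """Raised when a caller asks to modify a group outside the allowlist."""


def build_member_request(op, group_id, member_id, token):
    """Return an unsent urllib Request that adds or removes one group member.

    op is "add" or "remove". Nothing is built for a group that is not on the
    allowlist, so the broad permission cannot be reused against other groups
    through this code path. The caller decides whether to send the request.
    """
    if group_id not in ALLOWED_GROUPS:
        raise GroupNotAllowed(f"group {group_id} is not in the allowlist")
    base = f"{GRAPH}/{quote(TENANT)}/groups/{quote(group_id)}/$links/members"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    if op == "add":
        # Azure AD Graph adds a member by POSTing a link to the directory object.
        target = f"{GRAPH}/{quote(TENANT)}/directoryObjects/{quote(member_id)}"
        body = json.dumps({"url": target}).encode()
        return urllib.request.Request(f"{base}?api-version={API_VERSION}",
                                      data=body, headers=headers, method="POST")
    if op == "remove":
        # Removal is a DELETE on the specific member link.
        return urllib.request.Request(
            f"{base}/{quote(member_id)}?api-version={API_VERSION}",
            headers=headers, method="DELETE")
    raise ValueError(f"unknown operation {op!r}")


def send(request):
    """Perform the network call; kept separate so the builder can be tested offline."""
    with urllib.request.urlopen(request) as resp:  # requires network and a real token
        return resp.status
```

Every caller goes through `build_member_request`, so a request for a group outside `ALLOWED_GROUPS` fails before any token is used, and the denial can be logged as a sign that something is asking for more than the application was designed to do.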