Active Directory中的管理员同意
[英]Administrator Consent in Active Directory
问题描述
I think I'm missing an understanding of a development process under Azure AD. 
我认为我缺少对Azure AD下开发过程的理解。 I develop a web app, that is authenticated via AD in our corp network, and uses some of our services (like Sharepoint and PowerBI). 我开发了一个Web应用程序,该应用程序通过公司网络中的AD进行了身份验证,并使用了我们的某些服务(例如Sharepoint和PowerBI)。
It seems like for some of the functionality of Sharepoint, I need administrator consent (In app permissions I had to set Admin: Required). 似乎对于Sharepoint的某些功能,我需要管理员同意(在应用程序权限中,我必须设置Admin:必需)。 When I try to go to my app (which is located on localhost), it displays this: 当我尝试转到我的应用程序(位于localhost上)时,它显示如下:
this application requires application permissions to another application.
Consent for application permissions can only be performed by an administrator.
Sign out and sign in as an administrator or
contact one of your organization's administrators.
As I understood a Global Administrator need to sign in into an application once, so other users (like me) could log in. But this workflow sounds faulty, I cannot ask our admin to go to my pc and sign in (I have a web app on localhost, so I cannot send him the link). 据我了解,全局管理员需要登录一次应用程序,以便其他用户(例如我)可以登录。但是此工作流程听起来有问题,我不能要求管理员进入我的电脑并登录(我有一个网站本地主机上的应用程序,因此我无法向他发送链接)。 Futhermore, what to do if he is located geographically in another place and just cannot go to my pc? 此外,如果他在地理位置上位于另一个地方而无法去我的电脑该怎么办? He is also not ready to give me global admin rights just because of this. 正因为如此,他也不准备授予我全球管理员权限。
This just sounds weird, and I feel like I simply missing something obvious. 这听起来很不可思议,但我觉得我只是缺少明显的东西。 How do people actually develop such things without asking IT to get to their PCs each time they change something in auth logic? 人们如何真正开发这样的东西,而不必每次更改身份验证逻辑中的任何内容时都要求IT进入他们的PC?
1 个解决方案
解决方案1
2 2016-11-03 17:32:09
I agree the UX is not phenomenal on this one. 我同意UX在这一方面并不出色。
Just logging in as an admin is not enough. 仅以管理员身份登录是不够的。 You have to be logging in with the prompt query parameter set to admin_consent . 您必须使用提示查询参数设置为admin_consent登录 。 At least when using the OAuth endpoint. 至少在使用OAuth端点时。
So you need to hit a URL such as https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&redirect_uri=your-encoded-reply-url&response_mode=form_post&response_type=code+id_token&prompt=admin_consent . 因此,您需要访问一个URL,例如https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&redirect_uri=your-encoded-reply-url&response_mode=form_post&response_type=code+id_token&prompt=admin_consent 。
Replace your-client-id with your app's client id, and your-encoded-reply-url with a valid reply URL for your app. 将your-client-id替换为应用程序的客户端ID,并将your-encoded-reply-url替换为应用程序的有效回复URL。 Also replace common with your tenant id/domain name if your app is not multi-tenant. 如果您的应用不是多租户,也请用租户ID /域名替换common 。
If you want to do it the easy way, use Vittorio's nifty form at his blog . 如果您想以简单的方式进行操作,请在他的Blog上使用Vittorio的漂亮形式。 Just enter the tenant id (or common), reply URL, and your app's client id, tick the admin consent checkbox and click Go. 只需输入租户ID(或公共ID),回复URL和您的应用程序的客户ID,勾选“管理员同意”复选框,然后单击“执行”即可。
And yes, you need to be an admin in Azure AD to do this, so ask your admin to do this. 是的,您需要成为Azure AD的管理员才能执行此操作,因此请您的管理员执行此操作。
EDIT: With the newest update to the Azure Portal came the ability to grant permissions from the portal directly. 编辑:通过Azure门户的最新更新,可以直接从门户授予权限。
If you go to Azure Active Directory in the new portal, find your app registration there and click Grant Permissions under the Required permissions blade. 如果您在新门户中转到Azure Active Directory,请在此处找到您的应用程序注册,然后在“必需的权限”刀片下单击“ 授予权限 ”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.