[英]How do I add required permissions to an Azure Active Directory (AAD) application using the Azure PowerShell SDK?
In my scenario, I'm attempting to automate creation of one of my AAD applications in order for it to make calls to another another WebAPI service (different AAD app) using the instructions laid out for Daemon processes here: 在我的方案中,我尝试自动执行一个AAD应用程序的创建,以使其使用针对此处Daemon流程的说明对另一个WebAPI服务(另一个AAD应用程序)进行调用:
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-daemon/ https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-daemon/
I've been able to automate creation of the AAD application and the required access key via PowerShell. 我已经能够通过PowerShell自动创建AAD应用程序和所需的访问密钥。
Here's how I create the application with the key added: 这是创建添加了密钥的应用程序的方法:
# Generate all the keys (secrets) for the AAD application.
$passwordCredentials = @()
foreach ($key in $activeDirectoryApplication.Keys.Key)
{
$keyKeyVaultName = $key.KeyVaultName
$keyName = $key.KeyVaultKeyName
$expiration = $key.Expiration
LogInfo "Generating key with key name '$keyName' into key vault '$keyKeyVaultName' with key expiry of '$expiration'."
$passwordCredential = GenerateActiveDirectoryApplicationKeyPasswordCredential $key
$passwordCredentials += $passwordCredential
PublishActiveDirectoryApplicationKeyToKeyVault $key $passwordCredential
}
$existingApplication = New-AzureRmADApplication -DisplayName $applicationName -HomePage $applicationHomePage -IdentifierUris @($applicationIdentifier) -PasswordCredentials $passwordCredentials
What I can't figure out is how to automate step 8 in the above link where it grants permissions to access the WebAPI application: 我不知道是如何自动执行上述链接中的步骤8,在该步骤中它授予访问WebAPI应用程序的权限:
- Configure Permissions for your application - in the Settings menu, choose the 'Required permissions' section, click on Add, then Select an API, and type 'TodoListService' in the textbox. 为您的应用程序配置权限-在“设置”菜单中,选择“所需权限”部分,单击“添加”,然后选择“ API”,然后在文本框中键入“ TodoListService”。 Then, click on Select Permissions and select 'Access TodoListService'. 然后,单击“选择权限”,然后选择“访问TodoListService”。
Does anyone know if this is possible with the Azure PowerShell SDK or do I need to do it some other way (maybe the AAD Graph API)? 有谁知道Azure PowerShell SDK是否可以做到这一点,还是我需要通过其他方式(也许是AAD Graph API)来做到这一点?
Thanks! 谢谢!
To assign permissions you would need to use New-AzureRmRoleAssignment
. 要分配权限,您将需要使用New-AzureRmRoleAssignment
。 That will allow you to assign permissions to an object (user\\group\\application) at a certain scope. 这将允许您在特定范围内为对象(用户\\组\\应用程序)分配权限。 if you need built-in role you are good to go. 如果您需要内置角色,那就很好了。 if you need to create a role use New-AzureRmRoleDefinition
. 如果您需要创建角色,请使用New-AzureRmRoleDefinition
。
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Classic storage reader"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.ClassicStorage/storageAccounts/read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxx")
New-AzureRmRoleDefinition -Role $role
Reading: 读:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroleassignment?view=azurermps-4.1.0 https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroleassignment?view=azurermps-4.1.0
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroledefinition?view=azurermps-4.1.0 https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroledefinition?view=azurermps-4.1.0
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.