[英]Powershell - Do “Grant Permissions” action on Azure AD Application with Powershell
I'm creating an Azure AD application using AzureAD module to call Microsoft Graph API.我正在使用 AzureAD 模块创建一个 Azure AD 应用程序来调用 Microsoft Graph API。 I can successfully generate the access token.
我可以成功生成访问令牌。 But, when I try to call the API I have an error "message": "Invalid scope claims/roles.".
但是,当我尝试调用 API 时,出现错误“消息”:“范围声明/角色无效。”。
When I click on "Grant Permissions" button in my created application in Azure Portal and retry the call to API, the call is working.当我在 Azure 门户中创建的应用程序中单击“授予权限”按钮并重试对 API 的调用时,调用正在工作。
I don't find anywhere how to do this "Grant Permissions" actions with Powershell.我在任何地方都找不到如何使用 Powershell 执行此“授予权限”操作的方法。 Is there a way to do that ?
有没有办法做到这一点?
Thanks谢谢
Damien达米安
There is an easy way to do this (as admin), it requires you have the AzureAD and AzureRM modules installed for Powershell and is not supported by Microsoft.有一种简单的方法可以做到这一点(以管理员身份),它需要您为 Powershell 安装 AzureAD 和 AzureRM 模块,并且 Microsoft 不支持。
Original post / reference to my blog is here: http://www.lieben.nu/liebensraum/2018/04/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently/原始帖子/参考我的博客在这里: http : //www.lieben.nu/liebensraum/2018/04/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-无人值守/
The specific code sample that should help you accomplish this:应该可以帮助您完成此操作的特定代码示例:
Function Grant-OAuth2PermissionsToApp{
Param(
[Parameter(Mandatory=$true)]$Username, #global administrator username
[Parameter(Mandatory=$true)]$Password, #global administrator password
[Parameter(Mandatory=$true)]$azureAppId #application ID of the azure application you wish to admin-consent to
)
$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
$res = login-azurermaccount -Credential $mycreds
$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'X-Requested-With'= 'XMLHttpRequest'
'x-ms-client-request-id'= [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()}
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"
Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop
}
I came across the same error 'Refresh token is malformed'
.我遇到了同样的错误
'Refresh token is malformed'
。 When reading out the refreshtoken the token was twice in the string.读出 refreshtoken 时,字符串中的令牌两次。 Resolved it by adding the line
通过添加行解决它
$refreshtoken = $refreshtoken.Split("`n")[0]
If I am not wrong, then it is using "Admin Consent".如果我没有错,那么它正在使用“管理员同意”。 In that case, you should be using
&prompt=admin_consent
in the auth request directly.在这种情况下,您应该直接在身份验证请求中使用
&prompt=admin_consent
。
If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn't able to consent.如果您的应用程序请求仅限应用程序的权限并且用户尝试登录该应用程序,则会显示一条错误消息,指出用户无法同意。
Whether or not a permission requires admin consent is determined by the developer that published the resource, and can be found in the documentation for the resource.权限是否需要管理员同意由发布资源的开发人员决定,可以在资源的文档中找到。
Link: Multi-tenant App pattern链接: 多租户应用模式
List of Available permissions for the Azure AD Graph API and Microsoft Graph API are Azure AD Graph API 和 Microsoft Graph API 的可用权限列表是
Graph API Permission Scopes 图 API 权限范围
Hope it helps.希望能帮助到你。
This answer builds on top of Jos's answer.这个答案建立在乔斯的答案之上。
Active Directory Authentication library doesn't make the refresh tokens publicly available anymore. Active Directory 身份验证库不再公开提供刷新令牌。 More information can be found in github/azure-powershell/7525 .
更多信息可以在github/azure-powershell/7525 中找到。
The modified snippet below worked for me下面修改后的片段对我有用
Connect-AzAccount
$context = Get-AzContext
$tenantId = $context.Tenant.TenantId
Connect-AzureAD -TenantId $tenantId -AccountId $context.Account.Id
$appId = 'Your Application ID'
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $tenantId, $null, "Never", $null, "74658136-14ec-4630-ad9b-26e160ff0fc6")
$headers = @{
'Authorization' = 'Bearer ' + $token.AccessToken
'X-Requested-With'= 'XMLHttpRequest'
'x-ms-client-request-id'= [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()}
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$appId/Consent?onBehalfOfAll=true"
Invoke-RestMethod -Uri $url -Headers $headers -Method POST -ErrorAction Stop
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.