堆栈内存溢出
  简体   繁体   English

Azure 应用注册 - 范围和权限

[英]Azure App Registration - scopes and permissions

 原文  2020-03-05 22:14:21       azure/ azure-active-directory/ microsoft-graph-api/ azure-ad-graph-api

问题描述

I have a windows service app which needs to authenticate with Azure AD for multiple service accounts...each instance will have a different service account.我有一个 Windows 服务应用程序,它需要使用 Azure AD 对多个服务帐户进行身份验证……每个实例都有一个不同的服务帐户。 (say I have 3 instances on 3 different servers with 3 different service accounts - S1, S2, S3). (假设我在 3 个不同的服务器上有 3 个实例,具有 3 个不同的服务帐户 - S1、S2、S3)。 This service reads from a shared email address (each instance has it's own shared email E1 for S1, E2 for S2 and E3 for S3) using Microsoft Graph API.此服务使用 Microsoft Graph API 从共享电子邮件地址(每个实例都有自己的共享电子邮件 E1 用于 S1、E2 用于 S2 和 E3 用于 S3)读取。

What kind of permissions or setup do I need in Azure App Registration in order for S1 to read E1 (and not be able to read others), S2 for E2 and S3 for E3 only.我在 Azure 应用注册中需要什么样的权限或设置才能让 S1 读取 E1(而不能读取其他),S2 读取 E2,S3 仅读取 E3。

I am thinking to register the App in a Single Tenant and adding 3 owners S1, S2, S3.我想在单个租户中注册该应用程序并添加 3 个所有者 S1、S2、S3。 So the service account authenticates silently using user\\pass and reads from the shared email.因此,服务帐户使用 user\\pass 静默验证并从共享电子邮件中读取。 Scope should be set to Mail.Read.Shared.范围应设置为 Mail.Read.Shared。

An admin user will consent for the needed permissions...since there is no UI for it.管理员用户将同意所需的权限......因为它没有 UI。

Is this the correct setup?这是正确的设置吗?

1 个解决方案

解决方案1
 0 已采纳  2020-03-06 03:11:08

From a design perspective, your idea is correct.从设计的角度来看,你的想法是正确的。

In addition to Mail.Read.Shared , you may also need basic delegation permissions Mail.ReadBasic and Mail.Read to read emails.除了Mail.Read.Shared ,您可能还需要基本的委派权限Mail.ReadBasicMail.Read来阅读电子邮件。

Because you want S1 to read E1 (and not be able to read others), you should implement Get access on behalf of a user .因为您希望 S1 读取 E1(并且不能读取其他),所以您应该代表用户实现Get 访问 Thus S1 could only access its own shared email.因此 S1 只能访问它自己的共享电子邮件。

Of course password flow should be also suitable for this scenario.当然密码流也应该适合这种场景。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 限制 Azure 中的应用注册权限 - Restrict App Registration permissions in Azure Azure 应用注册与 Microsoft Graph 权限异常 - Azure app registration with Microsoft Graph permissions anomaly 无法在Azure Active Directory应用程序注册中设置Microsoft Graph权限 - Not able to set Microsoft Graph permissions in Azure Active Directory App Registration 使用 Azure 应用注册向 Office 365 管理 API 授予权限 - Issue granting permissions with Azure App Registration to Office 365 Management API 如何限制 Azure 应用注册的 Microsoft Graph 权限? - How to limit Microsoft Graph permissions for an Azure app registration? 使用应用注册更改 Azure VM 本地管理员密码的权限 - Permissions to change Azure VM Local Admin Password using App Registration 如何使用PowerShell向Azure App注册添加Api权限 - How to Add Api Permissions to an Azure App Registration using PowerShell Azure AD App 注册通过 Powershell:如何确保正确的权限? - Azure AD App Registration via Powershell: How to ensure the proper permissions? 如何通过 PowerShell 使用 azure-AD 模块导出分配给 azure 应用注册的委派权限 - How to export delegated permissions assigned to azure app registration using azure-AD module via PowerShell Azure AD 范围、权限和令牌如何与公开 API 一起工作? - How Azure AD scopes, permissions and tokens work with exposing API?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM