堆栈内存溢出
  简体   繁体   English

Microsoft graph API:应用程序权限授予(应用程序角色)(不通过 Oauth2PermissionGrants 委托)

[英]Microsoft graph API: permission grant for application (app roles) (NOT delegate via Oauth2PermissionGrants)

 原文  2022-02-11 04:43:51       azure-active-directory/ microsoft-graph-api/ microsoft-graph-sdks

问题描述

We are using the Microsoft graph API (.net SDK).我们正在使用 Microsoft graph API (.net SDK)。

We know that we can use GraphServiceClient.Oauth2PermissionGrants for delegated grant (in Azure AD app it's "Expose an API").我们知道我们可以使用 GraphServiceClient.Oauth2PermissionGrants 进行委托授权(在 Azure AD 应用程序中它是“公开 API”)。

But when it comes to granting admin consent for application type (via app role of other applications), like below:但是,当涉及到为应用程序类型授予管理员同意时(通过其他应用程序的应用程序角色),如下所示: 在此处输入图像描述

In the portal, we can just click "Grant admin consent for XXXX".在门户中,我们只需单击“Grant admin consent for XXXX”。

I could not figure out how to GraphServiceClient.PermissionGrants does not seem to be the one we are after.我无法弄清楚如何 GraphServiceClient.PermissionGrants 似乎不是我们所追求的。

1 个解决方案

解决方案1
 3  2022-02-11 07:43:14

Googled around, found the related answer Azure OAuth: Unable to programmatically create app with admin consent for permissions , which leads me to the actual API used https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignedto?view=graph-rest-1.0&tabs=csharp谷歌搜索,找到相关答案Azure OAuth: Unable to programmatically create app with admin consent for permissions ,这让我找到了实际使用的API https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post -approleassignedto?view=graph-rest-1.0&tabs=csharp

In a nutshell, use app role assignment via AppRoleAssignedTo:简而言之,通过 AppRoleAssignedTo 使用应用程序角色分配:

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var appRoleAssignment = new AppRoleAssignment
{
    PrincipalId = Guid.Parse("THE-OBJECT-ID-OF-THE-PRINCIPAL-OF-THE-AZURE-AD-APPLICATION-THAT-NEEDS-ACCESS"),
    ResourceId = Guid.Parse("THE-OBJECT-ID-OF-THE-PRINCIPAL-OF-THE-AZURE-AD-APPLICATION-THAT-HAS-THE-APP-ROLE-DEFINED"),
    AppRoleId = Guid.Parse("THE-ID-OF-THE-APP-ROLE-DEFINED-IN-THE-RESOURCE-ID-ABOVE")
};

await graphClient.ServicePrincipals["THE-OBJECT-ID-OF-THE-PRINCIPAL-OF-THE-AZURE-AD-APPLICATION-THAT-HAS-THE-APP-ROLE-DEFINED"].AppRoleAssignedTo
    .Request()
    .AddAsync(appRoleAssignment);

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Microsoft Graph API 角色声明未在令牌中但已添加应用程序权限 - Microsoft Graph API roles claim not in token but Application permissions added Microsoft Graph API 应用程序 Collections - Microsoft Graph API Application Collections Microsoft Graph oauth2 错误 AADSTS900144:请求正文必须包含以下参数“授权类型” - Microsoft Graph oauth2 error AADSTS900144: the request body must contain the following parameter "grant type" 尝试通过调用 Microsoft Graph API - /applications 将 Azure 虚拟桌面 RBAC 中定义的委派权限范围添加到 AAD 应用程序注册 - Trying to add delegated permission scopes defined in Azure Virtual Desktop RBAC to AAD App registration by calling Microsoft Graph API - /applications 基于 IP 地址限制对 Microsoft Graph 的访问,使用应用程序级身份验证和多租户应用程序 - Restricting access to Microsoft Graph based on IP address, using application level auth and multi-tenanted app 如何在没有企业应用程序客户端密钥的情况下刷新 Microsoft Graph API 的令牌? - How to refresh the token of Microsoft Graph API without Client Secret for an Enterprise App? Microsoft Graph 更新 App Registration Approles API 补丁方法总是返回无法读取 JSON 请求负载 - Update App Registration Approles by Microsoft Graph API Patch method returns always Unable to read JSON request payload Microsoft Graph API - 用户增量查询挑战 - Microsoft Graph API - User Delta Query Challenges 是否可以通过 Powershell 将 Microsoft Graph 委托权限添加到 Azure AD 应用程序? - Is it possible to add Microsoft Graph delegated permissions to Azure AD app via Powershell? 使用具有 Sites.Read.All 权限的托管标识向 Microsoft Graph Search API 发出 POST 请求时出现 401 Unauthorized - 401 Unauthorized when making a POST request to Microsoft Graph Search API using managed identity with Sites.Read.All permission
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM