Microsoft Graph API: permission grant for application (app roles) (NOT delegate via Oauth2PermissionGrants)
We are using the Microsoft Graph API (.NET SDK).
We know that we can use GraphServiceClient.Oauth2PermissionGrants for delegated grants (in an Azure AD app it's "Expose an API").
But when it comes to granting admin consent for application type (via app role of other applications), like below:
In the portal, we can just click "Grant admin consent for XXXX".
I could not figure out how to. GraphServiceClient.PermissionGrants does not seem to be the one we are after.
Googled around, found the related answer "Azure OAuth: Unable to programmatically create app with admin consent for permissions", which leads me to the actual API used: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignedto?view=graph-rest-1.0&tabs=csharp
In a nutshell, use app role assignment via AppRoleAssignedTo:
    GraphServiceClient graphClient = new GraphServiceClient( authProvider );

    // All three IDs are object IDs / role IDs, not application (client) IDs.
    var appRoleAssignment = new AppRoleAssignment
    {
        PrincipalId = Guid.Parse("THE-OBJECT-ID-OF-THE-PRINCIPAL-OF-THE-AZURE-AD-APPLICATION-THAT-NEEDS-ACCESS"),
        ResourceId = Guid.Parse("THE-OBJECT-ID-OF-THE-PRINCIPAL-OF-THE-AZURE-AD-APPLICATION-THAT-HAS-THE-APP-ROLE-DEFINED"),
        AppRoleId = Guid.Parse("THE-ID-OF-THE-APP-ROLE-DEFINED-IN-THE-RESOURCE-ID-ABOVE")
    };

    // The assignment is created on the resource service principal (same ID as ResourceId above).
    await graphClient.ServicePrincipals["THE-OBJECT-ID-OF-THE-PRINCIPAL-OF-THE-AZURE-AD-APPLICATION-THAT-HAS-THE-APP-ROLE-DEFINED"].AppRoleAssignedTo
        .Request()
        .AddAsync(appRoleAssignment);
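
The snippet above needs three object IDs that are usually not at hand. The following is an added example, not code from the original post or from Microsoft: it resolves them from the two application (client) IDs and the role's value, and skips the POST when the assignment already exists. It assumes the same Microsoft.Graph SDK generation as above (the `.Request()` style); `AppRoleGrant`, `GrantAsync` and `FindServicePrincipalAsync` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class AppRoleGrant // hypothetical helper class, not part of the SDK
{
    public static async Task<AppRoleAssignment> GrantAsync(
        GraphServiceClient graphClient, Guid clientAppId, Guid resourceAppId, string roleValue)
    {
        var client = await FindServicePrincipalAsync(graphClient, clientAppId);
        var resource = await FindServicePrincipalAsync(graphClient, resourceAppId);

        // Grant only a role that is enabled and declared for applications,
        // and fail loudly if the name is missing or ambiguous.
        var role = resource.AppRoles.Single(r =>
            r.Value == roleValue && r.IsEnabled == true &&
            r.AllowedMemberTypes.Contains("Application"));

        var principalId = Guid.Parse(client.Id);
        var resourceAssignments = graphClient.ServicePrincipals[resource.Id].AppRoleAssignedTo;

        // Walk every page of existing assignments so a repeated run does not POST a duplicate.
        var page = await resourceAssignments.Request().GetAsync();
        while (page != null)
        {
            var match = page.FirstOrDefault(a =>
                a.PrincipalId == principalId && a.AppRoleId == role.Id);
            if (match != null) return match;
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }

        return await resourceAssignments.Request().AddAsync(new AppRoleAssignment
        {
            PrincipalId = principalId,
            ResourceId = Guid.Parse(resource.Id),
            AppRoleId = role.Id
        });
    }

    // Taking a Guid (not a string) keeps caller input out of the OData filter text.
    private static async Task<ServicePrincipal> FindServicePrincipalAsync(
        GraphServiceClient graphClient, Guid appId)
    {
        var page = await graphClient.ServicePrincipals.Request()
            .Filter($"appId eq '{appId}'")
            .GetAsync();
        return page.Single();
    }
}
```

Because an app role assignment takes effect without any user signing in, passing the role by its exact value and letting `Single` throw on a mismatch keeps the grant limited to the one permission that was reviewed.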