[英]Is it possible to add Microsoft Graph delegated permissions to Azure AD app via Powershell?
I registered an application in Azure AD from PowerShell using the below script.我使用以下脚本在 Azure AD 从 PowerShell 注册了一个应用程序。
//To create new application
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.AppId
//To set ApplicationID URI
Set-AzureADApplication -ApplicationId $myappId -IdentifierUris "api://$myappId"
//To retrieve details of new application
Get-AzureADApplication -Filter "DisplayName eq $myapp"
Now I want to set delegated API permissions(Calendars.Read, Application.Read.All, Directory.Read.All) for this app.现在我想为此应用程序设置委托 API 权限(Calendars.Read、Application.Read.All、Directory.Read.All)。
From Azure Portal, I know how to assign these.从Azure 传送门,我知道如何分配这些。 But is it possible to add these permissions via PowerShell?
但是可以通过 PowerShell 添加这些权限吗? If yes, can anyone help me with the script or cmdlets?
如果是,谁能帮我处理脚本或 cmdlet?
Any help will be appreciated.任何帮助将不胜感激。 Thank you.
谢谢你。
Yes, it's possible to set delegated API permissions via PowerShell是的,可以通过PowerShell设置委托 API 权限
Initially, please note AppID of new application that can be retrieved by below cmdlet:最初,请注意可以通过以下 cmdlet 检索的新应用程序的AppID :
Get-AzureADApplication -Filter "DisplayName eq $myapp"
Check whether you have Service Principal named " Microsoft Graph " using below cmdlet:使用以下 cmdlet 检查您是否有名为“ Microsoft Graph ”的服务主体:
Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
In order to assign API permissions via PowerShell, you should know the GUIDs of those delegated permissions that can be displayed using below cmdlet:为了通过 PowerShell 分配 API 权限,您应该知道可以使用以下 cmdlet 显示的那些委派权限的GUID :
$MSGraph.Oauth2Permissions | FT ID, Value
Note the IDs of required permissions like Calendars.Read, Application.Read.All and Directory.Read.All记下所需权限的 ID,例如 Calendars.Read、Application.Read.All 和 Directory.Read.All
Please find the complete script below:请在下面找到完整的脚本:
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.ObjectId
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$MSGraph.Oauth2Permissions | FT ID, Value
# Create a Resource Access resource object and assign the service principal’s App ID to it.
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
# Create a set of delegated permissions using noted IDs
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "c79f8feb-a9db-4090-85f9-90d820caa0eb","Scope"
$Per2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42","Scope"
$Per3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"
$Graph.ResourceAccess = $Per1, $Per2, $Per3
# Set the above resource access object to your application ObjectId so permissions can be assigned.
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph
Reference:参考:
How to assign Permissions to Azure AD App by using PowerShell? 如何使用PowerShell给Azure AD App分配权限?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.