Setting Azure AD Microsoft Graph Email API/Permission in Terraform

I am provisioning some Azure infrastructure using Terraform. Included in the setup requirement is some configuration of an Azure AD registered app, and this requires the following Microsoft Graph permissions to be granted (see image below):

  • GroupMember.Read.All
  • email (OpenId)


Within my Terraform configuration, I have the below code snippet included in my resource "azuread_application" block, within the required_resource_access sub-block. For the resource_access ids, I have used the values provided on this Microsoft page - https://learn.microsoft.com/en-us/graph/permissions-reference .


My Terraform configuration is currently able to successfully add the GroupMember.Read.All permission, but somehow it fails to add the required Email permission as depicted in the screenshot below, displaying the GUID reference instead of the actual name "email".

What I'd also like to be able to do in my Terraform configuration is to grant admin consent for both API/Permissions (depicted in the rightmost column).


Any tips on how I can achieve all of the above?


For the permission type, Scope corresponds to the Delegated permission type, while Role is the Application type.

The email OpenID scope is a Delegated permission type, so you need to change the permission type from Role to Scope.

resource_access {
    # "email" delegated permission (OpenID Connect scope) on Microsoft Graph
    id   = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"
    # Delegated permissions are "Scope"; application permissions are "Role"
    type = "Scope"
}
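The following is an added example, not code from the original question or answer. It shows the full azuread_application block with both permissions typed correctly, plus the two resources that record admin consent for each permission type, which the answer above does not cover. It assumes the hashicorp/azuread provider v3.x (the client_id attribute names follow that version; v2.x used application_id), and the display name "example-app" and resource names are placeholders. The Microsoft Graph permission IDs are looked up by name from the tenant's Microsoft Graph service principal instead of being hard-coded.

```hcl
# Added example (not from the original post). Assumes hashicorp/azuread v3.x.
# Well-known application IDs, including Microsoft Graph ("MicrosoftGraph").
data "azuread_application_published_app_ids" "well_known" {}

# Microsoft Graph's service principal in this tenant. It exposes the permission
# GUIDs keyed by name, so the IDs from the permissions reference need not be
# copied by hand.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

resource "azuread_application" "example" {
  display_name = "example-app" # placeholder name

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]

    # Application permission: type must be "Role".
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["GroupMember.Read.All"]
      type = "Role"
    }

    # Delegated (OpenID Connect) permission: type must be "Scope".
    # Declaring it as "Role" is what makes the portal show a bare GUID
    # instead of the name "email".
    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["email"]
      type = "Scope"
    }
  }
}

# Consent is recorded against a service principal, so the app needs one.
resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

# Admin consent for the application permission (Role): an app role assignment
# of the app's service principal on the Microsoft Graph service principal.
resource "azuread_app_role_assignment" "groupmember_read_all" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["GroupMember.Read.All"]
  principal_object_id = azuread_service_principal.example.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# Admin consent for the delegated permission (Scope): a tenant-wide
# oauth2PermissionGrant for the "email" claim.
resource "azuread_service_principal_delegated_permission_grant" "email" {
  service_principal_object_id          = azuread_service_principal.example.object_id
  resource_service_principal_object_id = data.azuread_service_principal.msgraph.object_id
  claim_values                         = ["email"]
}
```

Two points worth checking before relying on this. First, the identity that runs terraform apply is the one granting tenant-wide consent, so it needs a directory role that can consent to application permissions (for example Privileged Role Administrator or Global Administrator), and that pipeline credential should be treated as highly privileged and scoped to as few workspaces as possible. Second, GroupMember.Read.All as an application permission lets the app enumerate every group's membership in the tenant without a signed-in user, so confirm that the application role assignment, and not only the delegated grant, is actually required before applying it.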

Disclaimer: the technical posts on this site are licensed under CC BY-SA 4.0. If you need to republish, please cite this site's URL or the original source. For any questions contact: yoyou2525@163.com.
