stackoom
  简体   繁体   中英

How to grant admin consent to an Azure AAD app in Powershell?

 原文  2020-08-21 20:20:30       azure/ powershell/ authentication/ active-directory

Question

I'm trying to authenticate an Azure Web App using Azure Active directory. I have taken the following steps, so far:

1- Through Azure portal, I have created an app registration in AAD, and assigned it to the web app following the instructions from here .

2- I assigned some users to my app using New-AzureADGroupAppRoleAssignment cmdlet , and then set user assignment as a requirement, using set-AzureADServicePrincipal -AppRoleAssignmentRequired $true

This works as expected: the users who are not assigned to the app, see an "access denied" page, and the ones who are, see a prompt page for "Admin consent".

The problem is there is no links in the admin consent prompt for them to request it. I tried to follow the instructions from here , but I don't have access to the AAD through the portal. I can only do this through Powershell.

If you know of the Powershell cmdlet for setting this link (or to change the admin consent to user consent), I would be grateful if you could post it here.

3 answers

solution1
 2  2020-08-22 04:44:46

You have two choices. Admin consent can be granted if you have global admin permission via the portal or the AZ cli. The easiest way is via the portal. Just go to AAD, app registrations, then find your app. Go to the permissions blade. You should see a consent button. I don't remember the AZ cli command off the top of my head, but it's probably easier to just do it in the portal.

solution2
 2 ACCPTED  2020-08-24 03:11:26

There is no command to grant admin consent in PowerShell currently, in your case, if you can access Azure AD with powershell, I think you can also access it via Azure CLI.

So my workaround is to use az ad app permission admin-consent in Azure CLI, it is an equivalent of the admin consent button in the portal.

Make sure you have installed the Azure CLI , use az login to login the user account or service principal which is the admin in your AAD tenant, then run the command below.

az ad app permission admin-consent --id <application-id>

solution3
 2  2020-11-11 11:32:59

After trying to get this to work with a Service Principal, which it turns out isn't possible as this can only be executed by a User account az ad app permission admin-consent --id <application-id> will be depricated in a future release as discussed on this Issue thread:

https://github.com/Azure/azure-cli/issues/12137

The advised way to grant admin consent to API's is now:

az ad app permission grant --id 46eb4122-bd2b-4f54-af7b-6d79b46ee31a 
                           --api 00000003-0000-0000-c000-000000000000
                           --scope "Directory.Read.All Directory.ReadWrite.All"

Microsoft Docs: az ad app permission grant

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Grant Admin Consent in Azure Grant Admin Consent to Azure Application for GraphAPI Permissions Powershell How an Azure AD Administrator can grant permission to a local app to certain users without giving admin consent? How can I grant consent to my own app in azure, in case I am not global admin in tenant? How to grant admin permission to AAD users in Azure SQL Server Azure Grant admin consent for Arcadis not editable How to verify Admin consent for AAD Application? How to consent an app and its dependent services in AAD How to grant permission scope to an Azure App in Powershell? Azure AD Admin Consent via PowerShell?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM