[英]How to get permissions in Azure Active Directory Application?
[英]How to add Owners to an Azure Active Directory Application
我正在通过以下代码注册AAD应用程序
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await GetAppTokenAsync());
Application application = new Application()
{
AvailableToOtherTenants = false,
DisplayName = appName,
ErrorUrl = null,
GroupMembershipClaims = null,
Homepage = "http://"+appName,
IdentifierUris = new List<string>() { "https://"+appName },
KeyCredentials = new List<KeyCredential>(),
KnownClientApplications = new List<Guid>(),
LogoutUrl = null,
Oauth2AllowImplicitFlow = false,
Oauth2AllowUrlPathMatching = false,
Oauth2Permissions = new List<OAuth2Permission>(),
Oauth2RequirePostResponse = false,
// PasswordCredentials = new List<PasswordCredential>(),
PasswordCredentials = new List<PasswordCredential>(),
PublicClient = false,
ReplyUrls = new List<string>(),
// RequiredResourceAccess = new List<RequiredResourceAccess>(),
RequiredResourceAccess = new List<RequiredResourceAccess>(),
SamlMetadataUrl = null,
ExtensionProperties = new List<ExtensionProperty>(),
Manager = null,
ObjectType = "Application",
DeletionTimestamp = null,
CreatedOnBehalfOf = null,
CreatedObjects = new List<DirectoryObject>(),
DirectReports = new List<DirectoryObject>(),
Members = new List<DirectoryObject>(),
MemberOf = new List<DirectoryObject>(),
Owners = new List<DirectoryObject>(),
OwnedObjects = new List<DirectoryObject>(),
Policies = new List<DirectoryObject>()
};
我还有一个类型为Microsoft.Azure.ActiveDirectory.GraphClient.User的对象,其中包含要添加为应用程序所有者的User的所有信息。
我怎样才能做到这一点?
我尝试的方式就是这样做
activeDirectoryClient.Applications.AddApplicationAsync(application).Wait();
ServicePrincipal newServicePrincpal = new ServicePrincipal();
if (application != null)
{
newServicePrincpal.DisplayName = application.DisplayName;
newServicePrincpal.AccountEnabled = true;
newServicePrincpal.AppId = application.AppId;
newServicePrincpal.Owners.Add(user);
try
{
activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincpal).Wait();
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
但是,当我在Azure门户中手动导航到应用程序时,出现的唯一所有者是我自己的帐户,而不是我在用户变量中获得的其他帐户
知道如何将其他所有者添加到应用程序吗?
我也可以重现此问题。 此问题的根本原因是,Azure AD Graph库在尝试创建服务主体时不提供所有者信息。
如果要添加服务主体的所有者,则可以在创建服务主体后使用以下代码:
var activeDirectoryClient = GraphHelper.CreateGraphClient();
var sp = (ServicePrincipal)activeDirectoryClient.ServicePrincipals.GetByObjectId("4af8365b-1b49-481c-8c47-7b3fab5611fc").ExecuteAsync().Result;
var user = new Users().GetUserByUserName(activeDirectoryClient, "user2@adfei.onmicrosoft.com").Result;
sp.Owners.Add(user);
sp.UpdateAsync();
如果要添加application的所有者,请参考以下代码:
var activeDirectoryClient = GraphHelper.CreateGraphClient();
var app = (Application)activeDirectoryClient.Applications.GetByObjectId("bd87934b-dd4f-446a-a025-7675d1b2464a").ExecuteAsync().Result;
var user = new Users().GetUserByUserName(activeDirectoryClient, "user2@adfei.onmicrosoft.com").Result;
app.Owners.Add(user);
app.UpdateAsync();
有关应用程序和服务主体之间区别的更多详细信息,请检查此文档 。
而且,如果您希望Graph客户端库在创建所有者时支持添加所有者,则可以尝试从此处提交反馈。
public static ActiveDirectoryClient CreateGraphClient()
{
string accessToken = "";
string tenantId= "";
string graphResourceId = "https://graph.windows.net";
Uri servicePointUri = new Uri(graphResourceId);
Uri serviceRoot = new Uri(servicePointUri, tenantId);
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await Task.FromResult(accessToken));
return activeDirectoryClient;
}
添加一个runalbe代码示例以添加服务主体的所有者: https : //github.com/VitorX/AddServicePrincipalWithOwner
在运行完上面的代码示例之后,您可以使用如下所示的Fiddler捕获结果。 通过创建服务主体的响应,我们可以获得服务主体的对象ID:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.