![](/img/trans.png)
[英]Is it possible to assign roles and scopes to a newly created app using a Service Principal in PowerShell?
[英]Using Microsoft Graph SDK for Powershell to Assign Role to App Service Principal?
I am using https://github.com/microsoftgraph/msgraph-sdk-powershell , as I need Powershell 7 support for my script, the AzureAD module has a ton of issues in anything but Powershell 5 on Windows I am finding. 基本上,我正在嘗試在 B2C 租戶中創建應用程序注冊。 我遇到的問題是我的腳本看起來不錯,但我無法授予任何管理員對定義的任何范圍的同意。 然后我注意到了這個問題 - 當您在門戶中創建應用程序注冊時,它會自動獲取服務主體,而New-MgApplication
不會這樣做。
我有下面的腳本可以工作,直到我嘗試使用New-MgServicePrincipalAppRoleAssignment
將服務主體分配給我的應用程序,它在那里出現錯誤: New-MgServicePrincipalAppRoleAssignment_CreateExpanded: Not a valid reference update.
我不確定這是否是適合我需要的 function,或者New-MgRoleManagementDirectoryRoleAssignment
是否是正確的 function。
function Upsert-AppRegistration {
Param(
[string] $TemplateParametersFile,
[string] $ResourceGroupName
)
$templateParameters = Get-Content $TemplateParametersFile | ConvertFrom-Json
$customerName = $templateParameters.parameters.customerName.value
$deploymentIdentifier = $templateParameters.parameters.deploymentIdentifier.value
$b2cTenantId = $templateParameters.parameters.b2cTenantId.value
$b2cTenantName = $templateParameters.parameters.b2cTenantName.value
$GraphConnection = Connect-Graph -TenantId $b2cTenantId -Scopes "User.Read","User.ReadWrite.All","Mail.ReadWrite",`
"Directory.ReadWrite.All","Chat.ReadWrite", "People.Read", `
"Group.Read.All", "Directory.AccessAsUser.All", "Tasks.ReadWrite", `
"Sites.Manage.All"
[string[]]$webRedirectUris =
"https://localhost:5050/LoginView",
"https://localhost:5050/DashboardView",
"https://localhost:5050/UsersView",
"https://localhost:5050/OrdersView"
# Our custom app.login scope for delegated permissions from front-end login
$oauth2PermissionScopes = @{
"Id" = [guid]::NewGuid().guid
"Value" = "app.login"
"AdminConsentDescription" = "This will provide the application access to login"
"AdminConsentDisplayName" = "Admin delegated login"
"IsEnabled" = $true
"Type" = "Admin"
}
[object[]]$appLoginScope = @{
"Id" = $oauth2PermissionScopes.Id
"Type" = "Scope"
}
# Microsoft.Graph ResourceAccess scopes and roles
$mgOfflineAccessScope = @{
"Id" = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"
"Type" = "Scope"
}
$mgOpenidScope = @{
"Id" = "37f7f235-527c-4136-accd-4a02d197296e"
"Type" = "Scope"
}
$mgDirectoryReadWriteAllRole = @{
"Id" = "19dbc75e-c2e2-444c-a770-ec69d8559fc7"
"Type" = "Role"
}
$mgResourceAccess = $mgOfflineAccessScope, $mgOpenidScope, $mgDirectoryReadWriteAllRole
[object[]]$requiredResourceAccess = @{
"ResourceAppId" = "00000003-0000-0000-c000-000000000000"
"ResourceAccess" = $mgResourceAccess
}
$mgApplicationParams = @{
"DisplayName" = "${customerName}-${deploymentIdentifier}"
"ApiOauth2PermissionScopes" = $oauth2PermissionScopes
"ApiRequestedAccessTokenVersion" = 2
"ImplicitGrantSettingEnableAccessTokenIssuance" = $true
"ImplicitGrantSettingEnableIdTokenIssuance" = $true
"RequiredResourceAccess" = $requiredResourceAccess
"WebLogoutUrl" = "https://localhost:5050/LogoutView"
"WebRedirectUris" = $webRedirectUris
"IdentifierUris" = "https://$b2cTenantName.onmicrosoft.com/app"
}
# We need to create our application before we can add permissions to our custom scope
$mgApplication = New-MgApplication @mgApplicationParams
# Now our application has an Id so we can finish setting up the RequiredResourceAccess
$newRequiredResourceAccess = $requiredResourceAccess + @{
"ResourceAppId" = $mgApplication.AppId
"ResourceAccess" = $appLoginScope
}
# Azure doesn't always update immediately, make sure app exists before we try to update its config
$appExists = $false
while (!$appExists) {
Start-Sleep -Seconds 2
$appExists = Get-MgApplication -ApplicationId $mgApplication.Id
}
$mgApplicationParams.Add("ApplicationId", $mgApplication.Id)
$mgApplicationParams.RequiredResourceAccess = $newRequiredResourceAccess
Update-MgApplication @mgApplicationParams
$appServicePrincipal = New-MgServicePrincipal -AppId $mgApplication.AppId -Tags @("WindowsAzureActiveDirectoryIntegratedApp")
$result = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServicePrincipal.Id `
-AppRoleId 19dbc75e-c2e2-444c-a770-ec69d8559fc7 `
-ResourceId 429a2356-9cdc-475e-8caf-cfe8b7c77db8 `
-PrincipalType "ServicePrincipal"
# @TODO Generate app client secret
$appClientSecret = "--SECRET--"
Write-Host "Created the app registration ${customerName}-${deploymentIdentifier} with client Id:",
$mgApplication.AppId -ForegroundColor Yellow
@{
"appClientId" = $mgApplication.AppId
"appClientSecret" = $appClientSecret
}
}
事實證明,我不需要為我的服務主體分配一個角色,它就可以正常工作並且一切都可以正確顯示。 這是 Azure 的 UI 滯后和關鍵是在服務主體中添加標簽的組合,當我發布此內容時,我還沒有測試過。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.