Granting admin consent to API permissions through a PowerShell script

Problem description:

I have code in the PowerShell Az module to create an appID and app secret and assign API permissions. How do I grant admin consent to all the API permissions that I assigned to the AzApp?

...
$context = Get-AzContext
$ResourceAppIdURI = "https://graph.windows.net/"
# Token for the legacy Azure AD Graph API, which is what the PATCH on the application object below uses
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $ResourceAppIdURI).AccessToken

$headers = @{ }
$headers.Add("Content-Type", "application/json")
$headers.Add("Accept", "application/json")
$headers.Add("Authorization", "Bearer $($token)")

$objectID = $myApp.ObjectId   # object id of the application registration created earlier
# $tenant is an object (see $tenant.Id below), so its Id must be used in the URL, not the object itself
$url = "https://graph.windows.net/$($tenant.Id)/applications/{0}?api-version=1.6" -f $objectID
Write-Host "URL: " $url

# requiredResourceAccess only declares the permissions in the app manifest; it does not grant consent.
# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph. Permission ids:
#   e1fe6dd8-... = User.Read (delegated, type Scope)
#   7ab1d382-... = Directory.Read.All, 5b567255-... = Group.Read.All,
#   e2a3a72e-... = User.ReadWrite.All, df021288-... = User.Read.All (application, type Role)
$postData = "{`"requiredResourceAccess`":[
    {`"resourceAppId`":`"00000003-0000-0000-c000-000000000000`",
    `"resourceAccess`":[
        {`"id`":`"e1fe6dd8-ba31-4d61-89e7-88639da4683d`",`"type`":`"Scope`"},
        {`"id`":`"7ab1d382-f21e-4acd-a863-ba3e13f7da61`",`"type`":`"Role`"},
        {`"id`":`"5b567255-7703-4780-807c-7be8301ae99b`",`"type`":`"Role`"},
        {`"id`":`"e2a3a72e-5f79-4c64-b1b1-878b674786c9`",`"type`":`"Role`"},
        {`"id`":`"df021288-bdef-4463-88db-98f22de89214`",`"type`":`"Role`"}
        ]
    }]
}";
Invoke-RestMethod -Uri $url -Method "PATCH" -Headers $headers -Body $postData

Write-Host "App created..."
Write-Host "AppID: " $myApp.ApplicationId
# Echoing the secret to the console lands it in transcripts and CI logs; prefer storing it in a key vault
Write-Host "App Secret: " $secret
Write-Host "TenantID: " $tenant.Id

There is no API exposed by Microsoft to grant admin consent for an Azure AD application / service principal. You can vote for this post on User Voice.

There is a workaround:

Call the Microsoft Graph APIs Create a delegated permission grant and Grant an appRoleAssignment to a service principal from PowerShell.

Sample for your reference:

$context = Get-AzContext
$ResourceGraphURI = "https://graph.microsoft.com/"
# Both calls below go to Microsoft Graph, so only a Microsoft Graph token is needed
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $ResourceGraphURI).AccessToken

# Object ids are specific to the answerer's tenant; substitute your own (see notes below)
$clientID   = "d154cc56-f1a2-4906-9f26-bfb4756f9c20"   # object id of the app's service principal (Enterprise application)
$resourceID = "08a1faff-51c1-4cbb-81c4-1bc11286da76"   # object id of the Microsoft Graph service principal in the tenant
$scopes     = "Sites.Read.All User.Read User.Read.All User.ReadBasic.All"   # space-separated delegated permissions

# 1. Delegated permissions: consentType AllPrincipals with a null principalId is tenant-wide admin consent
$body = @{
    clientId    = $clientID
    consentType = "AllPrincipals"
    principalId = $null
    resourceId  = $resourceID
    scope       = $scopes
    startTime   = "2019-10-19T10:37:00Z"
    expiryTime  = "2020-10-19T10:37:00Z"
}

$apiUrl = "https://graph.microsoft.com/beta/oauth2PermissionGrants"
Invoke-RestMethod -Uri $apiUrl -Headers @{Authorization = "Bearer $($graphToken)" }  -Method POST -Body $($body | ConvertTo-Json) -ContentType "application/json"

# 2. Application permissions: one appRoleAssignment per app role, granted to the app's service principal
$principalId = $clientID

$body1 = @{
    principalId = $principalId
    resourceId  = $resourceID
    appRoleId   = "df021288-bdef-4463-88db-98f22de89214"   # User.Read.All (application permission) on Microsoft Graph
}

$apiUrl1 = "https://graph.microsoft.com/beta/servicePrincipals/$($principalId)/appRoleAssignedTo"
Invoke-RestMethod -Uri $apiUrl1 -Headers @{Authorization = "Bearer $($graphToken)" }  -Method POST -Body $($body1 | ConvertTo-Json) -ContentType "application/json"

For the first call, https://graph.microsoft.com/beta/oauth2PermissionGrants:

clientID is the object id of the service principal (not the Azure AD application); you can find it using Get-AzADServicePrincipal. You can also find it in the Azure Portal under Azure Active Directory - Enterprise Applications by searching for the name of your Azure AD application.

resourceID is the object id of the Microsoft Graph service principal. You can find it under Enterprise applications (search for "00000003-0000-0000-c000-000000000000").

scopes are the delegated permissions you want to grant admin consent for.

For the second call, https://graph.microsoft.com/beta/servicePrincipals/$($principalId)/appRoleAssignedTo:

principalId is the same as clientID above.

appRoleId is the application permission ID.
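The same two-step procedure (one oauth2PermissionGrant for the delegated scopes, one appRoleAssignment per application permission), as an added example that is not the answerer's code. It uses the Microsoft Graph v1.0 endpoints rather than beta, resolves the service principal object ids and app role ids at run time instead of hard-coding tenant-specific GUIDs, and is idempotent: re-running it merges scopes into an existing grant and skips roles already assigned. Assumptions: you are signed in with Connect-AzAccount as a user allowed to grant consent (for example a Global Administrator), Az.Resources is installed, and Az.Accounts is 2.2 to 3.x so that Get-AzAccessToken exposes a plain-string .Token (Az.Accounts 4 and later return a SecureString). The function and parameter names, and the appId in the usage line, are this example's own.

```powershell
# Added example, not code from the original answer. Tenant-wide admin consent for an
# app's Microsoft Graph permissions over Microsoft Graph v1.0, done idempotently.
# Assumptions: signed in via Connect-AzAccount as a user allowed to grant consent,
# Az.Resources installed, Az.Accounts 2.2-3.x (plain-string .Token from Get-AzAccessToken).
function Grant-TenantAdminConsent {
    param(
        [Parameter(Mandatory)] [string] $AppId,              # application (client) ID of the app registration
        [string[]] $DelegatedScopes = @('User.Read'),        # delegated permissions (type = Scope)
        [string[]] $AppRoles        = @('User.Read.All')     # application permissions (type = Role)
    )
    $ErrorActionPreference = 'Stop'
    $graphBase    = 'https://graph.microsoft.com/v1.0'
    $msGraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of the Microsoft Graph resource

    $token   = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
    $headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
    function Invoke-Graph([string]$Method, [string]$Path, $Body) {
        $p = @{ Method = $Method; Uri = "$graphBase/$Path"; Headers = $headers }
        if ($null -ne $Body) { $p.Body = $Body | ConvertTo-Json -Depth 5 }
        Invoke-RestMethod @p
    }

    # Service principal object ids differ per tenant, so resolve them instead of hard-coding them.
    $clientSp   = Get-AzADServicePrincipal -ApplicationId $AppId
    $resourceSp = Get-AzADServicePrincipal -ApplicationId $msGraphAppId
    if (-not $clientSp) { throw "No service principal for appId $AppId (run New-AzADServicePrincipal -ApplicationId $AppId first)" }

    # 1. Delegated permissions live in ONE oauth2PermissionGrant per (client, resource) pair;
    #    consentType AllPrincipals with no principalId is tenant-wide admin consent.
    #    A second POST for the same pair is rejected, so merge scopes into the existing grant.
    $filter   = [uri]::EscapeDataString("clientId eq '$($clientSp.Id)' and consentType eq 'AllPrincipals' and resourceId eq '$($resourceSp.Id)'")
    $existing = (Invoke-Graph GET "oauth2PermissionGrants?`$filter=$filter").value
    if ($existing) {
        $merged = (@($existing[0].scope -split ' ') + $DelegatedScopes | Where-Object { $_ } | Sort-Object -Unique) -join ' '
        Invoke-Graph PATCH "oauth2PermissionGrants/$($existing[0].id)" @{ scope = $merged } | Out-Null
    } else {
        Invoke-Graph POST 'oauth2PermissionGrants' @{
            clientId    = $clientSp.Id
            consentType = 'AllPrincipals'
            resourceId  = $resourceSp.Id
            scope       = ($DelegatedScopes -join ' ')
        } | Out-Null
    }

    # 2. Application permissions are app roles defined on the resource SP: look up each role's id
    #    from its value (no hard-coded GUIDs) and assign it to the client SP if not already assigned.
    $roleDefs = (Invoke-Graph GET "servicePrincipals/$($resourceSp.Id)?`$select=appRoles").appRoles
    $assigned = (Invoke-Graph GET "servicePrincipals/$($clientSp.Id)/appRoleAssignments").value
    foreach ($roleValue in $AppRoles) {
        $role = $roleDefs | Where-Object { $_.value -eq $roleValue -and $_.allowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "Microsoft Graph exposes no application permission named '$roleValue'" }
        if ($assigned | Where-Object { $_.appRoleId -eq $role.id -and $_.resourceId -eq $resourceSp.Id }) { continue }
        Invoke-Graph POST "servicePrincipals/$($clientSp.Id)/appRoleAssignments" @{
            principalId = $clientSp.Id
            resourceId  = $resourceSp.Id
            appRoleId   = $role.id
        } | Out-Null
    }

    # 3. Read back what the tenant now holds for this client; this is what an access review should audit.
    [pscustomobject]@{
        ClientObjectId  = $clientSp.Id
        DelegatedScopes = (Invoke-Graph GET "oauth2PermissionGrants?`$filter=$filter").value.scope
        AppRoles        = (Invoke-Graph GET "servicePrincipals/$($clientSp.Id)/appRoleAssignments").value |
                          ForEach-Object { $rid = $_.appRoleId; ($roleDefs | Where-Object { $_.id -eq $rid }).value }
    }
}

# Usage (hypothetical appId):
# Grant-TenantAdminConsent -AppId '11111111-2222-3333-4444-555555555555' -DelegatedScopes 'User.Read','Sites.Read.All' -AppRoles 'User.Read.All'
```

Two points worth keeping in mind when running this. First, the caller needs the right to grant consent: a directory role such as Global Administrator or Privileged Role Administrator, or, for an automation identity, the DelegatedPermissionGrant.ReadWrite.All and AppRoleAssignment.ReadWrite.All application permissions with admin consent already granted. Second, these grants are written to the service principal and are independent of the requiredResourceAccess list on the app registration: the manifest only advertises what the app wants, so the PATCH in the question neither grants nor limits anything, and an AllPrincipals grant applies to every user in the tenant. Where only a few users need the app, a Principal-type grant with a specific principalId is the tighter choice.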