Creating an Azure AD application with Az PowerShell

1bqhqjot published on 2023-03-09 in Shell

I am creating an Azure AD application, generating a client secret for it, and granting it the Reader role using Az PowerShell. I want to give the application the Microsoft Graph Directory.Read.All permission, but I am not sure how to do that with PowerShell. Can anyone help? Here is the code I wrote:

#Connect to Azure AD
Connect-AzAccount -TenantId <tenant-id>
Connect-AzureAD
#Set variables for the app
$appName = "test"
$secret = "MySecret"

#Create the app
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false

#Create the client secret
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate

#Retrieve the tenant ID
$tenantId = (Get-AzureADTenantDetail).ObjectId

#giving Reader Role
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal"

#Print the App-ID, tenant ID, and client secret
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"
nxagd54h 1#

I tried to reproduce the same thing in my environment and got the following results:

I ran the same PowerShell script as you and got the response shown below:

#Connect to Azure AD
Connect-AzAccount -TenantId <tenantID>
Connect-AzureAD

#Set variables for the app
$appName = "test"
$secret = "MySecret"

#Create the app
$app = New-AzureADApplication -DisplayName $appName -PublicClient $false

#Create the client secret
$bytes = [System.Text.Encoding]::Unicode.GetBytes($secret)
$base64 = [System.Convert]::ToBase64String($bytes)
$startDate = Get-Date
$endDate = $startDate.AddYears(1)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "MyCustomKeyIdentifier" -Value $base64 -StartDate $startDate -EndDate $endDate

#Retrieve the tenant ID
$tenantId = (Get-AzureADTenantDetail).ObjectId

#giving Reader Role
New-AzRoleAssignment -ObjectId $app.ObjectId -RoleDefinitionName "Reader" -PrincipalType "ServicePrincipal" -Scope "/subscriptions/<subID>/resourcegroups/<myRGname>"

#Print the App-ID, tenant ID, and client secret
Write-Host "App-ID: $($app.AppId)"
Write-Host "Tenant ID: $tenantId"
Write-Host "Client Secret: $($secret.Value)"
Response:

When I checked the same in the Portal, the application named test had been created successfully, as shown below:

To add the Microsoft Graph Directory.Read.All permission to this application, you can run the following PowerShell script:

# Build the RequiredResourceAccess entry for Microsoft Graph
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph application ID
# Directory.Read.All application permission; Type "Role" means an app-only permission, not a delegated scope
$DirectoryReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7ab1d382-f21e-4acd-a863-ba3e13f7da61","Role"
$Graph.ResourceAccess = $DirectoryReadAll
$app = Get-AzureADApplication -SearchString "test"

# Write the requested permission into the application's manifest
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $Graph
Response:

When I checked the same in the Portal, the Directory.Read.All permission had been added to the application successfully, as shown below:

To grant admin consent for the permission above, you need to create a service principal and run the PowerShell script below:

# Create the service principal for the application in this tenant
$sp = New-AzureADServicePrincipal -AccountEnabled $true -AppId $app.AppId -AppRoleAssignmentRequired $true -DisplayName "test"
# Look up Microsoft Graph's own service principal (the resource that exposes the app role)
$graphsp = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Assigning the Graph app role to the service principal is what grants admin consent
New-AzureADServiceAppRoleAssignment `
             -Id $DirectoryReadAll.Id `
             -ObjectId $sp.ObjectId `
             -PrincipalId $sp.ObjectId `
             -ResourceId $graphsp.ObjectId
Response:

To confirm this, you can check in the Portal that admin consent was granted successfully, as shown below:
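As an added verification script (not part of the original question or answer), the following uses the same AzureAD module to audit the result of the steps above: it resolves the Directory.Read.All application role from Microsoft Graph's service principal instead of hard-coding its GUID, checks whether the app's manifest requests it as an app-only permission, and flags client secrets that are expired or close to expiry. It assumes Connect-AzureAD has already been run, that the app is the one named "test" from the post, and that the 30-day warning threshold is a hypothetical value.

```powershell
# Added audit script; assumes the AzureAD module is loaded and Connect-AzureAD has run.
param(
    [string]$AppDisplayName = "test",   # display name used in the post
    [int]$WarnDays = 30                 # hypothetical threshold for secret-expiry warnings
)

$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph application ID (from the post)

$app = Get-AzureADApplication -Filter "DisplayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $app) { throw "No application named '$AppDisplayName' found." }

# Resolve the app role by its value rather than a hard-coded GUID. AllowedMemberTypes
# containing 'Application' identifies an app-only permission (the "Role" type), as
# opposed to a delegated scope of the same name.
$graphSp = Get-AzureADServicePrincipal -Filter "AppId eq '$graphAppId'"
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq "Directory.Read.All" -and $_.AllowedMemberTypes -contains "Application" }
if (-not $role) { throw "Directory.Read.All application role not found on the Graph service principal." }
Write-Host ("Directory.Read.All app role id: {0}" -f $role.Id)

# Check whether the application's manifest requests this role with Type 'Role'
# (what Set-AzureADApplication -RequiredResourceAccess writes in the answer above).
$requested = $app.RequiredResourceAccess |
    Where-Object { $_.ResourceAppId -eq $graphAppId } |
    ForEach-Object { $_.ResourceAccess } |
    Where-Object { $_.Id -eq $role.Id -and $_.Type -eq "Role" }
Write-Host ("Manifest requests Directory.Read.All (app-only): {0}" -f [bool]$requested)

# Client-secret hygiene: list each password credential with its remaining lifetime,
# so a secret created with a one-year EndDate is noticed before it silently expires.
$now = Get-Date
Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object {
    $daysLeft = [int]($_.EndDate - $now).TotalDays
    $state = if ($daysLeft -le 0) { "EXPIRED" }
             elseif ($daysLeft -le $WarnDays) { "EXPIRING" }
             else { "ok" }
    Write-Host ("Secret {0}: ends {1:yyyy-MM-dd} ({2} days left) {3}" -f $_.KeyId, $_.EndDate, $daysLeft, $state)
}
```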
