使用Microsoft Graph SDK for PowerShell为应用服务主体分配角色？

fcg9iug3 于 2023-10-18 发布在 Shell

关注(0)|答案(2)|浏览(111)

我正在使用https://github.com/microsoftgraph/msgraph-sdk-powershell，因为我需要Powershell 7支持我的脚本，AzureAD模块在Windows上除了Powershell 5之外还有很多问题。基本上，我试图在B2C租户中创建应用程序注册。我遇到的问题是，我的脚本看起来很好，但我不能授予任何管理员同意任何定义的范围。然后我注意到了一个问题--当你在门户网站中创建一个应用程序注册时，它会自动获得一个服务主体，而New-MgApplication不会这样做。
我有下面的脚本，它可以工作，直到我尝试使用New-MgServicePrincipalAppRoleAssignment将服务主体分配给我的应用程序，它在错误中崩溃：New-MgServicePrincipalAppRoleAssignment_CreateExpanded: Not a valid reference update.
我不确定这是否是适合我需要的函数，或者New-MgRoleManagementDirectoryRoleAssignment是否是正确的函数。

function Upsert-AppRegistration {
    Param(
        [string] $TemplateParametersFile,
        [string] $ResourceGroupName
    )

    $templateParameters = Get-Content $TemplateParametersFile | ConvertFrom-Json
    $customerName = $templateParameters.parameters.customerName.value
    $deploymentIdentifier = $templateParameters.parameters.deploymentIdentifier.value
    $b2cTenantId = $templateParameters.parameters.b2cTenantId.value
    $b2cTenantName = $templateParameters.parameters.b2cTenantName.value

    $GraphConnection = Connect-Graph -TenantId $b2cTenantId -Scopes "User.Read","User.ReadWrite.All","Mail.ReadWrite",`
            "Directory.ReadWrite.All","Chat.ReadWrite", "People.Read", `
            "Group.Read.All", "Directory.AccessAsUser.All", "Tasks.ReadWrite", `
            "Sites.Manage.All"

    [string[]]$webRedirectUris = 
        "https://localhost:5050/LoginView",
        "https://localhost:5050/DashboardView",
        "https://localhost:5050/UsersView",
        "https://localhost:5050/OrdersView"

    # Our custom app.login scope for delegated permissions from front-end login
    $oauth2PermissionScopes = @{
        "Id" = [guid]::NewGuid().guid
        "Value" = "app.login"
        "AdminConsentDescription" = "This will provide the application access to login"
        "AdminConsentDisplayName" = "Admin delegated login"
        "IsEnabled" = $true
        "Type" = "Admin"
    }

    [object[]]$appLoginScope = @{
        "Id" = $oauth2PermissionScopes.Id
        "Type" = "Scope"
    }

    # Microsoft.Graph ResourceAccess scopes and roles
    $mgOfflineAccessScope = @{
        "Id" = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"
        "Type" = "Scope"
    }

    $mgOpenidScope = @{
        "Id" = "37f7f235-527c-4136-accd-4a02d197296e"
        "Type" = "Scope"
    }

    $mgDirectoryReadWriteAllRole = @{
        "Id" = "19dbc75e-c2e2-444c-a770-ec69d8559fc7"
        "Type" = "Role"
    }

    $mgResourceAccess = $mgOfflineAccessScope, $mgOpenidScope, $mgDirectoryReadWriteAllRole

    [object[]]$requiredResourceAccess = @{
        "ResourceAppId" = "00000003-0000-0000-c000-000000000000"
        "ResourceAccess" = $mgResourceAccess
    }
    $mgApplicationParams = @{
        "DisplayName" = "${customerName}-${deploymentIdentifier}"
        "ApiOauth2PermissionScopes" = $oauth2PermissionScopes
        "ApiRequestedAccessTokenVersion" = 2
        "ImplicitGrantSettingEnableAccessTokenIssuance" = $true
        "ImplicitGrantSettingEnableIdTokenIssuance" = $true
        "RequiredResourceAccess" = $requiredResourceAccess
        "WebLogoutUrl" = "https://localhost:5050/LogoutView"
        "WebRedirectUris" = $webRedirectUris
        "IdentifierUris" = "https://$b2cTenantName.onmicrosoft.com/app"
    }

    # We need to create our application before we can add permissions to our custom scope
    $mgApplication = New-MgApplication @mgApplicationParams

    # Now our application has an Id so we can finish setting up the RequiredResourceAccess

    $newRequiredResourceAccess =  $requiredResourceAccess + @{
        "ResourceAppId" = $mgApplication.AppId
        "ResourceAccess" = $appLoginScope
    }

    # Azure doesn't always update immediately, make sure app exists before we try to update its config
    $appExists = $false
    while (!$appExists) {
        Start-Sleep -Seconds 2
        $appExists = Get-MgApplication -ApplicationId $mgApplication.Id
    }

    $mgApplicationParams.Add("ApplicationId", $mgApplication.Id)
    $mgApplicationParams.RequiredResourceAccess = $newRequiredResourceAccess
    Update-MgApplication @mgApplicationParams

    $appServicePrincipal = New-MgServicePrincipal -AppId $mgApplication.AppId -Tags @("WindowsAzureActiveDirectoryIntegratedApp")

    $result = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServicePrincipal.Id `
        -AppRoleId 19dbc75e-c2e2-444c-a770-ec69d8559fc7 `
        -ResourceId 429a2356-9cdc-475e-8caf-cfe8b7c77db8 `
        -PrincipalType "ServicePrincipal"

    # @TODO Generate app client secret 
    $appClientSecret = "--SECRET--"

    Write-Host "Created the app registration ${customerName}-${deploymentIdentifier} with client Id:",
        $mgApplication.AppId -ForegroundColor Yellow

    @{
        "appClientId" = $mgApplication.AppId
        "appClientSecret" = $appClientSecret
    }
}

powershell

来源：https://stackoverflow.com/questions/61021658/using-microsoft-graph-sdk-for-powershell-to-assign-role-to-app-service-principal

2条答案

按热度按时间

holgip5t1#

事实证明，我不需要为我的服务主体分配一个角色，它的工作和一切都显示正确。这是Azure的UI滞后的组合，也是在服务主体中添加标签的关键，当我发布这篇文章时，我还没有测试过。

赞(0）回复(0）举报 2023-10-18

amrnrhlw2#

要缓解错误New-MgServicePrincipalAppRoleAssignment_CreateExpanded: Not a valid reference update.，请使用New-MgServicePrincipalAppRoleAssignment文档- Example 1中提供的代码片段。
让我在这里提供额外的解释：

$params = @{
  # the app service principal object ID which will receive the permission
  principalId = "guid1";
  # the app service principal object ID which owns the appRole
  # e.g. MS Graph Service Principal
  # NOTE: this ID is unique for each Azure AD Tenant
  resourceId = "guid2";
  # The Id of the AppRole
  # NOTE: the value remains constant across all Azure AD tenants
  appRoleId = "guid3";
}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "guid1" -BodyParameter $params

以上内容在Microsoft Graph PowerShell v1.0上进行了测试，在即将推出的版本中，小工具的功能可能会发生变化。

赞(0）回复(0）举报 2023-10-18

我来回答

使用Microsoft Graph SDK for PowerShell为应用服务主体分配角色？

2条答案

相关问题

热门标签

最新问答