是否可以通过 Powershell 将 Microsoft Graph 委托权限添加到 Azure AD 应用程序?
Is it possible to add Microsoft Graph delegated permissions to Azure AD app via Powershell?
我使用以下脚本从 PowerShell 在 Azure AD 中注册了一个应用程序。
//To create new application
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.AppId
//To set ApplicationID URI
Set-AzureADApplication -ApplicationId $myappId -IdentifierUris "api://$myappId"
//To retrieve details of new application
Get-AzureADApplication -Filter "DisplayName eq $myapp"
现在我想为此应用设置委派的 API 权限(Calendars.Read、Application.Read.All、Directory.Read.All)。
从 Azure 门户,我知道如何分配这些。但是是否可以通过 PowerShell 添加这些权限?如果是,谁能帮我处理脚本或 cmdlet?
如有任何帮助,我们将不胜感激。谢谢。
是的,可以通过 PowerShell
设置委派的 API 权限
最初,请注意可以通过以下 cmdlet 检索的新应用程序的 AppID:
Get-AzureADApplication -Filter "DisplayName eq $myapp"
使用以下 cmdlet 检查您是否有名为“Microsoft Graph”的服务主体:
Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
为了通过 PowerShell 分配 API 权限,您应该知道可以使用以下 cmdlet 显示的那些委派权限的 GUID:
$MSGraph.Oauth2Permissions | FT ID, Value
记下所需权限的 ID,例如 Calendars.Read、Application.Read.All 和 Directory.Read.All
请在下面找到完整的脚本:
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.ObjectId
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$MSGraph.Oauth2Permissions | FT ID, Value
# Create a Resource Access resource object and assign the service principal’s App ID to it.
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
# Create a set of delegated permissions using noted IDs
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "c79f8feb-a9db-4090-85f9-90d820caa0eb","Scope"
$Per2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42","Scope"
$Per3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"
$Graph.ResourceAccess = $Per1, $Per2, $Per3
# Set the above resource access object to your application ObjectId so permissions can be assigned.
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph
参考:
How to assign Permissions to Azure AD App by using PowerShell?
我使用以下脚本从 PowerShell 在 Azure AD 中注册了一个应用程序。
//To create new application
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.AppId
//To set ApplicationID URI
Set-AzureADApplication -ApplicationId $myappId -IdentifierUris "api://$myappId"
//To retrieve details of new application
Get-AzureADApplication -Filter "DisplayName eq $myapp"
现在我想为此应用设置委派的 API 权限(Calendars.Read、Application.Read.All、Directory.Read.All)。
从 Azure 门户,我知道如何分配这些。但是是否可以通过 PowerShell 添加这些权限?如果是,谁能帮我处理脚本或 cmdlet?
如有任何帮助,我们将不胜感激。谢谢。
是的,可以通过 PowerShell
设置委派的 API 权限最初,请注意可以通过以下 cmdlet 检索的新应用程序的 AppID:
Get-AzureADApplication -Filter "DisplayName eq $myapp"
使用以下 cmdlet 检查您是否有名为“Microsoft Graph”的服务主体:
Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
为了通过 PowerShell 分配 API 权限,您应该知道可以使用以下 cmdlet 显示的那些委派权限的 GUID:
$MSGraph.Oauth2Permissions | FT ID, Value
记下所需权限的 ID,例如 Calendars.Read、Application.Read.All 和 Directory.Read.All
请在下面找到完整的脚本:
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.ObjectId
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$MSGraph.Oauth2Permissions | FT ID, Value
# Create a Resource Access resource object and assign the service principal’s App ID to it.
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
# Create a set of delegated permissions using noted IDs
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "c79f8feb-a9db-4090-85f9-90d820caa0eb","Scope"
$Per2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42","Scope"
$Per3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"
$Graph.ResourceAccess = $Per1, $Per2, $Per3
# Set the above resource access object to your application ObjectId so permissions can be assigned.
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph
参考:
How to assign Permissions to Azure AD App by using PowerShell?