powershell - Get-AzureRmADApplication 显示没有权限

Question

我在 Azure 门户 ( https://portal.azure.com ) 中创建了一个测试应用程序。在 Visual Studio 2015 中，我有 PowerShell 并且可以执行:

获取 AzureRmADApplication

我得到以下输出:

DisplayName             : test
ObjectId                : ...
IdentifierUris          : ...
HomePage                : ...
Type                    : Application
ApplicationId           : ...
AvailableToOtherTenants : False
AppPermissions          : 
ReplyUrls               : ...

“AppPermissions”列表为空，但在 Azure 门户中我已授予“测试”所有可用权限。

我正在使用 PowerShell 3.0.399.0。至少 Get-Host 报告是这样的:

Name             : PowerShell Tools for Visual Studio Host
Version          : 3.0.399.0
InstanceId       : d7bb788e-e342-41fb-a78b-cad36f940aae

如果我使用:Get-AzureADApplication -Filter "DisplayName eq 'test'"我得到:

[ERROR] Get-AzureADApplication : Error occurred while executing GetApplications 
[ERROR] Code: Authentication_Unauthorized
[ERROR] Message: User was not found
[ERROR] HttpStatusCode: Forbidden
[ERROR] HttpStatusDescription: Forbidden
[ERROR] HttpResponseStatus: Completed

有什么想法吗？如何在PowerShell中获取应用程序“test”的权限？为什么这对我不起作用？

BR，雷内

Answer 1

目前AD应用权限是基于OAuth 2.0构建的，我们可以使用这个脚本来获取权限:

PS C:\Users> Get-AzureADApplication | where{ $_.displayname -eq 'jasonweb' } | fl *


DeletionTimeStamp          :
ObjectId                   : 6b11xxxx-xxxx-xxxx-xxxx-xxx9e59532e
ObjectType                 : Application
AddIns                     : {}
AppId                      : efc18xxx-xxxx-xxxx-xxxx-xxxx401dc6bc
AppRoles                   : {}
AvailableToOtherTenants    : False
DisplayName                : jasonweb
ErrorUrl                   :
GroupMembershipClaims      :
Homepage                   : http://jasontest321.azurewebsites.net
IdentifierUris             : {https://XXXXXXXXXX.onmicrosoft.com/9d1xxxxx-xxxx-xxxx-xxxx-xxxxcecab763}
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  :
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {class OAuth2Permission {
                               AdminConsentDescription: Allow the application to access jasonweb on behalf of the signed-in user.
                               AdminConsentDisplayName: Access jasonweb
                               Id: acecxxxx-xxxx-xxxx-xxxx-xxxxd1a04466
                               IsEnabled: True
                               Type: User
                               UserConsentDescription: Allow the application to access jasonweb on your behalf.
                               UserConsentDisplayName: Access jasonweb
                               Value: user_impersonation
                             }
                             }
OAuth2RequiredPostResponse :
PasswordCredentials        : {}
PublicClient               : False
RecordConsentConditions    :
ReplyUrls                  : {http://jasontest321.azurewebsites.net}
RequiredResourceAccess     : {class RequiredResourceAccess {
                               ResourceAppId: 00000003-0000-0000-c000-000000000000
                               ResourceAccess: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             , class RequiredResourceAccess {
                               ResourceAppId: 00000002-0000-0000-c000-000000000000
                               ResourceAccess: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             }
SamlMetadataUrl            :

注意:该命令属于Azure Active directory version 2.0 。

有关安装 Azure Active Directory V2 powershell 模块的更多信息，请参阅此 link .