
azure - How to programmatically get the Graph API permission GUIDs for an Azure AD application?

Reposted. Author: 行者123. Updated: 2023-12-04 04:20:52

I am trying to add required permissions to an Azure AD application. I already know how to copy the information out of a downloaded manifest via a PATCH REST call, e.g.

"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "7b9103a5-4610-446b-9670-80643382c1fa",
                "type": "Scope"
            },
            {
                "id": "5df07973-7d5d-46ed-9847-1271055cbd51",
                "type": "Scope"
            }
        ]
    }
]

as Christer Ljung explains on his blog: http://www.redbaronofazure.com/?page_id=181

But the mystery remains how I "translate" human-readable scopes such as Mail.Read into these obscure GUIDs. I have read the following blog post by Sahil Malik: http://blah.winsmarts.com/2015-1-Programmatically_register_native_apps_in_Azure_AD_or_Office_365.aspx which explains how to get the list of available GUIDs for a specific ServicePrincipal, e.g. via an HTTP request to https://graph.windows.net/<tenant-id>/servicePrincipals()?api-version=1.6&$filter=appId%20eq%20'00000002-0000-0ff1-ce00-000000000000' (Exchange). But when I try to get the list of available scopes for ServicePrincipal 00000003-0000-0000-c000-000000000000 (which I believe is the Graph API), the return value is just empty.

Interestingly, using Fiddler I was able to capture the HTTP POST request containing all the GUIDs when adding permissions through the Azure portal.

Does anyone know how I can do this programmatically?

Best answer

After some investigation I found a way to get the permission GUIDs using azure-cli. Sharing it here in case anyone finds it useful:

  1. Get all permissions and their GUIDs for a service principal by display name, application ID, or object ID. (Note that display names are not unique and may map to multiple service principals.)
$ az ad sp list --filter "displayName eq 'Microsoft Graph'" --query '[].oauth2Permissions[].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o table
Value                                      Id                                    UserConsentDisplayName
-----------------------------------------  ------------------------------------  --------------------------------------------------------
ServiceHealth.Read.All                     55896846-df78-47a7-aa94-8d3d4442ca7f  Read service health
ServiceMessage.Read.All                    eda39fa6-f8cf-4c3c-a909-432c683e4c9b  Read service messages
TermStore.ReadWrite.All                    6c37c71d-f50f-4bff-8fd3-8a41da390140  Read and write term store data
TermStore.Read.All                         297f747b-0005-475b-8fef-c890f5152b38  Read term store data
TeamMember.ReadWriteNonOwnerRole.All       2104a4db-3a2f-4ea0-9dba-143d457dc666  Add and remove members with non-owner role for all teams
Team.Create                                7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0  Create teams
TeamsAppInstallation.ReadWriteForUser      093f8818-d05f-49b8-95bc-9d2a73e9a43c  Manage your installed Teams apps
TeamsAppInstallation.ReadWriteSelfForUser  207e0cb1-3ce7-4922-b991-5a760c346ebc  Allow the Teams app to manage itself for you
...

$ az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query '[].oauth2Permissions[].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o table | head
Value                                      Id                                    UserConsentDisplayName
-----------------------------------------  ------------------------------------  --------------------------------------------------------
ServiceHealth.Read.All                     55896846-df78-47a7-aa94-8d3d4442ca7f  Read service health
ServiceMessage.Read.All                    eda39fa6-f8cf-4c3c-a909-432c683e4c9b  Read service messages
TermStore.ReadWrite.All                    6c37c71d-f50f-4bff-8fd3-8a41da390140  Read and write term store data
TermStore.Read.All                         297f747b-0005-475b-8fef-c890f5152b38  Read term store data
TeamMember.ReadWriteNonOwnerRole.All       2104a4db-3a2f-4ea0-9dba-143d457dc666  Add and remove members with non-owner role for all teams
Team.Create                                7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0  Create teams
TeamsAppInstallation.ReadWriteForUser      093f8818-d05f-49b8-95bc-9d2a73e9a43c  Manage your installed Teams apps
TeamsAppInstallation.ReadWriteSelfForUser  207e0cb1-3ce7-4922-b991-5a760c346ebc  Allow the Teams app to manage itself for you
...
  2. Run the following command to get the complete record for a service principal, including its oauth2Permissions, servicePrincipalNames, and so on.
$ az ad sp show --id 00000003-0000-0000-c000-000000000000 > microsoft_graph_permission_list.json

# microsoft_graph_permission_list.json
{
    ...
    "appDisplayName": "Microsoft Graph",
    "appId": "00000003-0000-0000-c000-000000000000",
    "objectId": "b19d498e-6687-4156-869a-2e8a95a9d659",
    "servicePrincipalNames": [
        "https://dod-graph.microsoft.us",
        "https://graph.microsoft.com/",
        "https://graph.microsoft.us",
        "00000003-0000-0000-c000-000000000000/ags.windows.net",
        "00000003-0000-0000-c000-000000000000",
        "https://canary.graph.microsoft.com",
        "https://graph.microsoft.com",
        "https://ags.windows.net"
    ],
    "appRoles": [...],
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
            "adminConsentDisplayName": "Read and write all users' full profiles",
            "id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4",
            "isEnabled": true,
            "type": "Admin",
            "userConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
            "userConsentDisplayName": "Read and write all users' full profiles",
            "value": "User.ReadWrite.All"
        },
        {
            "adminConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
            "adminConsentDisplayName": "Read all users' full profiles",
            "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
            "isEnabled": true,
            "type": "Admin",
            "userConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
            "userConsentDisplayName": "Read all users' full profiles",
            "value": "User.Read.All"
        },
        ...
    ]
    ...
}
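Putting the answer's two steps together with the PATCH body from the question, as an added example that is not part of the original answer: a Python script that reads the `az ad sp show` JSON, resolves human-readable permission names to their ids, and emits the `requiredResourceAccess` body. Delegated permissions (the `oauth2Permissions` array) become `"type": "Scope"`; application permissions (the `appRoles` array) become `"type": "Role"`, and the same name, for instance User.Read.All, can exist in both with different ids, which is why the caller has to say which kind it wants. The embedded sample service-principal document is constructed from the values quoted in the answer; its single appRoles entry and that entry's id are placeholders, because the answer elides appRoles. Newer Azure CLI builds name the delegated array `oauth2PermissionScopes` instead of `oauth2Permissions`, so the script accepts either. The script and its `Scope:`/`Role:` argument convention are mine, not the answerer's.

```python
import json
import sys

PLACEHOLDER_ROLE_ID = "00000000-0000-0000-0000-000000000000"  # NOT a real Microsoft Graph id

# Constructed sample: a trimmed copy of the `az ad sp show --id 00000003-...` output quoted
# in the answer. The two delegated-permission ids are the ones shown there; the appRoles
# entry is a placeholder because the answer shows appRoles as "[...]".
SAMPLE_SP = {
    "appDisplayName": "Microsoft Graph",
    "appId": "00000003-0000-0000-c000-000000000000",
    "oauth2Permissions": [
        {"id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4", "isEnabled": True,
         "type": "Admin", "value": "User.ReadWrite.All"},
        {"id": "a154be20-db9c-4678-8ab7-66f6cc099a59", "isEnabled": True,
         "type": "Admin", "value": "User.Read.All"},
    ],
    "appRoles": [
        {"id": PLACEHOLDER_ROLE_ID, "isEnabled": True,
         "allowedMemberTypes": ["Application"], "value": "User.Read.All"},
    ],
}


def delegated_scopes(sp):
    """Map delegated-permission name -> definition. Accepts both the older
    `oauth2Permissions` key and the newer `oauth2PermissionScopes` key."""
    perms = sp.get("oauth2PermissionScopes") or sp.get("oauth2Permissions") or []
    return {p["value"]: p for p in perms}


def app_roles(sp):
    """Map application-permission name -> definition (the appRoles array)."""
    return {r["value"]: r for r in sp.get("appRoles", [])}


def _lookup(table, name, kind, sp):
    # Fail loudly on a name the resource does not expose; a silent skip would leave the
    # app registered with fewer permissions than the operator believes it has.
    try:
        entry = table[name]
    except KeyError:
        label = sp.get("appDisplayName", sp["appId"])
        raise KeyError(f"{kind} permission {name!r} is not exposed by {label}") from None
    if not entry.get("isEnabled", True):
        raise ValueError(f"{kind} permission {name!r} is disabled on the resource")
    return entry


def build_required_resource_access(sp, delegated=(), application=()):
    """Return one requiredResourceAccess entry for the resource service principal `sp`.
    Delegated names resolve against oauth2Permissions as type Scope; application names
    resolve against appRoles as type Role (they act without a signed-in user)."""
    access = []
    for name in delegated:
        access.append({"id": _lookup(delegated_scopes(sp), name, "delegated", sp)["id"],
                       "type": "Scope"})
    for name in application:
        access.append({"id": _lookup(app_roles(sp), name, "application", sp)["id"],
                       "type": "Role"})
    return {"resourceAppId": sp["appId"], "resourceAccess": access}


def admin_consent_scopes(sp, delegated):
    """Delegated names whose consent type is Admin: a plain user cannot grant these."""
    scopes = delegated_scopes(sp)
    return [n for n in delegated if scopes[n].get("type") == "Admin"]


def patch_body(*entries):
    """JSON body for the PATCH in the question, one entry per resource service principal."""
    return json.dumps({"requiredResourceAccess": list(entries)}, indent=2)


if __name__ == "__main__":
    # usage: resolve_perms.py <az ad sp show output.json> Scope:<name> Role:<name> ...
    if len(sys.argv) < 3:
        sys.exit("usage: resolve_perms.py sp.json Scope:<name>|Role:<name> ...")
    with open(sys.argv[1], encoding="utf-8") as fh:
        sp = json.load(fh)
    wanted_scopes = [a[len("Scope:"):] for a in sys.argv[2:] if a.startswith("Scope:")]
    wanted_roles = [a[len("Role:"):] for a in sys.argv[2:] if a.startswith("Role:")]
    entry = build_required_resource_access(sp, wanted_scopes, wanted_roles)
    for n in admin_consent_scopes(sp, wanted_scopes):
        print(f"note: {n} requires admin consent", file=sys.stderr)
    print(patch_body(entry))
```

Run it against the file produced in step 2, e.g. `python3 resolve_perms.py microsoft_graph_permission_list.json Scope:User.Read.All`, and the printed body is what the question's PATCH expects; the same JSON can be handed to `az ad app update --id <app-id> --required-resource-accesses @file.json` (an example invocation, not something the answer shows). The admin-consent warning is deliberate: every scope in the quoted output is `"type": "Admin"`, and requesting those, or any Role, widens what the app can do once an administrator consents, so keep the list to what the application actually needs.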

Regarding "azure - How to programmatically get the Graph API permission GUIDs for an Azure AD application?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/41946417/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号