How to programmatically get the GUID of a Graph API permission for an Azure AD application?

Car*_*eld 9 azure azure-active-directory microsoft-graph

I am trying to add required permissions to an Azure AD application. I already know how to copy the information from the downloaded manifest via a PATCH REST call, e.g.

"requiredResourceAccess": [
{
  "resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [
    {
      "id": "7b9103a5-4610-446b-9670-80643382c1fa",
      "type": "Scope"
    },
    {
      "id": "5df07973-7d5d-46ed-9847-1271055cbd51",
      "type": "Scope"
    }
  ]
}
]          

as Christer Ljung explains on his blog http://www.redbaronofazure.com/?page_id=181.

But the mystery remains how to "translate" human-readable scopes such as Mail.Read into these obscure GUIDs. I read the following blog by Sahil Malik at http://blah.winsmarts.com/2015-1-Programmatically_register_native_apps_in_Azure_AD_or_Office_365.aspx, which explains how to get the list of available GUIDs for a particular ServicePrincipal, e.g. via an HTTP GET to https://graph.windows.net/<tenant-id>/servicePrincipals()?api-version=1.6&$filter=appId%20eq%20'00000002-0000-0ff1-ce00-000000000000' (Exchange). But when I try to get the list of available scopes for the ServicePrincipal 00000003-0000-0000-c000-000000000000 (which I believe is the Graph API), the return value is simply empty.

Interestingly, using Fiddler I was able to capture an HTTP POST request containing all the GUIDs when adding the permissions through the Azure Portal.

Does anyone know how to do this programmatically?

bin*_*yDi 15

After some investigation I found a way to get the permission GUIDs with azure-cli. Sharing it here in case someone finds it useful:

  1. Get all permissions of a service principal together with their GUIDs, by display-name, app-id or object-id. (Note that display-name is not unique and may map to several service principals.)
$ az ad sp list --filter "displayName eq 'Microsoft Graph'" --query '[].oauth2Permissions[].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o table
Value                                                    Id                                    UserConsentDisplayName
-------------------------------------------------------  ------------------------------------  -----------------------------------------------------------------------------------------
ServiceHealth.Read.All                                   55896846-df78-47a7-aa94-8d3d4442ca7f  Read service health
ServiceMessage.Read.All                                  eda39fa6-f8cf-4c3c-a909-432c683e4c9b  Read service messages
TermStore.ReadWrite.All                                  6c37c71d-f50f-4bff-8fd3-8a41da390140  Read and write term store data
TermStore.Read.All                                       297f747b-0005-475b-8fef-c890f5152b38  Read term store data
TeamMember.ReadWriteNonOwnerRole.All                     2104a4db-3a2f-4ea0-9dba-143d457dc666  Add and remove members with non-owner role for all teams
Team.Create                                              7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0  Create teams
TeamsAppInstallation.ReadWriteForUser                    093f8818-d05f-49b8-95bc-9d2a73e9a43c  Manage your installed Teams apps
TeamsAppInstallation.ReadWriteSelfForUser                207e0cb1-3ce7-4922-b991-5a760c346ebc  Allow the Teams app to manage itself for you
...

$ az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query '[].oauth2Permissions[].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o table | head
Value                                                    Id                                    UserConsentDisplayName
-------------------------------------------------------  ------------------------------------  -----------------------------------------------------------------------------------------
ServiceHealth.Read.All                                   55896846-df78-47a7-aa94-8d3d4442ca7f  Read service health
ServiceMessage.Read.All                                  eda39fa6-f8cf-4c3c-a909-432c683e4c9b  Read service messages
TermStore.ReadWrite.All                                  6c37c71d-f50f-4bff-8fd3-8a41da390140  Read and write term store data
TermStore.Read.All                                       297f747b-0005-475b-8fef-c890f5152b38  Read term store data
TeamMember.ReadWriteNonOwnerRole.All                     2104a4db-3a2f-4ea0-9dba-143d457dc666  Add and remove members with non-owner role for all teams
Team.Create                                              7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0  Create teams
TeamsAppInstallation.ReadWriteForUser                    093f8818-d05f-49b8-95bc-9d2a73e9a43c  Manage your installed Teams apps
TeamsAppInstallation.ReadWriteSelfForUser                207e0cb1-3ce7-4922-b991-5a760c346ebc  Allow the Teams app to manage itself for you
...
  2. Run the following command to get the full information of a service principal, including its oauth2Permissions, servicePrincipalNames and so on.
az ad sp show --id 00000003-0000-0000-c000-000000000000 >microsoft_graph_permission_list.json

# microsoft_graph_permission_list.json
{
  ...
  "appDisplayName": "Microsoft Graph",
  "appId": "00000003-0000-0000-c000-000000000000",
  "objectId": "b19d498e-6687-4156-869a-2e8a95a9d659",
  "servicePrincipalNames": [
    "https://dod-graph.microsoft.us",
    "https://graph.microsoft.com/",
    "https://graph.microsoft.us",
    "00000003-0000-0000-c000-000000000000/ags.windows.net",
    "00000003-0000-0000-c000-000000000000",
    "https://canary.graph.microsoft.com",
    "https://graph.microsoft.com",
    "https://ags.windows.net"
  ],
  "appRoles": [...],
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
      "adminConsentDisplayName": "Read and write all users' full profiles",
      "id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4",
      "isEnabled": true,
      "type": "Admin",
      "userConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
      "userConsentDisplayName": "Read and write all users' full profiles",
      "value": "User.ReadWrite.All"
    },
    {
      "adminConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
      "adminConsentDisplayName": "Read all users' full profiles",
      "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
      "isEnabled": true,
      "type": "Admin",
      "userConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
      "userConsentDisplayName": "Read all users' full profiles",
      "value": "User.Read.All"
    },
    ...
  ]
  ...
}
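As an added example (not part of the question or the answers above), here is a small Python script that resolves human-readable permission names against the JSON written by `az ad sp show` and emits a requiredResourceAccess entry for the manifest, so only the permissions you actually name end up in the app. The embedded JSON is a constructed, trimmed sample; the two oauth2Permissions ids are the ones shown above, while the appRoles entry and its id are placeholders assumed for illustration.

```python
import json

# Constructed sample in the shape of `az ad sp show --id 00000003-0000-0000-c000-000000000000`; the
# two oauth2Permissions ids are from the answer above, the appRoles entry is a constructed placeholder.
GRAPH_SP_JSON = """{
  "appDisplayName": "Microsoft Graph",
  "appId": "00000003-0000-0000-c000-000000000000",
  "appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111", "isEnabled": true,
     "allowedMemberTypes": ["Application"], "value": "Directory.Read.All"}
  ],
  "oauth2Permissions": [
    {"id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4", "isEnabled": true,
     "type": "Admin", "value": "User.ReadWrite.All"},
    {"id": "a154be20-db9c-4678-8ab7-66f6cc099a59", "isEnabled": true,
     "type": "Admin", "value": "User.Read.All"}
  ]
}"""


def load_graph_sp():
    """Parse the service principal JSON (in practice: the file written by `az ad sp show`)."""
    return json.loads(GRAPH_SP_JSON)


def _index(entries):
    """Map permission name (the `value` field) to its GUID, skipping disabled entries."""
    return {e["value"]: e["id"] for e in entries if e.get("isEnabled", True) and e.get("value")}


def build_required_resource_access(sp, delegated, application=()):
    """Build one requiredResourceAccess entry: delegated names resolve against
    oauth2Permissions (type "Scope"), application names against appRoles (type "Role").
    An unknown name raises rather than being silently dropped or guessed."""
    scopes, roles = _index(sp.get("oauth2Permissions", [])), _index(sp.get("appRoles", []))
    access = []
    for name in delegated:
        if name not in scopes:
            raise KeyError(f"no delegated permission {name!r} on {sp['appDisplayName']}")
        access.append({"id": scopes[name], "type": "Scope"})
    for name in application:
        if name not in roles:
            raise KeyError(f"no application permission {name!r} on {sp['appDisplayName']}")
        access.append({"id": roles[name], "type": "Role"})
    return {"resourceAppId": sp["appId"], "resourceAccess": access}

if __name__ == "__main__":
    entry = build_required_resource_access(load_graph_sp(), ["User.Read.All"], ["Directory.Read.All"])
    print(json.dumps({"requiredResourceAccess": [entry]}, indent=2))
```

To use it against a real tenant, replace GRAPH_SP_JSON with the contents of microsoft_graph_permission_list.json from the step above; delegated permissions become "Scope" entries and application permissions "Role" entries, which is the distinction the manifest expects.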


Sha*_*izi 5

There are a few things to say about this topic.

First, it is important to note that all OAuth2Permission scopes are registered on the home application object in the developer's tenant. So, in general, you will not have access to that information, because it lives in a tenant of which you are not a user. Therefore, as an external developer, those permission scopes are not discoverable through our API.

Second, you can see that the Azure Portal has access to this information because it has elevated access to query the OAuth2Permissions of all resources across all tenants. This is how our UX is able to populate all the permissions of all the various external and internal resources you want to use in your tenant. The portal first checks the service principals in your tenant (a service principal is most commonly provisioned once you consent to use the application), then it looks up the application object corresponding to that service principal and finds all of its permission scopes. This behavior is meant to let you see only the resource applications relevant to you, rather than filling the screen with every possible resource.

Finally, going forward, we want to take a step back from having to statically register the permissions a client needs to call a resource application. Instead, we will be pushing a new incremental and dynamic consent framework. You will notice that there we rely on the scope names rather than on the ObjectID GUIDs of those permissions, as in the past. However, I still agree with you that the discoverability of the scopes a resource exposes depends largely on its own public documentation. I imagine that in the future there may be an endpoint exposing all scopes available on a particular resource, but I am not aware of any such work in the near future.

Let me know if this helps!

  • I am talking about the resource application. For example, if you are trying to get all the GUIDs for Microsoft Graph (00000003-0000-0000-c000-000000000000), you would need to be a user of the tenant that registered it. If you are trying to get the scopes of an application in a tenant you own, you need to query [OAuth2Permission](https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/entity-and-complex-type-reference#oauth2permission-type). Either way, I made this pastebin for MS Graph: [Scopes CSV](http://pastebin.com/wWqaRUKh) (3 upvotes)