Azure 广告应用程序 - 以编程方式更新清单

Question

我试图找到一种方法来使用 json 文件通过 powershell 更新 Azure Ad 注册应用程序的清单。

Json 文件包含所有应用程序角色，我想简单地将应用程序角色：[] 注入应用程序角色括号中

有没有办法通过电源外壳或 CLI 实现这一点？

Answer 1

是的，您可以通过 PowerShell 更新 Azure AD 应用程序的清单。

专门添加应用程序角色，这里有一个 PowerShell 脚本。

如果您在创建新应用程序时尝试执行此操作，只需使用New-AzureADApplication代替Set-AzureADApplication。

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User");
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

Answer 2

请记住，Azure AD 门户中显示的“清单”只不过是应用程序对象的轻度约束表示，如 Azure AD Graph API 公开的：https://msdn.microsoft.com/库/Azure/广告/图形/api/entity-and-complex-type-reference#application-entity

Azure AD PowerShell（AzureAD 模块）只是同一 API 的简单包装器。New‑AzureADApplication执行POSTon /applications、Get‑AzureADApplication执行 a GET、Set‑AzureADApplication执行 aPATCH和Remove‑AzureADApplication执行 a DELETE。

因此，请记住这一点，考虑以下输入文件app-roles.json：

[
    {
        "allowedMemberTypes": [ "Application" ],
        "description": "Read some things in the My App service",
        "displayName": "Read some things",
        "id": "b2b2e6de-bb42-41b4-92db-fda89218b5ae",
        "isEnabled": true,
        "value": "Things.Read.Some"
    },
    {
        "allowedMemberTypes": [ "User" ],
        "description": "Super admin role for My App",
        "displayName": "My App Super Admin",
        "id": "a01eca9b-0c55-411d-aa5f-d8cfdbadf500",
        "isEnabled": true,
        "value": "super_admin"
    }
]

您可以使用以下脚本在应用程序上设置这些应用程序角色（请注意，这将删除任何现有的应用程序角色，这将导致错误，因为它们之前未被禁用）：

$appId = "{app-id}"
$pathToAppRolesJson = "app-roles.json"

# Read all desired app roles from JSON file
$appRolesFromJson = Get-Content -Path $pathToAppRolesJson -Raw | ConvertFrom-Json

# Build a new list of Azure AD PowerShell AppRole objects
$appRolesForApp = @()
$appRolesFromJson | ForEach-Object {

    # Create new Azure AD PowerShell AppRole object for each app role
    $appRole = New-Object "Microsoft.Open.AzureAD.Model.AppRole"
    $appRole.AllowedMemberTypes = $_.allowedMemberTypes
    $appRole.Description = $_.description
    $appRole.DisplayName = $_.displayName
    $appRole.Id = $_.id
    $appRole.IsEnabled = $_.isEnabled
    $appRole.Value = $_.value

    # Add to the list of app roles
    $appRolesForApp += $appRole
}

# Update the Application object with the new list of app roles
$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $appId)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRolesForApp