New Azure AD application doesn't work until updated through management portal
Question

I have created a new application in Azure AD using the AAD Graph API. (code)

Unfortunately it doesn't let my client access the requested resources until I have been to the application's configuration page in the Azure management portal and made a cosmetic change, and then saved it. After removing the change and saving again, it still works. The application manifest files before the change + change back steps and after them are completely identical (as in diff.exe says they are the same).

When comparing the JWT tokens returned when the application authenticates, it shows that the post-change access token includes the "roles" section. The entire "roles" section is not present in the access token returned before saving the application in the management portal.

So it seems the Azure management portal does "something" to the application when saving changes. The question is what it is, and can I do the same using the AAD graph API?

Recommended answer

There were several issues. Some bugs in the backend on Azure, which have now been fixed, and also some missing calls to the API which I didn't know were necessary. Thanks to some very helpful people at MS Support, we were able to get it to work.

When creating an application, you need to do the following:

  1. Create an application object.
  2. Set up the RequiredResourceAccess for the application, i.e. which permissions the application has to Azure Graph API etc. This is what is configured in the portal's "permissions to other applications" settings. You can get the necessary GUIDs by configuring the permissions manually, and then looking in the application's AAD manifest file.
  3. Create a service principal for the application.
  4. Add AppRoleAssignments to the service principal.

The final part is what I was missing before. Even though you have configured RequiredResourceAccess on the application object, the service principal still needs the AppRoleAssignments to actually have permission to access the resources.

When creating the AppRoleAssignments it is a little bit tricky to figure out which PrincipalId to assign, since that is the AAD ObjectId of the service principal for the other resource.

Here is a snippet for adding the AppRoleAssignment to access the Azure AD Graph API. client is an ActiveDirectoryClient instance, and sp is the ServicePrincipal for my application:

// requires: using System; using Microsoft.Azure.ActiveDirectory.GraphClient;

// find the Azure AD Graph service principal by its AppId
var aadsp = await client.ServicePrincipals
    .Where(csp => csp.AppId == "00000002-0000-0000-c000-000000000000")
    .ExecuteSingleAsync();

// create the app role assignment
var azureDirectoryReadAssignment = new AppRoleAssignment
{
    PrincipalType = "ServicePrincipal",
    PrincipalId = Guid.Parse(sp.ObjectId), // ObjectId of my application's service principal
    Id = Guid.Parse("5778995a-e1bf-45b8-affa-663a9f3f4d04"), // id for Directory.Read
    ResourceId = Guid.Parse(aadsp.ObjectId) // ObjectId of the Azure AD service principal (the resource)
};
// add it to the service principal
sp.AppRoleAssignments.Add(azureDirectoryReadAssignment);
// update the service principal in AAD
await sp.UpdateAsync();

My experience is that you need to wait a short time, maybe 2-3 minutes, before the newly created objects are valid in AAD, and then you can authenticate using the new application.
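The symptom in the question was an access token with no "roles" claim, so the same check confirms the AppRoleAssignments took effect after the wait. This is an added example, not part of the original answer: the tokens are constructed samples, the appid and the role value Directory.Read.All are assumptions for illustration, and the payload is decoded without signature verification, for diagnosis only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.
    Diagnostic use only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def granted_roles(token: str) -> set:
    # An absent "roles" claim means no app role assignment reached the token.
    roles = decode_claims(token).get("roles", [])
    return {roles} if isinstance(roles, str) else set(roles)


def missing_roles(token: str, expected: set) -> set:
    # Roles the application is expected to hold but the token does not carry.
    return set(expected) - granted_roles(token)


def _make_sample_token(claims: dict) -> str:
    # Builds a constructed, unsigned sample token (placeholder signature).
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed samples: before and after the AppRoleAssignment exists.
_BASE = {"aud": "https://graph.windows.net",
         "appid": "11111111-1111-1111-1111-111111111111"}  # assumed app id
TOKEN_BEFORE = _make_sample_token(_BASE)
TOKEN_AFTER = _make_sample_token({**_BASE, "roles": ["Directory.Read.All"]})
EXPECTED = {"Directory.Read.All"}  # assumed role value for illustration

if __name__ == "__main__":
    print("before:", sorted(missing_roles(TOKEN_BEFORE, EXPECTED)))
    print("after: ", sorted(missing_roles(TOKEN_AFTER, EXPECTED)))
```
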
