New Azure AD application doesn't work until updated through management portal

Question

I have created a new application in Azure AD using the AAD Graph API. (code)

Unfortunately it doesn't let my client access the requested resources until I have been to the application's configuration page in the Azure management portal and made a cosmetic change, and then saved it. After removing the change and saving again, it still works. The application manifest files before the change + change back steps and after them are completely identical (as in diff.exe says they are the same).

When comparing the JWT tokens returned when the application authenticates, it shows that the post-change access token includes the "roles" section. The entire "roles" section is not present in the access token returned before saving the application in the management portal.

So it seems the Azure management portal does "something" to the application when saving changes. The question is what it is, and can I do the same using the AAD graph API?

Recommended answer

There were several issues. Some bugs in the backend on Azure, which have now been fixed, and also some missing calls to the API which I didn't know were necessary. Thanks to some very helpful people at MS Support, we were able to get it to work.

When creating an application, you need to do the following:

  1. Create an application object.
  2. Set up the RequiredResourceAccess for the application, i.e. which permissions the application has to Azure Graph API etc. This is what is configured in the portal's "permissions to other applications" settings. You can get the necessary GUIDs by configuring the permissions manually, and then looking in the application's AAD manifest file.
  3. Create a service principal for the application.
  4. Add AppRoleAssignments to the service principal.

The final part is what I was missing before. Even though you have configured RequiredResourceAccess on the application object, the service principal still needs the AppRoleAssignments to actually have permission to access the resources.

When creating the AppRoleAssignments it is a little bit tricky to figure out which PrincipalId to assign, since that is the AAD ObjectId of the service principal for the other resource.

Here is a snippet for adding the AppRoleAssignment to access the Azure AD Graph API. client is an ActiveDirectoryClient instance, and sp is the ServicePrincipal for my application:

// find the Azure AD Graph service principal (the resource being accessed)
var aadsp = await client.ServicePrincipals
    .Where(csp => csp.AppId == "00000002-0000-0000-c000-000000000000")
    .ExecuteSingleAsync();

// create the app role assignment
var azureDirectoryReadAssignment = new AppRoleAssignment
{
    PrincipalType = "ServicePrincipal",
    PrincipalId = Guid.Parse(sp.ObjectId), // object ID of my application's service principal
    Id = Guid.Parse("5778995a-e1bf-45b8-affa-663a9f3f4d04"), // id for Directory.Read
    ResourceId = Guid.Parse(aadsp.ObjectId) // azure active directory resource ID
};
// add it to the service principal
sp.AppRoleAssignments.Add(azureDirectoryReadAssignment);
// update the service principal in AAD
await sp.UpdateAsync();

My experience is that you need to wait a short time, maybe 2-3 minutes, before the newly created objects are valid in AAD, and then you can authenticate using the new application.
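
The gap described in this answer can be checked offline from exported JSON. The following is an added example, not part of the original answer or of any Microsoft library: it lists app roles requested in `requiredResourceAccess` that the service principal has no `appRoleAssignment` for, and reads the `roles` claim from an access token. The function names, the two object IDs and the sample token are constructed for illustration; the appId and role id are the ones quoted above.

```python
import base64
import json

AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # appId from the answer
DIRECTORY_READ = "5778995a-e1bf-45b8-affa-663a9f3f4d04"    # role id from the answer

def token_roles(access_token):
    """Return the 'roles' claim of a JWT. No signature check: diagnostics only."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def missing_assignments(required, resource_sp_ids, assignments, principal_id):
    """(resourceAppId, roleId) pairs requested in requiredResourceAccess that the
    service principal `principal_id` has no matching appRoleAssignment for."""
    granted = {(a["resourceId"].lower(), a["id"].lower())
               for a in assignments if a["principalId"].lower() == principal_id.lower()}
    missing = []
    for entry in required:
        resource_sp = resource_sp_ids.get(entry["resourceAppId"].lower())
        for access in entry["resourceAccess"]:
            if access["type"] != "Role":  # "Scope" entries are delegated permissions
                continue
            if resource_sp is None or (resource_sp.lower(), access["id"].lower()) not in granted:
                missing.append((entry["resourceAppId"], access["id"]))
    return missing

def make_token(claims):
    """Build an unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

# Constructed sample data; the two object ids are placeholders, not real values.
MY_SP = "11111111-1111-1111-1111-111111111111"
GRAPH_SP = "22222222-2222-2222-2222-222222222222"
REQUIRED = [{"resourceAppId": AAD_GRAPH_APP_ID,
             "resourceAccess": [{"id": DIRECTORY_READ, "type": "Role"}]}]
SP_IDS = {AAD_GRAPH_APP_ID: GRAPH_SP}
ASSIGNMENT = {"id": DIRECTORY_READ, "principalId": MY_SP,
              "principalType": "ServicePrincipal", "resourceId": GRAPH_SP}

if __name__ == "__main__":
    print("before:", missing_assignments(REQUIRED, SP_IDS, [], MY_SP))
    print("after: ", missing_assignments(REQUIRED, SP_IDS, [ASSIGNMENT], MY_SP))
    print("roles: ", token_roles(make_token({"roles": ["Example.Role"]})))
```

An empty result from `missing_assignments` together with a non-empty `roles` claim corresponds to the working state described in the question; the token decoding here does not validate the signature and is meant for inspection only.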
