問題描述

我使用 AAD Graph API 在 Azure AD 中創(chuàng)建了一個新應(yīng)用程序.(代碼)

I have created a new application in Azure AD using the AAD Graph API. (code)

不幸的是，在我訪問 Azure 管理門戶中的應(yīng)用程序配置頁面并進(jìn)行外觀更改并保存之前，它不允許我的客戶端訪問請求的資源.刪除更改并再次保存后，它仍然有效.更改 + 回退步驟之前和之后的應(yīng)用程序清單文件完全相同(正如 diff.exe 中所說的一樣).

Unfortunately it doesn't let my client access the requested resources until I have been to the application's configuration page in the Azure management portal and made a cosmetic change, and then saved it. After removing the change and saving again, it still works. The application manifest files before the change + change back steps and after them are completely identical (as in diff.exe says they are the same).

比較應(yīng)用程序認(rèn)證時返回的 JWT 令牌時，表明更改后訪問令牌包含角色"部分.在將應(yīng)用程序保存到管理門戶之前返回的訪問令牌中不存在整個角色"部分.

When comparing the JWT tokens returned when the application authenticates, it shows that the post-change access token includes the "roles" section. The entire "roles" section is not present in the access token returned before saving the application in the management portal.

因此，在保存更改時，Azure 管理門戶似乎對應(yīng)用程序做了某些事情".問題是它是什么，我可以使用 AAD 圖形 API 做同樣的事情嗎?

So it seems the Azure management portal does "something" to the application when saving changes. The question is what it is, and can I do the same using the AAD graph API?

推薦答案

有幾個問題.Azure 后端的一些錯誤，現(xiàn)在已經(jīng)修復(fù)，還有一些我不知道的對 API 的缺失調(diào)用是必要的.多虧了 MS Support 的一些非常樂于助人的人，我們才得以讓它發(fā)揮作用.

There were several issues. Some bugs in the backend on Azure, which have now been fixed, and also some missing calls to the API which I didn't know were necessary. Thanks to some very helpful people at MS Support, we were able to get it to work.

在創(chuàng)建應(yīng)用程序時，您需要執(zhí)行以下操作:

When creating an application, you need to do the following:

1. 創(chuàng)建一個 應(yīng)用程序?qū)ο?
2. 設(shè)置 RequiredResourceAccess，即.應(yīng)用程序?qū)?Azure Graph API 等具有哪些權(quán)限.這是在門戶的對其他應(yīng)用程序的權(quán)限"設(shè)置中配置的內(nèi)容.您可以通過手動配置權(quán)限來獲取必要的 GUID，然后查看應(yīng)用程序的 AAD 清單文件.
3. 創(chuàng)建一個 應(yīng)用程序的服務(wù)主體.
4. 添加 AppRoleAssignments 到服務(wù)主體.

1. Create an application object.
2. Setup the RequiredResourceAccess for the application, ie. which permissions the appliation has to Azure Graph API etc. This is what is configured in the portal's "permissions to other applications" settings. You can get the necessary GUIDs by configuring the permissions manually, and then looking in the application's AAD manifest file.
3. Create a service principal for the application.
4. Add AppRoleAssignments to the service principal.

最后一部分是我之前缺少的.即使您在應(yīng)用程序?qū)ο笊吓渲昧薘equiredResourceAccess，服務(wù)主體仍然需要 AppRoleAssignments 才能真正擁有訪問資源的權(quán)限.

The final part is what I was missing before. Even though you have configured RequiredResourceAccess on the application object, the service principal still needs the AppRoleAssignments to actually have permission to access the resources.

在創(chuàng)建 AppRoleAssignments 時，要確定要分配哪個 PrincipalId 有點(diǎn)棘手，因為那是其他資源的服務(wù)主體的 AAD ObjectId.

When creating the AppRoleAssignments it is a little bit tricky to figure out which PrincipalId to assign, since that is the AAD ObjectId of the service principal for the other resource.

這里是添加 AppRoleAssignment 以訪問 Azure AD Graph API 的片段.client 是一個 ActiveDirectoryClient實例，而 sp 是我的應(yīng)用程序的 ServicePrincipal:

Here is a snippet for adding the AppRoleAssignment to access the Azure AD Graph API. client is an ActiveDirectoryClient instance, and sp is the ServicePrincipal for my application:

// find the azure ad service principal
var aadsp =
     client.ServicePrincipals.Where(csp => csp.AppId == "00000002-0000-0000-c000-000000000000")
     .ExecuteSingleAsync().Result;

// create the app role assignment
var azureDirectoryReadAssignment = new AppRoleAssignment
{
    PrincipalType = "ServicePrincipal",
    PrincipalId = Guid.Parse(sp.ObjectId), //
    Id = Guid.Parse("5778995a-e1bf-45b8-affa-663a9f3f4d04"), // id for Directory.Read
    // azure active directory resource ID
    ResourceId = Guid.Parse(aadsp.ObjectId) // azure active directory resource ID
};
// add it to the service principal
sp.AppRoleAssignments.Add(azureDirectoryReadAssignment);
// update the service principal in AAD
await sp.UpdateAsync();

我的經(jīng)驗是，在新創(chuàng)建的對象在 AAD 中有效之前，您需要等待很短的時間，可能是 2-3 分鐘，然后您才能使用新應(yīng)用程序進(jìn)行身份驗證.

My experience is that you need to wait a short time, maybe 2-3 minutes, before the newly created objects are valid in AAD, and then you can authenticate using the new application.

這篇關(guān)于新的 Azure AD 應(yīng)用程序在通過管理門戶更新之前無法運(yùn)行的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！