是否有任何方法(使用 PowerShell cmdlet 或 Graph API)为 Azure Active Directory 创建 native 应用程序?我正在寻找一种为我的应用程序自动创建环境的方法
最佳答案
您可以使用 Graph API 在您的目录中创建应用程序。这是 PowerShell 脚本。
# Adding the AD library to your PowerShell Session.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
# This is the tenant id of you Azure AD. You can use tenant name instead if you want.
$tenantID = "<your tenant id>"
$authString = "https://login.microsoftonline.com/$tenantID"
# Here, the username must be a user in your organization and with MFA disabled.
# And, it must have permission to create an AD application.
$username = "<your username>"
$password = "<the password of your username>"
# The resource URI for your token.
$resource = "https://graph.windows.net"
# This is the common client id.
$client_id = "1950a258-227b-4e31-a9cf-717495945fc2"
# Create a client credential with the above common client id, username and password.
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" `
-ArgumentList $username,$password
# Create a authentication context with the above authentication string.
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" `
-ArgumentList $authString
# Acquire access token from server.
$authenticationResult = $authContext.AcquireToken($resource,$client_id,$creds)
# Use the access token to setup headers for your http request.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}
# Send a request to create a new AD application.
Invoke-RestMethod -Method POST `
-Uri "https://graph.chinacloudapi.cn/$tenantID/applications?api-version=1.6-internal" `
-Headers $headers -InFile ./application.json
如果“Microsoft.IdentityModel.Clients.ActiveDirectory.dll”位于其他位置,则应修改Add-Type
的路径。
在“application.json”中,您应该指定应用程序的参数。这是一个简单的示例。
{
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"deletionTimestamp": null,
"allowActAsForAllClients": null,
"appBranding": null,
"appCategory": null,
"appData": null,
"appMetadata": {
"version": 0,
"data": []
},
"appRoles": [],
"availableToOtherTenants": false,
"displayName": "nativeClient",
"encryptedMsiApplicationSecret": null,
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": null,
"identifierUris": [],
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [],
"publicClient": true,
"recordConsentConditions": null,
"replyUrls": [
"http://www.microsoft.com"
],
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"supportsConvergence": false
}
“requiredResourceAccess”的设置必须与上面完全相同,否则 Azure 经典门户将无法管理您的应用程序。如果深入查看 Json 文件,您会发现 Native Application 和 Web App Application 共享相同的 API 和属性。只要您保持大部分字段与上述示例相同,Azure 就会为您创建一个 native 应用程序。但是,当然,您可以修改displayName 和replyUrls。
关于azure - 如何通过 Graph API 为 Azure AD 创建新的 native 应用程序,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36753178/