How to add an owner to an Azure Active Directory application

Date: 2017-04-09 08:59:51

Tags: azure azure-active-directory azure-ad-graph-api

I am registering an AAD application with the following code:

ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await GetAppTokenAsync());

Application application = new Application()
{
    AvailableToOtherTenants = false,
    DisplayName = appName,
    ErrorUrl = null,
    GroupMembershipClaims = null,
    Homepage = "http://" + appName,
    IdentifierUris = new List<string>() { "https://" + appName },
    KeyCredentials = new List<KeyCredential>(),
    KnownClientApplications = new List<Guid>(),
    LogoutUrl = null,
    Oauth2AllowImplicitFlow = false,
    Oauth2AllowUrlPathMatching = false,
    Oauth2Permissions = new List<OAuth2Permission>(),
    Oauth2RequirePostResponse = false,
    // PasswordCredentials = new List<PasswordCredential>(),
    PasswordCredentials = new List<PasswordCredential>(),
    PublicClient = false,
    ReplyUrls = new List<string>(),
    // RequiredResourceAccess = new List<RequiredResourceAccess>(),
    RequiredResourceAccess = new List<RequiredResourceAccess>(),
    SamlMetadataUrl = null,
    ExtensionProperties = new List<ExtensionProperty>(),
    Manager = null,
    ObjectType = "Application",
    DeletionTimestamp = null,
    CreatedOnBehalfOf = null,
    CreatedObjects = new List<DirectoryObject>(),
    DirectReports = new List<DirectoryObject>(),
    Members = new List<DirectoryObject>(),
    MemberOf = new List<DirectoryObject>(),
    Owners = new List<DirectoryObject>(),
    OwnedObjects = new List<DirectoryObject>(),
    Policies = new List<DirectoryObject>()
};

I also have an object of type Microsoft.Azure.ActiveDirectory.GraphClient.User that contains all the information about the user I want to add as an owner of the application.

How do I do that?

What I tried was this:

activeDirectoryClient.Applications.AddApplicationAsync(application).Wait();

ServicePrincipal newServicePrincipal = new ServicePrincipal();
if (application != null)
{
    newServicePrincipal.DisplayName = application.DisplayName;
    newServicePrincipal.AccountEnabled = true;
    newServicePrincipal.AppId = application.AppId;
    newServicePrincipal.Owners.Add(user);

    try
    {
        activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincipal).Wait();
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
    }
}

But when I navigate to the application manually in the Azure portal, the only owner that appears is my own account, not the other account I have in the user variable.

Any idea how to add other owners to the application?

1 answer:

Answer 0 (score: 2)

I can reproduce this issue too. The root cause is that the Azure AD Graph library does not send the owner information when it tries to create the service principal.

If you want to add an owner to the service principal, you can use the following code after the service principal has been created:

var activeDirectoryClient = GraphHelper.CreateGraphClient();
var sp = (ServicePrincipal)activeDirectoryClient.ServicePrincipals.GetByObjectId("4af8365b-1b49-481c-8c47-7b3fab5611fc").ExecuteAsync().Result;
var user = new Users().GetUserByUserName(activeDirectoryClient, "user2@adfei.onmicrosoft.com").Result;
sp.Owners.Add(user);
// Wait for the PATCH to complete; an un-awaited UpdateAsync() may not have been sent before the process exits.
sp.UpdateAsync().Wait();

If you want to add an owner to the application, refer to the following code:

var activeDirectoryClient = GraphHelper.CreateGraphClient();
var app = (Application)activeDirectoryClient.Applications.GetByObjectId("bd87934b-dd4f-446a-a025-7675d1b2464a").ExecuteAsync().Result;
var user = new Users().GetUserByUserName(activeDirectoryClient, "user2@adfei.onmicrosoft.com").Result;
app.Owners.Add(user);
// Wait for the PATCH to complete; an un-awaited UpdateAsync() may not have been sent before the process exits.
app.UpdateAsync().Wait();

For more details about the difference between applications and service principals, please check this document.

If you want the Graph client library to support adding owners at creation time, you can try submitting feedback here.

Update

using System;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static ActiveDirectoryClient CreateGraphClient()
{
    string accessToken = "";
    string tenantId = "";
    string graphResourceId = "https://graph.windows.net";

    Uri servicePointUri = new Uri(graphResourceId);
    Uri serviceRoot = new Uri(servicePointUri, tenantId);

    ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await Task.FromResult(accessToken));

    return activeDirectoryClient;
}

Added a runnable code sample for adding an owner to a service principal: https://github.com/VitorX/AddServicePrincipalWithOwner

UPDATE 2

After running the code sample above, you can capture the result with Fiddler as shown below. We can get the service principal's object id from the response of the request that creates the service principal: (screenshot)

Then we can check the service principal's owners via REST, as shown below: (screenshot)
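Putting the answer's fix together as one helper that adds the owner and then reads the owner list back from the directory (an added example, not code from the question, the answer or the Graph client library). Because owners can manage an application's credentials, reply URLs and permissions, the read-back confirms exactly who holds that right after the change. It assumes the Microsoft.Azure.ActiveDirectory.GraphClient API used on this page, a client built by the answer's CreateGraphClient, and a lookup of the user by UPN in place of the answer's unshown GetUserByUserName helper; the method name AddOwnerAndVerifyAsync is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static class ApplicationOwners
{
    // Hypothetical helper: add the user identified by ownerUpn as an owner of the
    // application with object id appObjectId, then re-read the owners navigation
    // from the directory and return every owner's object id.
    public static async Task<IReadOnlyList<string>> AddOwnerAndVerifyAsync(
        ActiveDirectoryClient client, string appObjectId, string ownerUpn)
    {
        // Resolve the user by UPN (stands in for the answer's GetUserByUserName).
        IPagedCollection<IUser> users = await client.Users
            .Where(u => u.UserPrincipalName == ownerUpn)
            .ExecuteAsync();
        IUser owner = users.CurrentPage.FirstOrDefault()
            ?? throw new InvalidOperationException("User not found: " + ownerUpn);

        // Fetch the application, append the owner link and PATCH it back.
        // await (rather than .Result/.Wait()) avoids deadlocks under UI or ASP.NET
        // synchronization contexts and guarantees the update is sent before we verify.
        var app = (Application)await client.Applications
            .GetByObjectId(appObjectId).ExecuteAsync();
        app.Owners.Add((IDirectoryObject)owner);
        await app.UpdateAsync();

        // Verify from the directory, not from the local object: walk every page of
        // the owners navigation so a long owner list is not silently truncated.
        var ownerIds = new List<string>();
        IPagedCollection<IDirectoryObject> page = await client.Applications
            .GetByObjectId(appObjectId).Owners.ExecuteAsync();
        while (page != null)
        {
            ownerIds.AddRange(page.CurrentPage.Select(o => o.ObjectId));
            page = page.MorePagesAvailable ? await page.GetNextPageAsync() : null;
        }

        if (!ownerIds.Contains(owner.ObjectId))
            throw new InvalidOperationException("Owner was not persisted: " + ownerUpn);
        return ownerIds;
    }
}
```

The same pattern applies to a service principal by swapping client.Applications for client.ServicePrincipals and the Application cast for ServicePrincipal. Review the returned list against the owners you expect, since every entry can rotate the app's secrets.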