PowerShell - Set-AzureADApplication application permissions for a public client

Time: 2020-04-04 13:00:51

Tags: azure-ad-powershell-v2

Problem description:

Trying to create a daemon application as a PublicClient with the following commands fails. If PublicClient is set to False, it works.

Reproduction:

Connect-AzureAD
$svcprincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

#Microsoft Graph
$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcprincipal.AppId

##Delegated Permissions
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "0e263e50-5827-48a4-b97c-d940288653c7","Scope" #Access Directory as the signed in user

##Application Permissions
$appPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "62a82d76-70ea-41e2-9197-370581804d09","Role" #Read and Write All Groups
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "19dbc75e-c2e2-444c-a770-ec69d8559fc7","Role" #Read and Write directory data

# Attach the delegated scope and the two application roles to the Graph entry
$reqGraph.ResourceAccess = $delPermission1,$appPermission1,$appPermission2

# When PublicClient is set to False, it works.
New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $false -RequiredResourceAccess $reqGraph

# When PublicClient is set to True, it fails.
New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $reqGraph

Error message:

Code: Request_BadRequest
Message: Property requiredResourceAccess.resourceAccess is invalid.
Details: PropertyName - requiredResourceAccess.resourceAccess, PropertyErrorCode - GenericError
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed

Can anyone offer some suggestions or help? Thanks.

1 answer:

Answer 0: (score: 0)

Because you created the Azure AD application as a public client, we cannot configure application permissions for this application. Since these applications are not trusted to keep an application secret safely, they can only access web APIs on behalf of a user. For more details, see the document. Therefore we need to configure delegated permissions for the application. In other words, the type of the permission should be scope.

For example:

Connect-AzureAD

$svcprincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcprincipal.AppId
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "0e263e50-5827-48a4-b97c-d940288653c7","Scope" #Access Directory as the signed in user
$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope" #Sign in and read user profile

# Only delegated scopes ("Scope"), no application roles ("Role"), for a public client
$reqGraph.ResourceAccess = $delPermission1,$delPermission2

New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $reqGraph

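The answer above explains the rule (public clients get delegated scopes only, never application roles) but the API only reports it as a generic Request_BadRequest. The following added example, which is not code from the question or the answer, checks a RequiredResourceAccess set locally before calling New-AzureADApplication and names each application role that would be rejected; it assumes an active Connect-AzureAD session, and Test-PublicClientResourceAccess is a hypothetical helper written for this page.

```powershell
# Added example, not from the question or answer. Assumes an existing
# Connect-AzureAD session; Test-PublicClientResourceAccess is a hypothetical helper.

function Test-PublicClientResourceAccess {
    param(
        [Parameter(Mandatory)] [bool] $PublicClient,
        [Parameter(Mandatory)] [object[]] $RequiredResourceAccess
    )
    $problems = @()
    foreach ($req in $RequiredResourceAccess) {
        # Resolve the resource so permission GUIDs can be reported by name
        $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($req.ResourceAppId)'"
        foreach ($access in $req.ResourceAccess) {
            # Type "Role" = application permission, "Scope" = delegated permission
            if ($PublicClient -and $access.Type -eq 'Role') {
                $role = $sp.AppRoles | Where-Object { $_.Id -eq $access.Id }
                $name = if ($role) { $role.Value } else { $access.Id }
                $problems += "Application permission '$name' on '$($sp.DisplayName)' " +
                             "cannot be assigned to a public client; use a delegated scope."
            }
        }
    }
    return $problems
}

# Rebuild the question's request: one delegated scope plus two application roles
$graph = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq 'Microsoft Graph' }
$reqGraph = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
$reqGraph.ResourceAppId = $graph.AppId
$reqGraph.ResourceAccess = @(
    (New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList '0e263e50-5827-48a4-b97c-d940288653c7', 'Scope'),
    (New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList '62a82d76-70ea-41e2-9197-370581804d09', 'Role'),
    (New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList '19dbc75e-c2e2-444c-a770-ec69d8559fc7', 'Role')
)

$problems = Test-PublicClientResourceAccess -PublicClient $true -RequiredResourceAccess @($reqGraph)
if ($problems) {
    # Fail locally with a readable reason instead of the API's generic Request_BadRequest
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    New-AzureADApplication -DisplayName 'pca-test3' -ReplyUrls 'https://localhost/' `
        -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $reqGraph
}
```

With the two Role entries present the script emits two warnings (Group.ReadWrite.All and Directory.ReadWrite.All) and never calls the API; remove them, or set PublicClient to $false for a confidential daemon app, and the registration proceeds.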