PowerShell AzureAD app registration permissions: New-AzureADApplication -RequiredResourceAccess

Time: 2021-05-17 07:59:23

Tags: powershell azure-active-directory azure-ad-graph-api

I am running into a problem with the code below. I am trying to assign the following permissions to an app registration in AzureAD using the -RequiredResourceAccess parameter of New-AzureADApplication. I keep getting an invalid $reqGraph value?

Please help?

Error:

New-AzureADApplication : Error occurred while executing NewApplication Code: Request_BadRequest Message: Invalid value specified for property 'resourceAppId' of resource 'RequiredResourceAccess'. RequestId: 5abf5ea5-8f94-4d14-8e8d-8f12a92bf3e5 DateTimeStamp: Mon, 17 May 2021 07:12:02 GMT Details: PropertyName - resourceAppId, PropertyErrorCode - InvalidValue HttpStatusCode: BadRequest HttpStatusDescription: Bad Request HttpResponseStatus: Completed

Code:

$appName = "Test" # Maximum 32 characters
$adalUrlIdentifier = "https://abc.dk/AADGuestLifecycleMgmt"
$appReplyUrl = "https://www.abc.dk"
$pwd = Read-Host -Prompt 'Enter a secure password for your certificate!'
$certStore = "Cert:\CurrentUser\My"
$currentDate = Get-Date
$endDate = $currentDate.AddYears(10) # 10 years is nice and long
$thumb = (New-SelfSignedCertificate -DnsName "abc.dk" -CertStoreLocation $certStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $endDate).Thumbprint
$thumb > cert-thumb.txt # Save to file
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "$certStore\$thumb" -FilePath .\AzureADGuestLifecycleMgmt.pfx -Password $pwd
$path = (Get-Item -Path ".\").FullName
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("$path\AzureADGuestLifecycleMgmt.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

Install-Module AzureAD
Import-Module AzureAD
# Connect to Azure AD as an admin account
Connect-AzureAD 

# Store tenantid
$tenant = Get-AzureADTenantDetail
$tenant.ObjectId > tenantid.txt

# Add AuditLog.Read.All access
$svcPrincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Microsoft Graph" }
$appRole = $svcPrincipal.AppRoles | ? { $_.Value -eq "AuditLog.Read.All" }
$appPermission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole.Id)", "Role"

#Add Directory.ReadWrite.All access
$appRole2 = $svcPrincipal.AppRoles | ? { $_.Value -eq "Directory.ReadWrite.All" }
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole2.Id)", "Role"

$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcPrincipal.AppId
$reqGraph.ResourceAccess = $appPermission, $appPermission2

Write-Host $reqGraph

# Create Azure Active Directory Application (ADAL App)
$application = New-AzureADApplication -DisplayName "$appName" -IdentifierUris $adalUrlIdentifier -ReplyUrls $appReplyUrl -RequiredResourceAccess $reqGraph
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "$appName" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -StartDate $currentDate -EndDate $endDate.AddDays(-1)

2 Answers:

Answer 0 (score: 0)

It looks like there are multiple app registrations in your tenant whose name contains "Microsoft Graph". That causes you to get a wrong $svcPrincipal.AppId (in this case it is probably a combination of several app IDs).

Please set $reqGraph.ResourceAppId = "00000003-0000-0000-c000-000000000000" directly.

00000003-0000-0000-c000-000000000000 is the app ID of the Microsoft Graph application and is a fixed value.

Answer 1 (score: 0)

Here is the corrected code, using $_.DisplayName -eq "Microsoft Graph":

$appName = "Test" # Maximum 32 characters
$adalUrlIdentifier = "https://abc.dk/AADGuestLifecycleMgmt"
$appReplyUrl = "https://www.abc.dk"
$pwd = Read-Host -Prompt 'Enter a secure password for your certificate!'
$certStore = "Cert:\CurrentUser\My"
$currentDate = Get-Date
$endDate = $currentDate.AddYears(10) # 10 years is nice and long
$thumb = (New-SelfSignedCertificate -DnsName "abc.dk" -CertStoreLocation $certStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $endDate).Thumbprint
$thumb > cert-thumb.txt # Save to file
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "$certStore\$thumb" -FilePath .\AzureADGuestLifecycleMgmt.pfx -Password $pwd
$path = (Get-Item -Path ".\").FullName
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("$path\AzureADGuestLifecycleMgmt.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

Install-Module AzureAD
Import-Module AzureAD
# Connect to Azure AD as an admin account
Connect-AzureAD 

# Store tenantid
$tenant = Get-AzureADTenantDetail
$tenant.ObjectId > tenantid.txt

# Add AuditLog.Read.All access
$svcPrincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$appRole = $svcPrincipal.AppRoles | ? { $_.Value -eq "AuditLog.Read.All" }
$appPermission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole.Id)", "Role"

#Add Directory.ReadWrite.All access
$appRole2 = $svcPrincipal.AppRoles | ? { $_.Value -eq "Directory.ReadWrite.All" }
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole2.Id)", "Role"

$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcPrincipal.AppId
$reqGraph.ResourceAccess = $appPermission, $appPermission2

Write-Host $reqGraph

# Create Azure Active Directory Application (ADAL App)
$application = New-AzureADApplication -DisplayName "$appName" -IdentifierUris $adalUrlIdentifier -ReplyUrls $appReplyUrl -RequiredResourceAccess $reqGraph
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "$appName" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -StartDate $currentDate -EndDate $endDate.AddDays(-1)
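Both answers point at the same root cause: `-match "Microsoft Graph"` can return several service principals, so `$svcPrincipal.AppId` becomes a list of GUIDs and `resourceAppId` is rejected. The following is an added example, not code from the question or either answer. It looks the Microsoft Graph service principal up by its fixed AppId (the value given in answer 0), resolves each app role by name with a hard failure if the lookup is ambiguous or the role does not exist, and reads the stored permissions back after creation. It assumes the AzureAD module is installed and `Connect-AzureAD` has already been run; the display name "Test" and the role list are placeholders.

```powershell
# Added example (not from the original question or answers).
# Assumes: AzureAD module installed, Connect-AzureAD already run as an admin.

# The Microsoft Graph application ID is identical in every tenant.
$graphAppId = "00000003-0000-0000-c000-000000000000"

# Filter server-side on AppId; a DisplayName match can return several principals.
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
if (@($graphSp).Count -ne 1) {
    throw "Expected exactly one Microsoft Graph service principal, got $(@($graphSp).Count)."
}

# Application permissions (Type = "Role") to request. Directory.ReadWrite.All is a
# tenant-wide write permission; request only what the app genuinely needs.
$requestedRoles = @("AuditLog.Read.All", "Directory.ReadWrite.All")   # placeholder list

$resourceAccess = foreach ($roleValue in $requestedRoles) {
    # Only app roles that applications may hold are valid for Type = "Role".
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains "Application"
    }
    if (@($role).Count -ne 1) {
        throw "App role '$roleValue' not found (or ambiguous) on Microsoft Graph; check the permission name."
    }
    New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $role.Id, "Role"
}

$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId  = $graphSp.AppId   # one GUID string, never an array
$reqGraph.ResourceAccess = $resourceAccess

# Guard before the API call: the Request_BadRequest in the question is what you get
# when ResourceAppId is not a single GUID.
$null = [Guid]::Parse($reqGraph.ResourceAppId)

$application = New-AzureADApplication -DisplayName "Test" -RequiredResourceAccess $reqGraph

# Verify what was actually stored, translating role IDs back to their names.
$stored = (Get-AzureADApplication -ObjectId $application.ObjectId).RequiredResourceAccess
foreach ($rra in $stored) {
    foreach ($ra in $rra.ResourceAccess) {
        $name = ($graphSp.AppRoles | Where-Object { $_.Id -eq $ra.Id }).Value
        Write-Host "$($rra.ResourceAppId) : $($ra.Type) $name"
    }
}
```

Two caveats a practitioner should keep in mind. RequiredResourceAccess only records which permissions the app requests; an administrator still has to grant admin consent before tokens carrying these application roles are issued, so a script that completes without error has not yet given the app any access. And a self-signed certificate valid for ten years, as in the posted scripts, means a leaked PFX stays usable for a decade; shorter lifetimes with rotation limit that exposure.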