Retrieving Microsoft Graph API permission IDs - delegated/application permission GUIDs for various scopes

Is there a quick and easy way to look up Microsoft Graph API delegated/application permission GUIDs (or even the deprecated Azure AD API permissions)?

I tried following the official documentation, but found it not very intuitive: https://learn.microsoft.com/en-us/graph/permissions-reference

Since the permission names are similar (e.g. group.readwrite.all exists as both a delegated and an application permission), is there any tool or technique to easily find these IDs?

az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:oauth2Permissions}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": "Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user.  Additionally allows group owners to manage their groups and allows group members to update group content.",
"adminConsentDisplayName": "Read and write all groups",
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"value": "Group.ReadWrite.All"
}

This seems to be incorrect, because the correct ID is:

Group_ReadWrite_All = {
id   = "62a82d76-70ea-41e2-9197-370581804d09"
type = "Role"
}

Am I missing something obvious? In particular the Role/Scope distinction, or the delegated vs. application issue?

Query to list all apps:

az ad sp list  --query '[].{appDisplayName:appDisplayName, appId:appId}'

Query the "Microsoft Graph" application to find the "oauth2" "Scope" permission "Group.ReadWrite.All":

az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:oauth2Permissions}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": "Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user.  Additionally allows group owners to manage their groups and allows group members to update group content.",
"adminConsentDisplayName": "Read and write all groups",
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"value": "Group.ReadWrite.All"
}

Query the "Microsoft Graph" application to find the application "Role" permission "Group.ReadWrite.All":

az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:appRoles}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": null,
"adminConsentDisplayName": null,
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"value": "Group.ReadWrite.All"
}
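A small helper that makes the Scope/Role distinction above explicit, added here as an example (it is not code from the thread or from the az CLI): it takes a service principal record in the shape `az ad sp list` returns, resolves a permission name to its GUID under each permission type, and builds a requiredResourceAccess entry from an explicit (name, type) pair so a delegated GUID is never used where an application one is expected. The service principal JSON is a constructed, trimmed sample; the code accepts the list name `oauth2PermissionScopes` (Microsoft Graph's name for delegated permissions) as well as `oauth2Permissions` (the name in the thread's az CLI output).

```python
import json

# Constructed sample in the shape `az ad sp list` / Microsoft Graph return for the
# Microsoft Graph service principal, trimmed to a few entries. The two
# Group.ReadWrite.All GUIDs are the ones quoted in the thread; the User.Read GUID
# is made up. 00000003-0000-0000-c000-000000000000 is Graph's well-known appId.
SP_JSON = """{
  "appDisplayName": "Microsoft Graph",
  "appId": "00000003-0000-0000-c000-000000000000",
  "oauth2PermissionScopes": [
    {"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0", "value": "Group.ReadWrite.All"},
    {"id": "11111111-1111-1111-1111-111111111111", "value": "User.Read"}
  ],
  "appRoles": [
    {"id": "62a82d76-70ea-41e2-9197-370581804d09", "value": "Group.ReadWrite.All"}
  ]
}"""
SP = json.loads(SP_JSON)


def resolve_permission(sp, value):
    """Return {"Scope": guid, "Role": guid} for a permission name.

    Delegated permissions live in oauth2PermissionScopes (older az CLI output
    calls the list oauth2Permissions) and are requested as type "Scope";
    application permissions live in appRoles and are requested as type "Role".
    The same name can appear in both lists with different GUIDs.
    """
    delegated = sp.get("oauth2PermissionScopes") or sp.get("oauth2Permissions") or []
    found = {}
    for kind, entries in (("Scope", delegated), ("Role", sp.get("appRoles") or [])):
        # Case-insensitive: names are often typed as group.readwrite.all.
        ids = [e["id"] for e in entries if e.get("value", "").lower() == value.lower()]
        if ids:
            found[kind] = ids[0]
    return found


def required_resource_access(sp, wanted):
    """Build a requiredResourceAccess entry (app manifest shape) from a list of
    (permission name, "Scope"|"Role") pairs, failing loudly on a name/type pair
    that does not exist rather than silently taking the other type's GUID."""
    access = []
    for name, kind in wanted:
        ids = resolve_permission(sp, name)
        if kind not in ids:
            raise KeyError(f"{name} has no {kind} permission on {sp['appDisplayName']}")
        access.append({"id": ids[kind], "type": kind})
    return {"resourceAppId": sp["appId"], "resourceAccess": access}
```

Against a live tenant, feed it the output of `az ad sp list --all` filtered to the Microsoft Graph entry instead of the constructed sample.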
