Unable to set the OAuth2Permissions of an Azure application registration with Graph PowerShell



What is the correct format for the value used to set OAuth2Permissions in the Update-MgApplication/New-MgApplication cmdlets (to update the scopes defined in the "Expose an API" section of the app registration's page)?

From the documentation it appears that the oauth2PermissionScope objects need to be set via the -Api parameter, using an IMicrosoftGraphApiApplication object that contains an IMicrosoftGraphPermissionScope[] object/array of oauth2PermissionScope objects.

This is what I tried:

    $appRegName = "My App Reg"
    $userConsentDisplayName = "Access $($appRegName)"
    $userConsentDescription = "Allow the application to access $($appRegName) on your behalf."
    $adminConsentDisplayName = "Access $($appRegName)"
    $adminConsentDescription = "Allow the application to access $($appRegName) on behalf of the signed-in user."
    $oauth2PermissionsScopes = @{
        Oauth2PermissionScopes = @{
            AdminConsentDescription = $adminConsentDescription
            AdminConsentDisplayName = $adminConsentDisplayName
            UserConsentDescription  = $userConsentDescription
            UserConsentDisplayName  = $userConsentDisplayName
        }
    }
    $api = @{
        Api = $oauth2PermissionsScopes
    }
    Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $api
    #^Causes this error: "A resource without a type name was found, but no expected type was specified. To allow entries without type information, the expected type must also be specified when the model is specified."
    $oauth2PermissionsScopes = @{
        Oauth2PermissionScopes = @{
            AdminConsentDescription = $adminConsentDescription
            AdminConsentDisplayName = $adminConsentDisplayName
            UserConsentDescription  = $userConsentDescription
            UserConsentDisplayName  = $userConsentDisplayName
        }
    }
    Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $oauth2PermissionsScopes
    #^This doesn't generate an error, but nothing is set. The body of the PATCH request shows as (and generates a 204 No Content response):
    #{
    #  "api": {
    #    "oauth2PermissionScopes": [ ]
    #  }
    #}

What is wrong with my formatting or with my use of the cmdlet parameters?

ApiApplication has the property Oauth2PermissionScopes, which is an array of IMicrosoftGraphPermissionScope.

You need to build a hashtable with an array:

    $apiApplication = @{
        oauth2PermissionScopes = @(
            # first item
            @{
                AdminConsentDescription = $adminConsentDescription
                AdminConsentDisplayName = $adminConsentDisplayName
                UserConsentDescription  = $userConsentDescription
                UserConsentDisplayName  = $userConsentDisplayName
            }
        )
    }
    Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $apiApplication

To verify, you can run $apiApplication | ConvertTo-Json to check what the JSON looks like.

    {
        "oauth2PermissionScopes": [
            {
                "UserConsentDescription":  null,
                "AdminConsentDescription":  null,
                "AdminConsentDisplayName":  null,
                "UserConsentDisplayName":  null
            }
        ]
    }

Similarly for New-MgApplication:

    $params = @{
        DisplayName = "My App"
        Api = @{
            Oauth2PermissionScopes = @(
                @{
                    AdminConsentDescription = $adminConsentDescription
                    AdminConsentDisplayName = $adminConsentDisplayName
                    UserConsentDescription  = $userConsentDescription
                    UserConsentDisplayName  = $userConsentDisplayName
                }
            )
        }
    }
    New-MgApplication -BodyParameter $params

Correcting the format of the parameter so that it is a proper hashtable (per @user2250152's answer) was a partial fix. The main problem when setting OAuth2 permission scopes that do not yet exist on the application registration is that additional properties have to be set besides the *Description and *DisplayName fields (Id, IsEnabled, Type and Value are also required):

    $apiApplication = @{
        oauth2PermissionScopes = @(
            @{
                AdminConsentDescription = $adminConsentDescription
                AdminConsentDisplayName = $adminConsentDisplayName
                UserConsentDescription  = $userConsentDescription
                UserConsentDisplayName  = $userConsentDisplayName
                Id                      = New-Guid
                IsEnabled               = $true
                Type                    = "User"
                Value                   = "user_impersonation"
            }
        )
    }
    #$clientAadApplication variable is set 'off-script' (must use the Id of the Application Registration set to that variable from Get-MgApplication or as a result of New-MgApplication)
    Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $apiApplication
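As an added example (not code from the question or from either answer), the following function appends one new delegated scope to an existing registration without discarding the scopes already defined there, then reads the application back to confirm the scope was actually persisted. It assumes the Microsoft.Graph.Applications module and a Connect-MgGraph session with Application.ReadWrite.All; the function name, its parameters and the '<app object id>' placeholder are mine.

```powershell
function Add-AppOAuth2Scope {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,   # object id of the app registration
        [Parameter(Mandatory)] [string] $Value,           # scope name, e.g. user_impersonation
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Description,
        [ValidateSet("User", "Admin")] [string] $Type = "User"  # who is allowed to consent
    )
    $app = Get-MgApplication -ApplicationId $ApplicationId

    # PATCHing api.oauth2PermissionScopes replaces the whole collection, so start
    # from the scopes that already exist instead of from an empty array.
    $scopes = @($app.Api.Oauth2PermissionScopes | ForEach-Object {
        @{
            Id                      = $_.Id
            IsEnabled               = $_.IsEnabled
            Type                    = $_.Type
            Value                   = $_.Value
            AdminConsentDisplayName = $_.AdminConsentDisplayName
            AdminConsentDescription = $_.AdminConsentDescription
            UserConsentDisplayName  = $_.UserConsentDisplayName
            UserConsentDescription  = $_.UserConsentDescription
        }
    })
    if ($scopes | Where-Object { $_.Value -eq $Value }) {
        throw "Scope '$Value' already exists on application $ApplicationId"
    }
    # All of these properties are required for a new scope (see the answer above).
    $scopes += @{
        Id                      = (New-Guid).Guid
        IsEnabled               = $true
        Type                    = $Type
        Value                   = $Value
        AdminConsentDisplayName = $DisplayName
        AdminConsentDescription = $Description
        UserConsentDisplayName  = $DisplayName
        UserConsentDescription  = $Description
    }
    Update-MgApplication -ApplicationId $ApplicationId -Api @{ Oauth2PermissionScopes = $scopes }

    # A 204 alone proves nothing (as the question shows), so read the object back.
    $after = Get-MgApplication -ApplicationId $ApplicationId
    $added = $after.Api.Oauth2PermissionScopes | Where-Object { $_.Value -eq $Value }
    if (-not $added) { throw "Scope '$Value' was not persisted" }
    return $added
}

# '<app object id>' is a placeholder: use the Id returned by Get-MgApplication or New-MgApplication.
Add-AppOAuth2Scope -ApplicationId '<app object id>' -Value 'user_impersonation' `
    -DisplayName 'Access My App Reg' -Description 'Allow the application to access My App Reg on your behalf.'
```

Because the PATCH replaces the collection, the same pattern (read, modify the copied array, write back) is also the safe way to disable or rename a scope later; Graph rejects removing a scope that is still enabled, so set IsEnabled to $false in one update before dropping it in the next.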
