PowerShell Azure AD application registration permissions: New-AzureADApplication -RequiredResourceAccess



I have a problem with the code below. I am trying to use the -RequiredResourceAccess property of New-AzureADApplication to assign the following permissions to an application registration in Azure AD. I keep getting an invalid value for $reqGraph?

Please help?

New-AzureADApplication : Error occurred while executing NewApplication
Code: Request_BadRequest
Message: Invalid value specified for property 'resourceAppId' of resource 'RequiredResourceAccess'.
RequestId: 5bf5ea5-8f94-4d14-8e8d-8f12a92bf3e5
DateTimeStamp: Monday, May 17, 2021 07:12:02 GMT
Details: PropertyName - resourceAppId, PropertyErrorCode - InvalidValue
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed

$appName = "Test" # Maximum 32 characters
$adalUrlIdentifier = "https://abc.dk/AADGuestLifecycleMgmt"
$appReplyUrl = "https://www.abc.dk"
$pwd = Read-Host -Prompt 'Enter a secure password for your certificate!'
$certStore = "Cert:\CurrentUser\My"
$currentDate = Get-Date
$endDate = $currentDate.AddYears(10) # 10 years is nice and long
$thumb = (New-SelfSignedCertificate -DnsName "abc.dk" -CertStoreLocation $certStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $endDate).Thumbprint
$thumb > cert-thumb.txt # Save to file
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "$certStore\$thumb" -FilePath .\AzureADGuestLifecycleMgmt.pfx -Password $pwd
$path = (Get-Item -Path ".").FullName
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("$path\AzureADGuestLifecycleMgmt.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Install-Module AzureAD
Import-Module AzureAD
# Connect to Azure AD as an admin account
Connect-AzureAD 
# Store tenantid
$tenant = Get-AzureADTenantDetail
$tenant.ObjectId > tenantid.txt
# Add AuditLog.Read.All access
$svcPrincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Microsoft Graph" }
$appRole = $svcPrincipal.AppRoles | ? { $_.Value -eq "AuditLog.Read.All" }
$appPermission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole.Id)", "Role"
#Add Directory.ReadWrite.All access
$appRole2 = $svcPrincipal.AppRoles | ? { $_.Value -eq "Directory.ReadWrite.All" }
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole2.Id)", "Role"
$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcPrincipal.AppId
$reqGraph.ResourceAccess = $appPermission, $appPermission2
Write-Host $reqGraph
# Create Azure Active Directory Application (ADAL App)
$application = New-AzureADApplication -DisplayName "$appName" -IdentifierUris $adalUrlIdentifier -ReplyUrls $appReplyUrl -RequiredResourceAccess $reqGraph
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "$appName" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -StartDate $currentDate -EndDate $endDate.AddDays(-1)

It seems that more than one application registration in your tenant has a name containing "Microsoft Graph". That causes you to get a wrong $svcPrincipal.AppId (in this case it is probably a combination of several application IDs).

Please set $reqGraph.ResourceAppId = "00000003-0000-0000-c000-000000000000" directly.

00000003-0000-0000-c000-000000000000 is the application ID of the Microsoft Graph application; it is a fixed value.

Here is the correct code, using $_.DisplayName -eq "Microsoft Graph":

$appName = "Test" # Maximum 32 characters
$adalUrlIdentifier = "https://abc.dk/AADGuestLifecycleMgmt"
$appReplyUrl = "https://www.abc.dk"
$pwd = Read-Host -Prompt 'Enter a secure password for your certificate!'
$certStore = "Cert:\CurrentUser\My"
$currentDate = Get-Date
$endDate = $currentDate.AddYears(10) # 10 years is nice and long
$thumb = (New-SelfSignedCertificate -DnsName "abc.dk" -CertStoreLocation $certStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $endDate).Thumbprint
$thumb > cert-thumb.txt # Save to file
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "$certStore\$thumb" -FilePath .\AzureADGuestLifecycleMgmt.pfx -Password $pwd
$path = (Get-Item -Path ".").FullName
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("$path\AzureADGuestLifecycleMgmt.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Install-Module AzureAD
Import-Module AzureAD
# Connect to Azure AD as an admin account
Connect-AzureAD 
# Store tenantid
$tenant = Get-AzureADTenantDetail
$tenant.ObjectId > tenantid.txt
# Add AuditLog.Read.All access
$svcPrincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$appRole = $svcPrincipal.AppRoles | ? { $_.Value -eq "AuditLog.Read.All" }
$appPermission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole.Id)", "Role"
#Add Directory.ReadWrite.All access
$appRole2 = $svcPrincipal.AppRoles | ? { $_.Value -eq "Directory.ReadWrite.All" }
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole2.Id)", "Role"
$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcPrincipal.AppId
$reqGraph.ResourceAccess = $appPermission, $appPermission2
Write-Host $reqGraph
# Create Azure Active Directory Application (ADAL App)
$application = New-AzureADApplication -DisplayName "$appName" -IdentifierUris $adalUrlIdentifier -ReplyUrls $appReplyUrl -RequiredResourceAccess $reqGraph
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "$appName" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -StartDate $currentDate -EndDate $endDate.AddDays(-1)
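The root cause in both the question and the answer is that the Microsoft Graph service principal was looked up by display name, so a second match turned $svcPrincipal.AppId into a list and the resulting ResourceAppId was not a single GUID. The following is an added example, not code from the question or the answer: it resolves the service principal by the fixed Microsoft Graph AppId quoted in the answer, fails loudly if anything other than exactly one principal or one app role comes back, and validates the RequiredResourceAccess object before New-AzureADApplication is called. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the function names Get-GraphRequiredResourceAccess and Test-RequiredResourceAccess are my own.

```powershell
# Added example (not from the question or the answer). Assumes: AzureAD module imported,
# Connect-AzureAD already done as an admin. Function names are hypothetical.

$graphAppId = "00000003-0000-0000-c000-000000000000"   # fixed AppId of Microsoft Graph, as stated in the answer

function Get-GraphRequiredResourceAccess {
    param(
        [Parameter(Mandatory)] [string[]] $RoleValues,   # application permission names, e.g. "AuditLog.Read.All"
        [string] $ResourceAppId = $graphAppId
    )

    # Filter on appId, not DisplayName: DisplayName -match "Microsoft Graph" can return several
    # service principals, and $svcPrincipal.AppId then becomes a list, which is what produced
    # "Invalid value specified for property 'resourceAppId'" in the question.
    $sp = @(Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'")
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal with appId $ResourceAppId, got $($sp.Count)"
    }
    $sp = $sp[0]

    $access = foreach ($value in $RoleValues) {
        # AppRoles are application permissions (type "Role"); delegated permissions would be
        # Oauth2Permissions with type "Scope". Insist on exactly one role per requested value.
        $role = @($sp.AppRoles | Where-Object { $_.Value -eq $value })
        if ($role.Count -ne 1) {
            throw "App role '$value' not found (or ambiguous) on $($sp.DisplayName)"
        }
        New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $role[0].Id, "Role"
    }

    $req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $req.ResourceAppId  = $sp.AppId          # a single GUID, never a concatenation
    $req.ResourceAccess = @($access)
    return $req
}

function Test-RequiredResourceAccess {
    param([Parameter(Mandatory)] $Req)
    # ResourceAppId and every ResourceAccess.Id must parse as a single GUID; a value built from
    # several AppIds fails here before the API call does, with a clearer message.
    $g = [guid]::Empty
    if (-not [guid]::TryParse([string]$Req.ResourceAppId, [ref]$g)) {
        throw "ResourceAppId '$($Req.ResourceAppId)' is not a single GUID"
    }
    foreach ($ra in $Req.ResourceAccess) {
        if (-not [guid]::TryParse([string]$ra.Id, [ref]$g)) {
            throw "ResourceAccess Id '$($ra.Id)' is not a GUID"
        }
        if ($ra.Type -notin @("Role", "Scope")) {
            throw "ResourceAccess Type '$($ra.Type)' must be 'Role' or 'Scope'"
        }
    }
    return $true
}

# Usage: the same two application permissions the question requests. Directory.ReadWrite.All
# is a tenant-wide write permission, so confirm the app really needs it before admin consent is granted.
$reqGraph = Get-GraphRequiredResourceAccess -RoleValues "AuditLog.Read.All", "Directory.ReadWrite.All"
Test-RequiredResourceAccess -Req $reqGraph | Out-Null

$application = New-AzureADApplication -DisplayName "Test" -RequiredResourceAccess $reqGraph

# Review what was actually registered: one entry for Microsoft Graph with two Role-type accesses.
foreach ($rra in $application.RequiredResourceAccess) {
    Write-Host "ResourceAppId: $($rra.ResourceAppId)"
    $rra.ResourceAccess | Format-Table Id, Type
}
```

Get-AzureADServicePrincipal -Filter with an OData appId comparison returns at most one principal per tenant, so the -match ambiguity cannot recur; the explicit count checks are there so a typo in a permission name or an unexpected duplicate stops the script instead of silently registering a wrong or empty permission set.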
