本文介绍了如何使用 Powershell 脚本在 Azure Active Directory 的清单下添加应用角色的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我手动创建了 Azure Active Directory 应用程序.我想通过 PowerShell 脚本添加用户并分配用户角色.

I have created Azure Active Directory application manually. I want to add user and assign the user roles through PowerShell script.

我可以使用 PowerShell 脚本添加用户,但无法在 azure Active Directory 应用程序的清单下添加应用角色.

I am able to add user with the PowerShell script but not able to add app roles under manifest in azure active directory application.

是否可以通过 PowerShell 脚本添加应用角色?

Is it possible to add app role through PowerShell script?

推荐答案

您可以在使用 New-AzureADApplication 创建新应用程序或使用 Set-AzureADApplication 为现有应用程序创建新应用程序时执行此操作.我没有看到专门用于添加/删除角色的命令,这就是上述两个选项的原因.

You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication. I don't see a command specifically to add/remove just the roles and that's why the above two options.

这是一个用于将新应用角色添加到现有注册应用程序的示例 PowerShell 脚本:

Here's an example PowerShell script for adding a new app role to an existing registered application:

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User");
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

完成上述脚本以添加 AppRole 后,为用户分配角色非常简单,并且可以使用直接命令.这是一个示例脚本 -

Once you are done with above script to add AppRole, then assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that -

# Assign the values to the variables
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id

这篇关于如何使用 Powershell 脚本在 Azure Active Directory 的清单下添加应用角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-25 01:21