Azure 广告应用程序 - 以编程方式更新清单
Azure ad app - Updating manifest programmatically
我正在尝试找到一种方法,利用 json 文件通过 powershell 更新 Azure Ad 注册应用程序的清单。
Json 文件包含所有应用程序角色,我想简单地将应用程序角色:[] 直接注入应用程序角色括号
有没有办法通过电源 shell 或 CLI 实现此目的?
是的,您可以通过 PowerShell 更新 Azure AD 应用程序的清单。
专门添加App Roles,这里有一个PowerShell脚本。
如果您在创建新应用程序时尝试这样做,只需使用 New-AzureADApplication 而不是 Set-AzureADApplication。
Connect-AzureAD -TenantId <Tenant GUID>
# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $Name
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = $Description
$appRole.Value = $Name;
return $appRole
}
# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles
$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
请记住,Azure AD 门户中显示的 "manifest" 只不过是 Azure AD Graph API 公开的应用程序对象的轻微约束表示: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity
Azure AD PowerShell(AzureAD 模块)只是相同 API 的简单包装器。 New‑AzureADApplication 在 /applications 上执行 POST,Get‑AzureADApplication 执行 GET,Set‑AzureADApplication 执行 PATCH,Remove‑AzureADApplication 做了 DELETE.
因此,牢记这一点,考虑以下输入文件 app-roles.json:
[
{
"allowedMemberTypes": [ "Application" ],
"description": "Read some things in the My App service",
"displayName": "Read some things",
"id": "b2b2e6de-bb42-41b4-92db-fda89218b5ae",
"isEnabled": true,
"value": "Things.Read.Some"
},
{
"allowedMemberTypes": [ "User" ],
"description": "Super admin role for My App",
"displayName": "My App Super Admin",
"id": "a01eca9b-0c55-411d-aa5f-d8cfdbadf500",
"isEnabled": true,
"value": "super_admin"
}
]
您可以使用以下脚本在应用程序上设置这些应用程序角色(请注意,这将删除所有现有的应用程序角色,如果它们之前未被禁用,这将导致错误):
$appId = "{app-id}"
$pathToAppRolesJson = "app-roles.json"
# Read all desired app roles from JSON file
$appRolesFromJson = Get-Content -Path $pathToAppRolesJson -Raw | ConvertFrom-Json
# Build a new list of Azure AD PowerShell AppRole objects
$appRolesForApp = @()
$appRolesFromJson | ForEach-Object {
# Create new Azure AD PowerShell AppRole object for each app role
$appRole = New-Object "Microsoft.Open.AzureAD.Model.AppRole"
$appRole.AllowedMemberTypes = $_.allowedMemberTypes
$appRole.Description = $_.description
$appRole.DisplayName = $_.displayName
$appRole.Id = $_.id
$appRole.IsEnabled = $_.isEnabled
$appRole.Value = $_.value
# Add to the list of app roles
$appRolesForApp += $appRole
}
# Update the Application object with the new list of app roles
$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $appId)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRolesForApp
Azure 客户端命令
az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json
manifest.json
[{
"allowedMemberTypes": [
"User"
],
"description": "Approvers can mark documents as approved",
"displayName": "Approver",
"isEnabled": "true",
"value": "approver"
}]
我正在尝试找到一种方法,利用 json 文件通过 powershell 更新 Azure Ad 注册应用程序的清单。
Json 文件包含所有应用程序角色,我想简单地将应用程序角色:[] 直接注入应用程序角色括号
有没有办法通过电源 shell 或 CLI 实现此目的?
是的,您可以通过 PowerShell 更新 Azure AD 应用程序的清单。
专门添加App Roles,这里有一个PowerShell脚本。
如果您在创建新应用程序时尝试这样做,只需使用 New-AzureADApplication 而不是 Set-AzureADApplication。
Connect-AzureAD -TenantId <Tenant GUID>
# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $Name
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = $Description
$appRole.Value = $Name;
return $appRole
}
# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles
$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
请记住,Azure AD 门户中显示的 "manifest" 只不过是 Azure AD Graph API 公开的应用程序对象的轻微约束表示: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity
Azure AD PowerShell(AzureAD 模块)只是相同 API 的简单包装器。 New‑AzureADApplication 在 /applications 上执行 POST,Get‑AzureADApplication 执行 GET,Set‑AzureADApplication 执行 PATCH,Remove‑AzureADApplication 做了 DELETE.
因此,牢记这一点,考虑以下输入文件 app-roles.json:
[
{
"allowedMemberTypes": [ "Application" ],
"description": "Read some things in the My App service",
"displayName": "Read some things",
"id": "b2b2e6de-bb42-41b4-92db-fda89218b5ae",
"isEnabled": true,
"value": "Things.Read.Some"
},
{
"allowedMemberTypes": [ "User" ],
"description": "Super admin role for My App",
"displayName": "My App Super Admin",
"id": "a01eca9b-0c55-411d-aa5f-d8cfdbadf500",
"isEnabled": true,
"value": "super_admin"
}
]
您可以使用以下脚本在应用程序上设置这些应用程序角色(请注意,这将删除所有现有的应用程序角色,如果它们之前未被禁用,这将导致错误):
$appId = "{app-id}"
$pathToAppRolesJson = "app-roles.json"
# Read all desired app roles from JSON file
$appRolesFromJson = Get-Content -Path $pathToAppRolesJson -Raw | ConvertFrom-Json
# Build a new list of Azure AD PowerShell AppRole objects
$appRolesForApp = @()
$appRolesFromJson | ForEach-Object {
# Create new Azure AD PowerShell AppRole object for each app role
$appRole = New-Object "Microsoft.Open.AzureAD.Model.AppRole"
$appRole.AllowedMemberTypes = $_.allowedMemberTypes
$appRole.Description = $_.description
$appRole.DisplayName = $_.displayName
$appRole.Id = $_.id
$appRole.IsEnabled = $_.isEnabled
$appRole.Value = $_.value
# Add to the list of app roles
$appRolesForApp += $appRole
}
# Update the Application object with the new list of app roles
$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $appId)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRolesForApp
Azure 客户端命令
az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json
manifest.json
[{
"allowedMemberTypes": [
"User"
],
"description": "Approvers can mark documents as approved",
"displayName": "Approver",
"isEnabled": "true",
"value": "approver"
}]