使用 graph.microsoft.com 时找不到类型 Microsoft.Open.AzureAD.Model.ResourceAccess
Cannot find type Microsoft.Open.AzureAD.Model.ResourceAccess when using graph.microsoft.com
我正在尝试使用此脚本向我的应用程序添加所需的 API 权限。 Azure AD 模块在我使用的 powershell 版本 (powershell 7 (x86)) 中不起作用,因此我使用 graph.microsoft.com API。问题是,当我 运行 它时,它会出现错误“无法找到类型 System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]:验证包含此类型的程序集是否已加载。”与 RequiredResourceAccess 相同。
所以问题就在这里。如何使用 ResourceAccess 找到类型 og。
$ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
整个脚本
Connect-AzAccount
$AADToken = (Get-AzAccessToken -ResourceUrl "Https://graph.microsoft.com").Token
Function GrantAllThePermissionsWeWant
{
param
(
[string] $targetServicePrincipalName,
$appPermissionsRequired,
$appId,
$spForApp
)
}
$restSplat = @{
Method = "GET"
uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=displayName eq '$targetServicePrincipalName'"
headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
}
$targetSp = Invoke-RestMethod @restSplat | ConvertTo-Json
$RoleAssignments = @()
Foreach ($AppPermission in $appPermissionsRequired) {
$RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission}
$RoleAssignments += $RoleAssignment
}
$ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
# set the required resource access
Set-AzureADApplication -ObjectId $appId.ObjectId -RequiredResourceAccess $requiredResourceAccess
Start-Sleep -s 1
# grant the required resource access
foreach ($RoleAssignment in $RoleAssignments) {
Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
Start-Sleep -s 1
}
$appId = '(appid)'
$appPermissionsRequired = @('Directory.Read.All')
$targetServicePrincipalName = '(spname)'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -appId $appId -spForApp $targetSp
我还没有讲到“Set-AzureADApplication”是对 graph.microsoft.com API 的调用,所以请忽略该部分。
与Powershell任务相比,Azure Powershell task默认包含一些az模块:
Azure PowerShell 任务使用 Azure/AzureRM/Az PowerShell 模块与 Azure 订阅交互。
当你收到 cannot find type 错误时,因为默认情况下 powershell 不包含 AzureAD module。
以下命令可帮助您安装 AzureAD 模块。
Install-Module AzureAD -Scope CurrentUser -Force
Import-Module AzureAD -Force
$graphPerms = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
在脚本的开头安装并导入模块。问题会消失。
我的解决方案是这样的:
foreach ($RoleAssignment in $RoleAssignments) {
$restSplat = @{
Method = "PATCH"
uri = "https://graph.microsoft.com/v1.0/applications/$($appId)"
headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
body = @{
requiredResourceAccess = @(
@{
resourceAppId = $targetSp.appId
resourceAccess = @(
@{
id = $RoleAssignment.Id
type = "Role"
}
)
}
)
} | ConvertTo-Json -Depth 4
}
$rest = (Invoke-RestMethod @restSplat).Value
现在我只需要用 Graph.microsoft.com 授予所需的资源访问权限。
我正在尝试使用此脚本向我的应用程序添加所需的 API 权限。 Azure AD 模块在我使用的 powershell 版本 (powershell 7 (x86)) 中不起作用,因此我使用 graph.microsoft.com API。问题是,当我 运行 它时,它会出现错误“无法找到类型 System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]:验证包含此类型的程序集是否已加载。”与 RequiredResourceAccess 相同。
所以问题就在这里。如何使用 ResourceAccess 找到类型 og。
$ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
整个脚本
Connect-AzAccount
$AADToken = (Get-AzAccessToken -ResourceUrl "Https://graph.microsoft.com").Token
Function GrantAllThePermissionsWeWant
{
param
(
[string] $targetServicePrincipalName,
$appPermissionsRequired,
$appId,
$spForApp
)
}
$restSplat = @{
Method = "GET"
uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=displayName eq '$targetServicePrincipalName'"
headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
}
$targetSp = Invoke-RestMethod @restSplat | ConvertTo-Json
$RoleAssignments = @()
Foreach ($AppPermission in $appPermissionsRequired) {
$RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission}
$RoleAssignments += $RoleAssignment
}
$ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
# set the required resource access
Set-AzureADApplication -ObjectId $appId.ObjectId -RequiredResourceAccess $requiredResourceAccess
Start-Sleep -s 1
# grant the required resource access
foreach ($RoleAssignment in $RoleAssignments) {
Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
Start-Sleep -s 1
}
$appId = '(appid)'
$appPermissionsRequired = @('Directory.Read.All')
$targetServicePrincipalName = '(spname)'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -appId $appId -spForApp $targetSp
我还没有讲到“Set-AzureADApplication”是对 graph.microsoft.com API 的调用,所以请忽略该部分。
与Powershell任务相比,Azure Powershell task默认包含一些az模块:
Azure PowerShell 任务使用 Azure/AzureRM/Az PowerShell 模块与 Azure 订阅交互。
当你收到 cannot find type 错误时,因为默认情况下 powershell 不包含 AzureAD module。
以下命令可帮助您安装 AzureAD 模块。
Install-Module AzureAD -Scope CurrentUser -Force
Import-Module AzureAD -Force
$graphPerms = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
在脚本的开头安装并导入模块。问题会消失。
我的解决方案是这样的:
foreach ($RoleAssignment in $RoleAssignments) {
$restSplat = @{
Method = "PATCH"
uri = "https://graph.microsoft.com/v1.0/applications/$($appId)"
headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
body = @{
requiredResourceAccess = @(
@{
resourceAppId = $targetSp.appId
resourceAccess = @(
@{
id = $RoleAssignment.Id
type = "Role"
}
)
}
)
} | ConvertTo-Json -Depth 4
}
$rest = (Invoke-RestMethod @restSplat).Value
现在我只需要用 Graph.microsoft.com 授予所需的资源访问权限。