Add API permissions to an Azure AD application with the PATCH graph.microsoft.com API

I am trying to add API permissions to my application via the PATCH method.

I have 4 permissions to add.

$appPermissionsRequired = @('RoleManagement.ReadWrite.Directory', 'PrivilegedAccess.ReadWrite.AzureADGroup', 'Group.read.all', 'Directory.read.all')

I have another routine that finds the correct permission IDs and puts them into the list "RoleAssignments":

$RoleAssignments = @()
foreach ($AppPermission in $appPermissionsRequired) {
    # look up the app role on the target service principal by its value name
    $RoleAssignment = $targetSp.AppRoles | Where-Object { $_.value -eq $AppPermission }
    $RoleAssignments += $RoleAssignment
}

The problem is that when I run the PATCH method, it gives me a: "code": "Request_BadRequest"

The whole error message:

WARNING: {"error":{"code":"Request_BadRequest","message":"Specified HTTP method is not allowed for the request target.","innerError":{"date":"2021-11-03T07:37:41","request-id":"28769332-907b-47dc-bc98-f45754e17226","client-request-id":"28769332-907b-47dc-bc98-f45754e17226"}}}

foreach ($RoleAssignment in $RoleAssignments) {
    $restSplat = @{
        Method  = "PATCH"
        # this is the request that fails with Request_BadRequest
        uri     = "https://graph.microsoft.com/v1.0/applications?`$filter=appId eq '$appId'"
        headers = @{ "Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
        body    = @{
            requiredResourceAccess = @(
                @{
                    resourceAppId  = $targetSp.appId
                    resourceAccess = @(
                        @{
                            id   = $RoleAssignment.Id
                            type = "Role"
                        }
                    )
                }
            )
        } | ConvertTo-Json -Depth 4
    }
    $restSplat
    $rest = (Invoke-RestMethod @restSplat).Value
}

The PATCH https://graph.microsoft.com/v1.0/applications you are calling has no PATCH operation, because that endpoint is used for listing (GET /applications) and creating (POST /applications).

To update requiredResourceAccess for an application with a PATCH operation, you need to call PATCH /applications/{directoryObjectId}. Note that directoryObjectId is not the appId, but the Object ID of the application shown in the Azure portal or returned by GET /applications.

Instead of

PATCH https://graph.microsoft.com/v1.0/applications?`$filter=appId eq '$appId'

use

PATCH https://graph.microsoft.com/v1.0/applications/object-id

Keep in mind that this operation does not add admin consent for the permissions, and that it replaces the property, so run it as a single request.
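The following is an added example (not code from the question or the answer) that applies the points above in one routine: it resolves the application's object ID from the appId, sends a single PATCH to /applications/{objectId} carrying all four roles at once, and, going one step beyond the answer, merges the new entries into the existing requiredResourceAccess instead of overwriting whatever other APIs the app already requests. It assumes the variables from the question ($appId, $AADToken, $targetSp with .appId and .AppRoles, $appPermissionsRequired) exist; the function name Set-AppRequiredResourceAccess is my own.

```powershell
# Added example (not from the question or answer). Assumes $AADToken, $appId,
# $targetSp (service principal with .appId and .AppRoles) and
# $appPermissionsRequired exist, as in the question.
function Set-AppRequiredResourceAccess {
    param(
        [Parameter(Mandatory)] [string]   $AppId,            # client id of the application to update
        [Parameter(Mandatory)] [object]   $TargetSp,         # service principal exposing the app roles
        [Parameter(Mandatory)] [string[]] $PermissionValues, # e.g. 'Group.Read.All'
        [Parameter(Mandatory)] [string]   $AccessToken
    )

    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

    # 1. Map permission names to app role ids; throw on a typo rather than
    #    silently sending an empty entry.
    $roleIds = foreach ($value in $PermissionValues) {
        $role = $TargetSp.AppRoles | Where-Object { $_.value -eq $value }
        if (-not $role) { throw "App role '$value' not found on $($TargetSp.appId)" }
        $role.id
    }

    # 2. appId is not the directory object id: look the object up first.
    #    $filter on the collection is fine for GET; it is only PATCH that needs /{id}.
    $lookupUri = "https://graph.microsoft.com/v1.0/applications?`$filter=appId eq '$AppId'&`$select=id,requiredResourceAccess"
    $app = (Invoke-RestMethod -Method GET -Uri $lookupUri -Headers $headers).value | Select-Object -First 1
    if (-not $app) { throw "No application found with appId $AppId" }

    # 3. PATCH replaces requiredResourceAccess wholesale, so start from the
    #    current value and merge the new roles in instead of overwriting.
    $required = @($app.requiredResourceAccess)
    $entry = $required | Where-Object { $_.resourceAppId -eq $TargetSp.appId }
    if (-not $entry) {
        $entry = [pscustomobject]@{ resourceAppId = $TargetSp.appId; resourceAccess = @() }
        $required += $entry
    }
    $existingIds = @($entry.resourceAccess | ForEach-Object { $_.id })
    foreach ($id in $roleIds) {
        if ($existingIds -notcontains $id) {
            # type 'Role' = application permission; delegated permissions would use 'Scope'
            $entry.resourceAccess = @($entry.resourceAccess) + [pscustomobject]@{ id = $id; type = 'Role' }
        }
    }

    # 4. One PATCH against the object id. Graph returns 204 No Content on success,
    #    so Invoke-RestMethod yields nothing here.
    $patchUri = "https://graph.microsoft.com/v1.0/applications/$($app.id)"
    $body = @{ requiredResourceAccess = $required } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method PATCH -Uri $patchUri -Headers $headers -Body $body | Out-Null

    # Return the permission set that was written so the caller can review it;
    # admin consent still has to be granted separately.
    return $required
}

Set-AppRequiredResourceAccess -AppId $appId -TargetSp $targetSp `
    -PermissionValues $appPermissionsRequired -AccessToken $AADToken
```

The token used here needs Application.ReadWrite.All (or ownership of the application) for the PATCH to succeed; reviewing the returned requiredResourceAccess before granting consent is a good habit, since the write itself is silent on success.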