Retrieving permission IDs for Microsoft Graph API - Delegated / Application Permissions GUID for various Scopes
Is there a quick and easy way to look up the Microsoft Graph API delegated/application permission GUIDs (or even the deprecated Azure AD API permissions)?
I tried following the official documentation but did not find it very intuitive.
https://docs.microsoft.com/en-us/graph/permissions-reference
Since the permission names are similar, for example group.readwrite.all for delegated vs. application, is there any tool or technique to easily find these IDs?
az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:oauth2Permissions}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": "Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.",
"adminConsentDisplayName": "Read and write all groups",
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"value": "Group.ReadWrite.All"
}
This does not seem right, because the correct ID is:
Group_ReadWrite_All = {
id = "62a82d76-70ea-41e2-9197-370581804d09"
type = "Role"
}
Am I missing something obvious? In particular around Role/Scope, or the delegated vs. application distinction?
Query to list all applications:
az ad sp list --query '[].{appDisplayName:appDisplayName, appId:appId}'
Query the "Microsoft Graph" app for the "oauth2" scope of the "Group.ReadWrite.All" permission:
az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:oauth2Permissions}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": "Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.",
"adminConsentDisplayName": "Read and write all groups",
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"value": "Group.ReadWrite.All"
}
Query the "Microsoft Graph" app for the application "role" of the "Group.ReadWrite.All" permission:
az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:appRoles}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": null,
"adminConsentDisplayName": null,
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"value": "Group.ReadWrite.All"
}
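To make the Role/Scope split from the answer mechanical, here is an added example (not code from the original post) that resolves a permission name against a Microsoft Graph service principal record to both GUIDs and then builds resourceAccess entries for an app registration, refusing a kind the API does not offer. The service principal JSON is a constructed sample: it carries the two Group.ReadWrite.All GUIDs quoted above plus a made-up delegated-only permission "Example.Read" with a placeholder GUID.

```python
import json

# Constructed sample shaped like one entry from
#   az ad sp list --query "[?appDisplayName=='Microsoft Graph']" --all
# cut down to the two collections that matter. The Group.ReadWrite.All GUIDs
# are the ones quoted on this page; "Example.Read" is a made-up delegated-only
# permission with a placeholder GUID. appRoles carry displayName/description
# rather than the adminConsent* fields, hence the nulls in the second query.
SAMPLE_SP = json.loads("""
{
  "appDisplayName": "Microsoft Graph",
  "oauth2Permissions": [
    {"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0", "value": "Group.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Example.Read"}
  ],
  "appRoles": [
    {"id": "62a82d76-70ea-41e2-9197-370581804d09", "value": "Group.ReadWrite.All"}
  ]
}
""")

def resolve_permission(sp, value):
    """Map a permission name to its delegated (Scope) and application (Role) GUIDs.
    Delegated permissions live in oauth2Permissions (granted as type "Scope");
    application permissions live in appRoles (granted as type "Role"). The same
    name can exist in both with different GUIDs, which is the mix-up in the
    question. Matching is case-insensitive."""
    found = {"Scope": None, "Role": None}
    for entry in sp.get("oauth2Permissions", []):
        if entry["value"].lower() == value.lower():
            found["Scope"] = entry["id"]
    for entry in sp.get("appRoles", []):
        if entry["value"].lower() == value.lower():
            found["Role"] = entry["id"]
    return found

def resource_access(sp, wanted):
    """Build an app registration's resourceAccess list from (name, kind) pairs.
    Refuses a kind the API does not offer, e.g. a Role GUID for a permission
    that only exists as a delegated scope, instead of silently falling back
    to the other kind (which would grant a different level of access)."""
    out = []
    for value, kind in wanted:
        guid = resolve_permission(sp, value)[kind]
        if guid is None:
            raise KeyError(f"{value} has no {kind} permission on {sp['appDisplayName']}")
        out.append({"id": guid, "type": kind})
    return out
```

Against a live tenant, feed the function the JSON of the real Microsoft Graph service principal from `az ad sp list` instead of SAMPLE_SP.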