-1

问题描述:

在尝试使用以下命令为 PublicClient 创建守护程序应用程序时,它失败了。如果将 PublicClient 配置为 False,它可以工作。

问题再现:

Connect-AzureAD
$svcprincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

#Microsoft Graph
$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcprincipal.AppId

##Delegated Permissions
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "0e263e50-5827-48a4-b97c-d940288653c7","Scope" #Access Directory as the signed in user

##Application Permissions
$appPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "62a82d76-70ea-41e2-9197-370581804d09","Role" #Read and Write All Groups
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "19dbc75e-c2e2-444c-a770-ec69d8559fc7","Role" #Read and Write directory data

# when Set PublicClient as False, it worked.
New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $false -RequiredResourceAccess $reqGraph

# when Set PublicClient as True, it failed
New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $reqGraph`

错误信息:

代码:Request_BadRequest 消息:属性 requiredResourceAccess.resourceAccess 无效。详细信息:PropertyName - requiredResourceAccess.resourceAccess、PropertyErrorCode - GenericError HttpStatusCode:BadRequest HttpStatusDescription:错误请求 HttpResponseStatus:已完成

任何人都可以提供一些建议或帮助?谢谢。

4

1 回答 1

0

由于您将 Azure AD 应用程序创建为公共客户端,因此我们无法为该应用程序配置应用程序权限。由于这些应用程序不受信任以安全地保存应用程序机密,因此它们仅代表用户访问 Web API。更多详细信息,请参阅文档。所以我们需要为应用程序配置Delegated权限。换句话说,权限的类型应该是scope.

例如

Connect-AzureAD

$svcprincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcprincipal.AppId
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "0e263e50-5827-48a4-b97c-d940288653c7","Scope" #Sign in and read user profile
$delPermission2 =New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope" #Access Directory as the signed in user

$reqGraph.ResourceAccess = $delPermission1,$delPermission2

New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $reqGraph

在此处输入图像描述

于 2020-04-07T03:40:33.150 回答