0

我在 Azure 中创建了一个注册应用程序,并获得了 Graph API 的以下 API 权限,如下所示:

**
Directory.ReadWrite.All
Policy.Read.All 
Policy.ReadWrite.TrustFramework
User.Invite.All
User.Read
**

我的计划是向 Azure B2B 目录添加一个允许列表,然后使用我在上面创建的服务原则邀请来宾用户到我的目录。

有了上述权限,我就可以阅读当前政策并将邀请发送给访客用户。但是,我不能在我的 B2B 目录中附加现有的允许域列表。

每次我尝试更新现有策略时,我都会被拒绝访问,如下所示:

**
Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Out-Null**

Error

Set-AzureADPolicy : Error occurred while executing SetPolicy 
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
InnerError:
  RequestId: 4f161b70-f71c-4507-8b91-788457429fcc
  DateTimeStamp: Wed, 08 Apr 2020 16:57:39 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Ou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.SetPolicy

有谁知道这里缺少什么?

我还可以确认 Graph API 目前支持此操作吗?

谢谢巴莱普

4

1 回答 1

0

根据一些测试,我只是将“策略”下的其他三个权限添加到您注册的应用程序中。然后我可以使用Set-AzureADPolicy命令成功(通过服务原则连接到 Azure AD)。 在此处输入图像描述

更新:

我提供所有步骤供您参考:

1.在powershell中运行以下命令

# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD 

# Create the self signed cert
$currentDate = Get-Date
$endDate  = $currentDate.AddYears(1)
$notAfter  = $endDate.AddYears(1)
$pwd  = "xxxxxxx"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd

# Load the certificate
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())


# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "huryttt1234" -IdentifierUris "https://huryttt1234"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Huryttt1234" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

# Create the Service Principal and connect it to the Application
$sp = New-AzureADServicePrincipal -AppId $application.AppId

2.现在我在 Azure 门户上的 AD 中的新应用程序 (Huryttt1234) 中添加五个权限,并授予管理员同意。

3.然后运行以下命令:

# Get Tenant Detail
$tenant = Get-AzureADTenantDetail
# Now you can login to Azure PowerShell with your Service Principal and Certificate
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId  $sp.AppId -CertificateThumbprint $thumb

Get-AzureADPolicy -Id xxxxxxxxxxxxxxxxxxxx

Set-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"20:00:00"}}') -Id xxxxxxxxxxxxxxxxxxxx | Out-Null

我可以成功运行底部两行(get 操作和 set 操作)。

于 2020-04-13T04:34:44.123 回答