0

我正在尝试编写一个脚本,该脚本将在 Azure 中创建一个新应用程序并添加所需的权限。我已经能够创建应用程序并添加与 Microsoft Graph 和 Azure Active Directory Graph 关联的应用程序权限。我能够枚举每个服务主体 ID 所需的权限,但是我没有看到与 Microsoft 365 管理 API 关联的服务主体 ID。 获取 AzureADServicePrincipal -All $true

以下是我当前有效的脚本...

$Test = New-AzureADApplication -DisplayName "Test"


$currentUser = (Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id)
Add-AzureADApplicationOwner -ObjectId $Test.ObjectId -RefObjectId $currentUser.ObjectId

#Get Service Principal of Azure Active Directory Graph 
$azureSP =  Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Windows Azure Active Directory"}
 


#Initialize RequiredResourceAccess for Microsoft Graph Resource API 
$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredGraphAccess.ResourceAppId = $graphSP.AppId
$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
 
#Set Application Permissions
$ApplicationPermissions = @('User.Read.All','AuditLog.Read.All','Directory.Read.All','IdentityRiskEvent.Read.All','IdentityRiskyUser.Read.All','Organization.Read.All','SecurityEvents.Read.All','Group.Read.All','RoleManagement.Read.All')
 
#Add app permissions
ForEach ($permission in $ApplicationPermissions) {
$reqPermission = $null
#Get required app permission
$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $permission}
if($reqPermission)
{
$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Role"
$resourceAccess.Id = $reqPermission.Id    
#Add required app permission
$requiredGraphAccess.ResourceAccess.Add($resourceAccess)
}
else
{
Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
}
}

#Initialize RequiredResourceAccess for Azure Active Directory API 
$requiredAzureAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAzureAccess.ResourceAppId = $azureSP.AppId
$requiredAzureAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
 
#Set Application Permissions
$AzurePermissions = @('Directory.Read.All')
 
#Add app permissions
ForEach ($Azurepermission in $AzurePermissions) {
$reqAzurePermission = $null
#Get required app permission
$reqAzurePermission = $azureSP.AppRoles | Where-Object {$_.Value -eq $Azurepermission}
if($reqAzurePermission)
{
$AzureresourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$AzureresourceAccess.Type = "Role"
$AzureresourceAccess.Id = $reqAzurePermission.Id    
#Add required app permission
$requiredAzureAccess.ResourceAccess.Add($AzureresourceAccess)
}
else
{
Write-Host "App permission $Azurepermission not found in the Azure Active Directory API" -ForegroundColor Red
}
}


#Add required resource accesses
$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
$requiredResourcesAccess.Add($requiredGraphAccess)
$requiredResourcesAccess.Add($requiredAzureAccess)
 
#Set permissions in existing Azure AD App
$appObjectId=$SolutionsGrantedTest.ObjectId
#$appObjectId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $requiredResourcesAccess

我感谢可以提供的任何知识和见解。谢谢!

4

0 回答 0