Question
Using the AzureAD module, I can retrieve all delegated permissions for a service principal using the Get-AzureADServicePrincipalOAuth2PermissionGrant
cmdlet. However, I can't find a similar cmdlet to retrieve the application permissions for a service principal in this module.
Does the AzureAD module provide a way to retrieve application permissions for a service principal?
Recommended answer
Application permission assignments are represented as appRoleAssignments in the directory. Literally assigning a role to the app's service principal.
Using the V2 module:
There are two ways to approach getting the roles.
What permissions have been assigned to principal A?
Get-AzureADServiceAppRoleAssignedTo -ObjectId eea0d6cd-20e2-4b81-97ca-5b0cbffac985 | fl
Here I am getting what app permissions have been assigned to this principal.
Who has permissions on principal A?
Get-AzureADServiceAppRoleAssignment -ObjectId f004dde9-b40f-4259-91be-e257009a444a | fl
此处,对象ID适用于Microsoft Graph.它列出了已为其分配了任何应用程序权限的所有主体.
Here the object id is for Microsoft Graph. It lists out all principals who have been assigned any app permissions on it.
Either way you still get a list of AppRoleAssignments.
- Id = the ID of the assigned AppRole
- PrincipalId = ObjectId of the service principal the permission is assigned to
- ResourceId = ObjectId of the service principal that offers the permission
You will need to join the assignments with the right roles yourself. You can print out the app roles that e.g. MS Graph offers quite easily:
$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.AppRoles | fl
Example:
AllowedMemberTypes : {Application}
Description : (Preview) Allows the app to read all files in all site collections without a signed in user.
DisplayName : Read files in all site collections (preview)
Id : 01d4889c-1287-42c6-ac1f-5d1e02578ef6
IsEnabled : True
Value : Files.Read.All
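An added example, not part of the original answer, that performs the join the answer describes: each AppRoleAssignment returned for a service principal is matched by its Id against the AppRoles of the resource service principal so the permission Value (e.g. Files.Read.All) can be listed. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the function name is my own.

```powershell
# Added example (not from the original answer): list the application permissions
# granted to one service principal, with the permission names resolved.
function Get-ServicePrincipalAppPermissions {
    param(
        [Parameter(Mandatory = $true)]
        [string]$PrincipalObjectId   # ObjectId of the service principal to audit
    )

    # The all-zero GUID appears when a principal is assigned to a resource that
    # defines no app roles ("default access"); it never matches an AppRole.Id.
    $defaultAccessRoleId = '00000000-0000-0000-0000-000000000000'

    # Cache each resource's AppRoles so every resource is queried only once.
    $roleCache = @{}

    Get-AzureADServiceAppRoleAssignedTo -ObjectId $PrincipalObjectId -All $true |
        ForEach-Object {
            $assignment = $_
            if (-not $roleCache.ContainsKey($assignment.ResourceId)) {
                $resource = Get-AzureADServicePrincipal -ObjectId $assignment.ResourceId
                $roleCache[$assignment.ResourceId] = @($resource.AppRoles)
            }

            # Join: assignment.Id is the Id of the AppRole defined on the resource.
            $role = $roleCache[$assignment.ResourceId] |
                Where-Object { $_.Id -eq $assignment.Id } |
                Select-Object -First 1

            if ($assignment.Id -eq $defaultAccessRoleId) {
                $permission = '(default access)'
            } elseif ($role) {
                $permission = $role.Value
            } else {
                $permission = "(unresolved role id $($assignment.Id))"
            }
            $enabled     = if ($role) { $role.IsEnabled } else { $null }
            $description = if ($role) { $role.Description } else { $null }

            [pscustomobject]@{
                Principal   = $assignment.PrincipalDisplayName
                Resource    = $assignment.ResourceDisplayName
                Permission  = $permission
                Enabled     = $enabled
                Description = $description
            }
        }
}

# Usage with the ObjectId from the answer above; substitute the principal you are reviewing.
Get-ServicePrincipalAppPermissions -PrincipalObjectId 'eea0d6cd-20e2-4b81-97ca-5b0cbffac985' |
    Format-Table -AutoSize
```

An assignment whose Enabled column is False or whose Permission is unresolved is worth a closer look during a permissions review, since the role definition on the resource no longer matches what was granted.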