I'm trying to write a script that creates a new app in Azure and adds the permissions it needs. I've gotten as far as creating the app and adding the application permissions associated with Microsoft Graph and Azure Active Directory Graph. I was able to enumerate the required permissions under each service principal ID, but the service principal ID associated with the Microsoft 365 Management API does not show up in the output of Get-AzureADServicePrincipal -All $true.
Below is my current script, which works...
$Test = New-AzureADApplication -DisplayName "Test"
$currentUser = (Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id)
Add-AzureADApplicationOwner -ObjectId $Test.ObjectId -RefObjectId $currentUser.ObjectId
#Get Service Principal of Microsoft Graph (referenced as $graphSP below)
$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"}
#Get Service Principal of Azure Active Directory Graph
$azureSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Windows Azure Active Directory"}
#Initialize RequiredResourceAccess for Microsoft Graph Resource API
$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredGraphAccess.ResourceAppId = $graphSP.AppId
$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
#Set Application Permissions
$ApplicationPermissions = @('User.Read.All','AuditLog.Read.All','Directory.Read.All','IdentityRiskEvent.Read.All','IdentityRiskyUser.Read.All','Organization.Read.All','SecurityEvents.Read.All','Group.Read.All','RoleManagement.Read.All')
#Add app permissions
ForEach ($permission in $ApplicationPermissions) {
    $reqPermission = $null
    #Get required app permission (application permissions are AppRoles on the resource's service principal)
    $reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $permission}
    if($reqPermission)
    {
        $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
        #"Role" = application permission; delegated permissions would use "Scope"
        $resourceAccess.Type = "Role"
        $resourceAccess.Id = $reqPermission.Id
        #Add required app permission
        $requiredGraphAccess.ResourceAccess.Add($resourceAccess)
    }
    else
    {
        Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
    }
}
#Initialize RequiredResourceAccess for Azure Active Directory API
$requiredAzureAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredAzureAccess.ResourceAppId = $azureSP.AppId
$requiredAzureAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
#Set Application Permissions
$AzurePermissions = @('Directory.Read.All')
#Add app permissions
ForEach ($Azurepermission in $AzurePermissions) {
    $reqAzurePermission = $null
    #Get required app permission (AppRoles on the Azure Active Directory Graph service principal)
    $reqAzurePermission = $azureSP.AppRoles | Where-Object {$_.Value -eq $Azurepermission}
    if($reqAzurePermission)
    {
        $AzureresourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
        $AzureresourceAccess.Type = "Role"
        $AzureresourceAccess.Id = $reqAzurePermission.Id
        #Add required app permission
        $requiredAzureAccess.ResourceAccess.Add($AzureresourceAccess)
    }
    else
    {
        Write-Host "App permission $Azurepermission not found in the Azure Active Directory API" -ForegroundColor Red
    }
}
#Add required resource accesses
$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
$requiredResourcesAccess.Add($requiredGraphAccess)
$requiredResourcesAccess.Add($requiredAzureAccess)
#Set permissions in existing Azure AD App
$appObjectId = $Test.ObjectId
#$appObjectId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $requiredResourcesAccess
Any knowledge and insight you can offer is appreciated. Thank you!
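Added example (editor's code, not part of the question above): the same permission-building loop folded into one helper that works for any resource API addressed by its well-known AppId, plus the check a practitioner wants here, namely that a first-party service principal such as Office 365 Management APIs is only present in a tenant once something has provisioned it, and can be created with New-AzureADServicePrincipal -AppId when Get-AzureADServicePrincipal returns nothing for it. It assumes an open Connect-AzureAD session with the AzureAD module, the stable first-party AppIds for Microsoft Graph, Azure Active Directory Graph and Office 365 Management APIs, and the Office 365 Management APIs application permission names ActivityFeed.Read and ServiceHealth.Read (any name that does not resolve is reported, not silently dropped); the function names Get-ResourceServicePrincipal and New-RequiredResourceAccess are the example's own.

```powershell
# Added example, not from the original question. Requires the AzureAD module
# and an existing Connect-AzureAD session.

function Get-ResourceServicePrincipal {
    param([Parameter(Mandatory)][string]$AppId)

    # First-party service principals only show up in a tenant after something
    # has used them. Look the resource up by its stable AppId rather than by
    # DisplayName, and provision it if it is not there yet.
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        Write-Host "Service principal for $AppId not present in tenant, creating it" -ForegroundColor Yellow
        $sp = New-AzureADServicePrincipal -AppId $AppId
    }
    return $sp
}

function New-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)]$ServicePrincipal,
        [Parameter(Mandatory)][string[]]$AppRoleValues
    )

    $rra = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $rra.ResourceAppId = $ServicePrincipal.AppId
    $rra.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]

    foreach ($value in $AppRoleValues) {
        # Application permissions are AppRoles on the resource's service
        # principal (Type "Role"); delegated permissions would be Type "Scope".
        $role = $ServicePrincipal.AppRoles | Where-Object { $_.Value -eq $value }
        if (-not $role) {
            Write-Host "App role '$value' not found on $($ServicePrincipal.DisplayName)" -ForegroundColor Red
            continue
        }
        $ra = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
        $ra.Type = "Role"
        $ra.Id = $role.Id
        $rra.ResourceAccess.Add($ra)
    }
    return $rra
}

# Well-known first-party resource AppIds (the same in every tenant)
$GraphAppId    = '00000003-0000-0000-c000-000000000000'  # Microsoft Graph
$AadGraphAppId = '00000002-0000-0000-c000-000000000000'  # Azure Active Directory Graph
$O365MgmtAppId = 'c5393580-f805-4401-95e8-94b7a6ef2fc2'  # Office 365 Management APIs

$graphSP = Get-ResourceServicePrincipal -AppId $GraphAppId
$aadSP   = Get-ResourceServicePrincipal -AppId $AadGraphAppId
$mgmtSP  = Get-ResourceServicePrincipal -AppId $O365MgmtAppId

$required = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
$required.Add((New-RequiredResourceAccess -ServicePrincipal $graphSP -AppRoleValues @('Directory.Read.All','AuditLog.Read.All')))
$required.Add((New-RequiredResourceAccess -ServicePrincipal $aadSP   -AppRoleValues @('Directory.Read.All')))
# Office 365 Management APIs application permissions; assumed names, resolved
# against the service principal's AppRoles at run time.
$required.Add((New-RequiredResourceAccess -ServicePrincipal $mgmtSP  -AppRoleValues @('ActivityFeed.Read','ServiceHealth.Read')))

$app = New-AzureADApplication -DisplayName "Test"
# -RequiredResourceAccess replaces the whole declared list on the registration.
# It declares the permissions; it does not grant them.
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $required
```

Two points worth keeping in mind when running something like this: filtering on AppId avoids the ambiguity of DisplayName matching (several service principals can carry similar names, and display names have changed over time), and because these are tenant-wide application permissions, an administrator still has to grant admin consent after the script runs before tokens issued to the app actually carry the roles.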