This is my first time posting here, so if I need to change anything about my question or add more details, please let me know. I am unable to add API permissions as configured.
I am following the post/answer here: https://stackoverflow.com/a/78951253/12567070
But when I run the Bicep, I do get the permissions added to my app registration. However, they are only added as "Other permissions granted" - I believe this is because the permissions I am trying to add "require admin consent". Is it possible to get admin consent with Bicep?
Sample code used:
targetScope = 'tenant'
// entra-external-setup.bicep
extension microsoftGraph

param appName string = 'cspm'
param deployEnvironment string = 'lb'

var applicationRegistrationName = '${appName}-${deployEnvironment}-app-01'
var redirectUris = deployEnvironment == 'prod'
  ? ['https://app.${appName}.io']
  : ['https://${applicationRegistrationName}.azurewebsites.net', 'https://localhost:44305']

// Existing Microsoft Graph service principal in the tenant (well-known appId)
resource microsoftGraphServicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: '00000003-0000-0000-c000-000000000000'
}

resource applicationRegistration 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: applicationRegistrationName
  displayName: applicationRegistrationName
  web: {
    // standard OIDC callback path (typo 'sigin-oidc' corrected)
    redirectUris: [for item in redirectUris: '${item}/signin-oidc']
    implicitGrantSettings: {
      enableIdTokenIssuance: true
    }
  }
  requiredResourceAccess: [
    {
      resourceAppId: microsoftGraphServicePrincipal.appId
      resourceAccess: [
        {
          id: '246dd0d5-5bd0-4def-940b-0421030a5b68'
          type: 'Scope'
        }
      ]
    }
  ]
}

resource applicationRegistrationServicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: applicationRegistration.appId
}

resource grants 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = {
  clientId: applicationRegistrationServicePrincipal.id
  resourceId: microsoftGraphServicePrincipal.id
  consentType: 'AllPrincipals'
  scope: 'Policy.Read.All'
}
My goal is to add the API permissions with Bicep, granted here:
What am I missing?
In your Bicep file you are using 246dd0d5-5bd0-4def-940b-0421030a5b68, which is the id of the application role. You need to use the id of the OAuth scope, which is 572fea84-0151-49b2-9301-11cb16974376.
To make sure this is correct, you can retrieve the values from the MS Graph SP:
// Get a reference to the MS Graph SP in the tenant
resource msGraphAppSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: '00000003-0000-0000-c000-000000000000'
}

// space separated list of scopes to apply
var msGraphAppOauth2PermissionScopes = 'Policy.Read.All APIConnectors.Read.All'

// create the app registration (applicationRegistrationName and redirectUris as declared in the question)
resource applicationRegistration 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: applicationRegistrationName
  displayName: applicationRegistrationName
  web: {
    redirectUris: [for item in redirectUris: '${item}/signin-oidc']
    implicitGrantSettings: {
      enableIdTokenIssuance: true
    }
  }
  requiredResourceAccess: [
    {
      resourceAppId: msGraphAppSp.appId
      // Add all required delegated permissions: we get the id from the SP object
      resourceAccess: [
        for scope in split(msGraphAppOauth2PermissionScopes, ' '): {
          id: first(filter(msGraphAppSp.oauth2PermissionScopes, (val, i) => val.value == scope)).id
          type: 'Scope'
        }
      ]
    }
  ]
}

// Create the service principal
resource applicationRegistrationServicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: applicationRegistration.appId
}

// Grant required access to MS graph
resource msGraphGrants 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = {
  clientId: applicationRegistrationServicePrincipal.id
  resourceId: msGraphAppSp.id
  consentType: 'AllPrincipals'
  scope: msGraphAppOauth2PermissionScopes
}
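As an added illustration of the answer above (not code from either poster), the check below does in Python what the Bicep split()/filter()/first() expression does: it resolves delegated scope names to ids from the Graph service principal object and flags the question's mistake of putting an appRole id under type 'Scope', plus any scope that needs admin consent. The manifest excerpt is constructed; only the two Policy.Read.All ids come from the thread and the User.Read id is a placeholder.

```python
import json

# Constructed excerpt of the Microsoft Graph service principal object. Only the
# two Policy.Read.All ids come from the thread; the User.Read id is a placeholder.
MS_GRAPH_SP = json.loads("""{
  "appId": "00000003-0000-0000-c000-000000000000",
  "oauth2PermissionScopes": [
    {"id": "572fea84-0151-49b2-9301-11cb16974376", "value": "Policy.Read.All", "type": "Admin"},
    {"id": "00000000-0000-0000-0000-000000000001", "value": "User.Read", "type": "User"}
  ],
  "appRoles": [
    {"id": "246dd0d5-5bd0-4def-940b-0421030a5b68", "value": "Policy.Read.All"}
  ]
}""")


def resolve_scope_ids(sp, scopes):
    """Map a space-separated scope list to delegated-permission ids, like the
    split()/filter()/first() expression in the answer, but failing loudly."""
    by_value = {s["value"]: s["id"] for s in sp["oauth2PermissionScopes"]}
    try:
        return [by_value[name] for name in scopes.split()]
    except KeyError as exc:
        raise KeyError(f"no delegated scope named {exc.args[0]} on {sp['appId']}") from None


def classify(sp, access_id):
    """Return ('Scope', entry), ('Role', entry) or (None, None) for a permission id."""
    for kind, entries in (("Scope", sp["oauth2PermissionScopes"]), ("Role", sp["appRoles"])):
        for entry in entries:
            if entry["id"] == access_id:
                return kind, entry
    return None, None


def check_required_access(sp, resource_access):
    """Review {id, type} entries of requiredResourceAccess[].resourceAccess: flag an
    app-role id declared as a Scope (the question's bug) and admin-consent scopes."""
    findings = []
    for access in resource_access:
        kind, entry = classify(sp, access["id"])
        if kind is None:
            findings.append("unknown id " + access["id"])
        elif kind != access["type"]:
            findings.append(f"{entry['value']}: declared {access['type']} but id is a {kind}")
        elif kind == "Scope" and entry["type"] == "Admin":
            findings.append(f"{entry['value']}: admin consent required, grant with consentType AllPrincipals")
        else:
            findings.append(f"{entry['value']}: ok")
    return findings
```

Running it against the question's resourceAccess entry reports the Scope/Role mismatch; against the corrected id it reports that a tenant-wide oauth2PermissionGrant (consentType AllPrincipals) is what records the admin consent.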