Manage application authenticationBehaviors
The authenticationBehaviors property of the application object lets you configure breaking-change behaviors related to token issuance. Applications can adopt new breaking changes by enabling a behavior, or continue using the pre-existing behavior by disabling it.
Require multitenant applications to have a service principal in the resource tenant as part of authorization checks before they receive access tokens.
Note
The authenticationBehaviors property of the application object is currently available only in beta.
Read the authenticationBehaviors setting for an application
The authenticationBehaviors property is returned only on $select requests.
To read the property and the other specified properties of all applications in the tenant, run the following sample request. The request returns a 200 OK response code and a JSON representation of the application object that shows only the selected properties.
GET https://graph.microsoft.com/beta/applications?$select=id,displayName,appId,authenticationBehaviors
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications.GetAsync((requestConfiguration) =>
{
    requestConfiguration.QueryParameters.Select = new string[] { "id", "displayName", "appId", "authenticationBehaviors" };
});

// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphapplications "github.com/microsoftgraph/msgraph-beta-sdk-go/applications"
    //other-imports
)

requestParameters := &graphapplications.ApplicationsRequestBuilderGetQueryParameters{
    Select: []string{"id", "displayName", "appId", "authenticationBehaviors"},
}
configuration := &graphapplications.ApplicationsRequestBuilderGetRequestConfiguration{
    QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().Get(context.Background(), configuration)

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ApplicationCollectionResponse result = graphClient.applications().get(requestConfiguration -> {
    requestConfiguration.queryParameters.select = new String[]{"id", "displayName", "appId", "authenticationBehaviors"};
});

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.applications.applications_request_builder import ApplicationsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ApplicationsRequestBuilder.ApplicationsRequestBuilderGetQueryParameters(
    select = ["id", "displayName", "appId", "authenticationBehaviors"],
)
request_configuration = RequestConfiguration(
    query_parameters = query_params,
)
result = await graph_client.applications.get(request_configuration = request_configuration)
You can also use the appId property as follows:
GET https://graph.microsoft.com/beta/applications(appId='37bf1fd4-78b0-4fea-ac2d-6c82829e9365')/authenticationBehaviors
Prevent the issuance of email claims with unverified domain owners
As described in the Microsoft security advisory Potential Risk of Privilege Escalation in Microsoft Entra Applications, applications should never use the email claim for authorization purposes. If your application uses the email claim for authorization or for primary user identification, it is subject to account and privilege escalation attacks. This risk of unauthorized access is especially identified in the following scenarios:
When the mail attribute of the user object contains an email address with an unverified domain owner
For multitenant applications where a user from one tenant could escalate their privileges to access resources in another tenant by modifying their mail attribute
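An added example (not part of the original article) of the risk described above: an account lookup keyed on the email claim next to one keyed on the tenant ID and object ID claims (tid, oid) of a Microsoft Entra token. The account table, claim values and function names are constructed for illustration.

```python
from typing import Optional

# The application's own account table (constructed). The admin account was
# provisioned from a sign-in in tenant "tenant-a".
ACCOUNTS = [
    {"role": "admin", "email": "alice@contoso.example",
     "tid": "tenant-a", "oid": "oid-alice"},
]


def lookup_by_email(claims: dict) -> Optional[dict]:
    """Pattern to avoid: the mutable, possibly unverified email claim is the key."""
    email = claims.get("email", "").lower()
    return next((a for a in ACCOUNTS if email and a["email"] == email), None)


def lookup_by_subject(claims: dict) -> Optional[dict]:
    """Hardened pattern: key on the (tid, oid) pair and ignore the email claim."""
    key = (claims.get("tid"), claims.get("oid"))
    if None in key:
        return None
    return next((a for a in ACCOUNTS if (a["tid"], a["oid"]) == key), None)


# Constructed payloads of ID tokens whose signature was already validated.
LEGITIMATE = {"tid": "tenant-a", "oid": "oid-alice",
              "email": "alice@contoso.example"}
# A user of another tenant whose mail attribute holds an address in a domain
# that tenant has not verified.
CROSS_TENANT = {"tid": "tenant-b", "oid": "oid-other",
                "email": "alice@contoso.example"}
# The same user once removeUnverifiedEmailClaim strips the claim.
STRIPPED = {"tid": "tenant-b", "oid": "oid-other"}

if __name__ == "__main__":
    for label, claims in [("legitimate", LEGITIMATE),
                          ("cross-tenant", CROSS_TENANT),
                          ("stripped", STRIPPED)]:
        print(label,
              "by_email:", lookup_by_email(claims) is not None,
              "by_subject:", lookup_by_subject(claims) is not None)
```

Removing the unverified claim closes the email-keyed path, but only the subject-keyed lookup stays correct regardless of how the claim is configured.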
Today, the default behavior is to remove email addresses with unverified domain owners from claims, except for single-tenant applications and for multitenant applications with previous sign-in activity with unverified emails. If your application falls into one of these exceptions and you want to remove unverified email addresses, set the removeUnverifiedEmailClaim property of authenticationBehaviors to true as illustrated in the following examples. The request returns a 204 No Content response code.
Remove email addresses with unverified domain owners from claims
Option 1
This pattern of specifying the property in the request URL lets you update only the property specified in the request.
This pattern of specifying the property in the request body lets you update other peer properties in the same request.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
    AuthenticationBehaviors = new AuthenticationBehaviors
    {
        RemoveUnverifiedEmailClaim = true,
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)

requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := true
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim)
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(true);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationBehaviors;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(true);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.authentication_behaviors import AuthenticationBehaviors
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
    authentication_behaviors = AuthenticationBehaviors(
        remove_unverified_email_claim = True,
    ),
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
    AuthenticationBehaviors = new AuthenticationBehaviors
    {
        RemoveUnverifiedEmailClaim = false,
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)

requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := false
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim)
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(false);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationBehaviors;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(false);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.authentication_behaviors import AuthenticationBehaviors
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
    authentication_behaviors = AuthenticationBehaviors(
        remove_unverified_email_claim = False,
    ),
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
    AuthenticationBehaviors = new AuthenticationBehaviors
    {
        RemoveUnverifiedEmailClaim = null,
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)

requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
// Go has no null literal; the setter takes a *bool, so pass nil to clear the value
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(nil)
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(null);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationBehaviors;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(null);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.authentication_behaviors import AuthenticationBehaviors
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
    authentication_behaviors = AuthenticationBehaviors(
        remove_unverified_email_claim = None,
    ),
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
Allow extended Azure AD Graph access until June 30, 2025
By default, applications created after August 31, 2024 will receive a 403 Unauthorized error when making requests to Azure AD Graph APIs, unless they are configured to allow extended Azure AD Graph access. In addition, existing applications created before August 31, 2024 that make requests to Azure AD Graph APIs must be configured to allow extended Azure AD Graph access by February 1, 2025. This extended access is available only until June 30, 2025, when Azure AD Graph will be fully retired. After that date, all applications will receive a 403 Unauthorized error when making requests to Azure AD Graph APIs, regardless of their extended access configuration. For more information, see June 2024 update on Azure AD Graph API retirement.
The following request shows how to update an application to enable extended Azure AD Graph access. The request returns a 204 No Content response code.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
    AuthenticationBehaviors = new AuthenticationBehaviors
    {
        BlockAzureADGraphAccess = false,
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)

requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
blockAzureADGraphAccess := false
authenticationBehaviors.SetBlockAzureADGraphAccess(&blockAzureADGraphAccess)
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setBlockAzureADGraphAccess(false);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationBehaviors;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setBlockAzureADGraphAccess(false);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.authentication_behaviors import AuthenticationBehaviors
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
    authentication_behaviors = AuthenticationBehaviors(
        block_azure_a_d_graph_access = False,
    ),
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
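
An added example, not Microsoft's code: a tenant-wide audit over the JSON returned by the $select query shown earlier, flagging applications whose removeUnverifiedEmailClaim or blockAzureADGraphAccess setting deserves review and building the PATCH request that enables removal of unverified email claims. The sample response, GUIDs and function names are constructed, and the /beta/applications/{id} URL form is assumed from the SDK calls above.

```python
import json

GRAPH = "https://graph.microsoft.com/beta"

# Constructed sample of the response to
# GET /beta/applications?$select=id,displayName,appId,authenticationBehaviors
SAMPLE_RESPONSE = json.loads("""
{"value": [
 {"id": "a0000000-0000-0000-0000-000000000001",
  "appId": "b0000000-0000-0000-0000-000000000001", "displayName": "hr-portal",
  "authenticationBehaviors": {"removeUnverifiedEmailClaim": true,
                              "blockAzureADGraphAccess": null}},
 {"id": "a0000000-0000-0000-0000-000000000002",
  "appId": "b0000000-0000-0000-0000-000000000002", "displayName": "legacy-sync",
  "authenticationBehaviors": {"removeUnverifiedEmailClaim": false,
                              "blockAzureADGraphAccess": false}},
 {"id": "a0000000-0000-0000-0000-000000000003",
  "appId": "b0000000-0000-0000-0000-000000000003", "displayName": "partner-api",
  "authenticationBehaviors": null}
]}
""")


def audit(response):
    """Return (displayName, finding) pairs for applications that need review."""
    findings = []
    for app in response.get("value", []):
        # The property can be absent or null; both mean the service default.
        behaviors = app.get("authenticationBehaviors") or {}
        name = app.get("displayName") or app.get("appId", "?")
        email = behaviors.get("removeUnverifiedEmailClaim")
        if email is False:
            findings.append((name, "unverified email claims explicitly accepted"))
        elif email is None:
            findings.append((name, "email claim handling left at default"))
        if behaviors.get("blockAzureADGraphAccess") is False:
            findings.append((name, "extended Azure AD Graph access enabled"))
    return findings


def remediation_request(app):
    """Build the PATCH (property in the request body) that enables removal."""
    body = {"authenticationBehaviors": {"removeUnverifiedEmailClaim": True}}
    return "PATCH", f"{GRAPH}/applications/{app['id']}", json.dumps(body)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
```

A null value is reported rather than ignored because the default leaves unverified addresses in place for the exceptions the article lists.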