In addition, the following resources and privileges are required:
- Sign in to an API client (for example, Graph Explorer) to run the HTTP requests.
- The app used to make these changes must be granted the Application.ReadWrite.All permission.
Use the Microsoft Graph application API
The Microsoft Graph application object includes the requiredResourceAccess property, a collection of objects that contain information about resource APIs and their permissions. Use this property to configure Azure AD Graph permissions, as described in the following steps.
Step 1: Identify the permission IDs of the Azure AD Graph permissions the app requires
Identify the Azure AD Graph permissions the app requires, their permission IDs, and whether they are appRoles (application permissions) or oauth2PermissionScopes (delegated permissions). For more information, see the Azure AD Graph permissions reference.
Azure AD Graph is identified as a servicePrincipal object with the globally unique appId 00000002-0000-0000-c000-000000000000 and the displayName and appDisplayName Windows Azure Active Directory. Run the following request to retrieve the service principal object for Azure AD Graph in your tenant.
Request
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000002-0000-0000-c000-000000000000'
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "appId eq '00000002-0000-0000-c000-000000000000'";
});
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
//other-imports
)
requestFilter := "appId eq '00000002-0000-0000-c000-000000000000'"
requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
Filter: &requestFilter,
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "appId eq '00000002-0000-0000-c000-000000000000'";
});
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
const options = {
authProvider,
};
const client = Client.init(options);
let servicePrincipals = await client.api('/servicePrincipals')
.filter('appId eq \'00000002-0000-0000-c000-000000000000\'')
.get();
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\ServicePrincipalsRequestBuilderGetRequestConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new ServicePrincipalsRequestBuilderGetRequestConfiguration();
$queryParameters = ServicePrincipalsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "appId eq '00000002-0000-0000-c000-000000000000'";
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->servicePrincipals()->get($requestConfiguration)->wait();
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Import-Module Microsoft.Graph.Applications
Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0000-c000-000000000000'"
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
filter = "appId eq '00000002-0000-0000-c000-000000000000'",
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.service_principals.get(request_configuration = request_configuration)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Response
In the response object, the details of the Azure AD Graph application permissions are listed in the appRoles object, and the details of the delegated permissions are listed in the oauth2PermissionScopes object.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals",
"value": [
{
"id": "1804a6f8-e623-4520-8f40-ba1b0c11c42d",
"accountEnabled": true,
"appDisplayName": "Windows Azure Active Directory",
"appDescription": null,
"appId": "00000002-0000-0000-c000-000000000000",
"appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
"appRoleAssignmentRequired": false,
"displayName": "Windows Azure Active Directory",
"servicePrincipalNames": [
"https://graph.windows.net",
"00000002-0000-0000-c000-000000000000/graph.microsoftazure.us",
"00000002-0000-0000-c000-000000000000/graph.windows.net",
"00000002-0000-0000-c000-000000000000/directory.windows.net",
"00000002-0000-0000-c000-000000000000",
"https://graph.windows.net/",
"https://graph.microsoftazure.us"
],
"servicePrincipalType": "Application",
"signInAudience": "AzureADMultipleOrgs",
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allows the app to read applications and service principals without a signed-in user",
"displayName": "Read all applications",
"id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",
"isEnabled": true,
"origin": "Application",
"value": "Application.Read.All"
}
],
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allow the app to read basic company information of signed-in users.",
"adminConsentDisplayName": "Sign in and read user profile",
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allows you to sign in to the app with your work account and let the app read your profile. It also allows the app to read basic company information.",
"userConsentDisplayName": "Sign you in and read your profile",
"value": "User.Read"
}
]
}
]
}
In the truncated output above, 311a71cc-e848-46a1-bdf8-97ff7156d8e6 is the permission ID of the User.Read delegated permission, and 3afa6a7d-9b1a-42eb-948e-1650a849e176 is the permission ID of the Application.Read.All application permission in Azure AD Graph.
Step 2: Add the Azure AD Graph permissions to the app
The following example calls the Update application API to add the Azure AD Graph User.Read delegated permission and the Application.Read.All application permission to the app registration identified by the object ID 581088ba-83c5-4975-b8af-11d2d7a76e98.
Important
To update the requiredResourceAccess property, you must pass in both the existing permissions and the new permissions. Passing in only the new permissions overwrites and removes the existing permissions.
Request
PATCH https://graph.microsoft.com/v1.0/applications/581088ba-83c5-4975-b8af-11d2d7a76e98
Content-Type: application/json
{
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
},
{
"id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",
"type": "Role"
}
]
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Application
{
RequiredResourceAccess = new List<RequiredResourceAccess>
{
new RequiredResourceAccess
{
ResourceAppId = "00000002-0000-0000-c000-000000000000",
ResourceAccess = new List<ResourceAccess>
{
new ResourceAccess
{
Id = Guid.Parse("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
Type = "Scope",
},
new ResourceAccess
{
Id = Guid.Parse("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
Type = "Role",
},
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
mgc applications patch --application-id {application-id} --body '{\
"requiredResourceAccess": [\
{\
"resourceAppId": "00000002-0000-0000-c000-000000000000",\
"resourceAccess": [\
{\
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",\
"type": "Scope"\
},\
{\
"id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",\
"type": "Role"\
}\
]\
}\
]\
}\
'
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
"github.com/google/uuid"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
requiredResourceAccess := graphmodels.NewRequiredResourceAccess()
resourceAppId := "00000002-0000-0000-c000-000000000000"
requiredResourceAccess.SetResourceAppId(&resourceAppId)
// Delegated permission (User.Read) is expressed as type "Scope".
resourceAccess := graphmodels.NewResourceAccess()
scopeId := uuid.MustParse("311a71cc-e848-46a1-bdf8-97ff7156d8e6")
resourceAccess.SetId(&scopeId)
scopeType := "Scope" // "type" is a Go keyword and cannot be used as a variable name
resourceAccess.SetType(&scopeType)
// Application permission (Application.Read.All) is expressed as type "Role".
resourceAccess1 := graphmodels.NewResourceAccess()
roleId := uuid.MustParse("3afa6a7d-9b1a-42eb-948e-1650a849e176")
resourceAccess1.SetId(&roleId)
roleType := "Role"
resourceAccess1.SetType(&roleType)
resourceAccessList := []graphmodels.ResourceAccessable {
resourceAccess,
resourceAccess1,
}
requiredResourceAccess.SetResourceAccess(resourceAccessList)
requiredResourceAccessList := []graphmodels.RequiredResourceAccessable {
requiredResourceAccess,
}
requestBody.SetRequiredResourceAccess(requiredResourceAccessList)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
LinkedList<RequiredResourceAccess> requiredResourceAccess = new LinkedList<RequiredResourceAccess>();
RequiredResourceAccess requiredResourceAccess1 = new RequiredResourceAccess();
requiredResourceAccess1.setResourceAppId("00000002-0000-0000-c000-000000000000");
LinkedList<ResourceAccess> resourceAccess = new LinkedList<ResourceAccess>();
ResourceAccess resourceAccess1 = new ResourceAccess();
resourceAccess1.setId(UUID.fromString("311a71cc-e848-46a1-bdf8-97ff7156d8e6"));
resourceAccess1.setType("Scope");
resourceAccess.add(resourceAccess1);
ResourceAccess resourceAccess2 = new ResourceAccess();
resourceAccess2.setId(UUID.fromString("3afa6a7d-9b1a-42eb-948e-1650a849e176"));
resourceAccess2.setType("Role");
resourceAccess.add(resourceAccess2);
requiredResourceAccess1.setResourceAccess(resourceAccess);
requiredResourceAccess.add(requiredResourceAccess1);
application.setRequiredResourceAccess(requiredResourceAccess);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
requiredResourceAccess: [
{
resourceAppId: '00000002-0000-0000-c000-000000000000',
resourceAccess: [
{
id: '311a71cc-e848-46a1-bdf8-97ff7156d8e6',
type: 'Scope'
},
{
id: '3afa6a7d-9b1a-42eb-948e-1650a849e176',
type: 'Role'
}
]
}
]
};
await client.api('/applications/581088ba-83c5-4975-b8af-11d2d7a76e98')
.update(application);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\RequiredResourceAccess;
use Microsoft\Graph\Generated\Models\ResourceAccess;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$requiredResourceAccessRequiredResourceAccess1 = new RequiredResourceAccess();
$requiredResourceAccessRequiredResourceAccess1->setResourceAppId('00000002-0000-0000-c000-000000000000');
$resourceAccessResourceAccess1 = new ResourceAccess();
$resourceAccessResourceAccess1->setId('311a71cc-e848-46a1-bdf8-97ff7156d8e6');
$resourceAccessResourceAccess1->setType('Scope');
$resourceAccessArray []= $resourceAccessResourceAccess1;
$resourceAccessResourceAccess2 = new ResourceAccess();
$resourceAccessResourceAccess2->setId('3afa6a7d-9b1a-42eb-948e-1650a849e176');
$resourceAccessResourceAccess2->setType('Role');
$resourceAccessArray []= $resourceAccessResourceAccess2;
$requiredResourceAccessRequiredResourceAccess1->setResourceAccess($resourceAccessArray);
$requiredResourceAccessArray []= $requiredResourceAccessRequiredResourceAccess1;
$requestBody->setRequiredResourceAccess($requiredResourceAccessArray);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Import-Module Microsoft.Graph.Applications
$params = @{
requiredResourceAccess = @(
@{
resourceAppId = "00000002-0000-0000-c000-000000000000"
resourceAccess = @(
@{
id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
type = "Scope"
}
@{
id = "3afa6a7d-9b1a-42eb-948e-1650a849e176"
type = "Role"
}
)
}
)
}
Update-MgApplication -ApplicationId $applicationId -BodyParameter $params
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.required_resource_access import RequiredResourceAccess
from msgraph.generated.models.resource_access import ResourceAccess
from uuid import UUID  # required for the UUID(...) permission IDs below
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
required_resource_access = [
RequiredResourceAccess(
resource_app_id = "00000002-0000-0000-c000-000000000000",
resource_access = [
ResourceAccess(
id = UUID("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
type = "Scope",
),
ResourceAccess(
id = UUID("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
type = "Role",
),
],
),
],
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Response
HTTP/1.1 204 No Content
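Because a PATCH to requiredResourceAccess replaces the whole property, a safe update is read-merge-write. The following added example (not one of the page's own SDK snippets) shows that merge together with the Step 1 lookup that turns permission names from the servicePrincipal response into Scope/Role entries. The servicePrincipal input is constructed from the truncated response above; the pre-existing entry for another resource is a constructed placeholder.

```python
import json
from typing import Any

# Constructed sample: the truncated Azure AD Graph servicePrincipal response from Step 1,
# reduced to the two collections needed to map permission names to IDs.
AAD_GRAPH_SP = json.loads("""{
 "appId": "00000002-0000-0000-c000-000000000000",
 "appRoles": [{"id": "3afa6a7d-9b1a-42eb-948e-1650a849e176", "value": "Application.Read.All"}],
 "oauth2PermissionScopes": [{"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "value": "User.Read"}]
}""")


def resolve_permissions(sp: dict[str, Any], names: list[str]) -> list[dict[str, str]]:
    """Map permission names to resourceAccess entries.

    appRoles become type "Role" (application permission); oauth2PermissionScopes
    become type "Scope" (delegated permission). Unknown names raise rather than
    being guessed, so a typo cannot silently request the wrong permission.
    """
    lookup = {r["value"]: (r["id"], "Role") for r in sp.get("appRoles", [])}
    lookup.update({s["value"]: (s["id"], "Scope") for s in sp.get("oauth2PermissionScopes", [])})
    entries = []
    for name in names:
        if name not in lookup:
            raise KeyError(f"{name} is not exposed by resource {sp['appId']}")
        perm_id, perm_type = lookup[name]
        entries.append({"id": perm_id, "type": perm_type})
    return entries


def merge_required_resource_access(existing, resource_app_id, new_access):
    """Return a requiredResourceAccess list that keeps every existing entry and adds
    new_access under resource_app_id, de-duplicated by permission id.

    The returned list is the full value to send in the PATCH body; the input is not mutated.
    """
    merged = [dict(r, resourceAccess=list(r["resourceAccess"])) for r in existing]
    target = next((r for r in merged if r["resourceAppId"] == resource_app_id), None)
    if target is None:
        target = {"resourceAppId": resource_app_id, "resourceAccess": []}
        merged.append(target)
    seen = {a["id"] for a in target["resourceAccess"]}
    for access in new_access:
        if access["id"] not in seen:
            target["resourceAccess"].append(dict(access))
            seen.add(access["id"])
    return merged
```

Read the current requiredResourceAccess with the GET shown in Step 3, pass it as `existing`, and send the merged list as the PATCH body.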
Step 3: Verify that the Azure AD Graph permissions were added to the app
Verify that the app registration has the Azure AD Graph API permissions added in Step 2 in either of the following ways:
- Call the Microsoft Graph GET /applications/{id} endpoint and read the requiredResourceAccess property, as follows:
GET https://graph.microsoft.com/v1.0/applications/581088ba-83c5-4975-b8af-11d2d7a76e98?$select=id,requiredResourceAccess
- View the app registration page in the Microsoft Entra admin center.
Step 4: Grant admin consent
Although the Azure AD Graph permissions have been added, the app has not yet been granted those permissions. Many permissions require admin consent before they can be used to access organizational data. Sign in to the Microsoft Entra admin center as a Privileged Role Administrator and grant admin consent to the permissions on the app registration.
Grant API permissions without a consent prompt
When using Microsoft Graph and any related SDK, you can grant permissions to an app registration without using the Microsoft Entra admin center and selecting the "Grant admin consent for [company]" button on the API permissions page. For more information, see Grant or revoke API permissions programmatically.