Microsoft Entra应用程序可实现对Microsoft云中的资源的安全访问。 Microsoft Graph 提供统一的 API 终结点,可让你以编程方式创建、配置和管理这些应用程序及其关联的服务主体。 本文介绍如何使用 Microsoft Graph 自动执行常见应用管理任务,包括注册应用、更新属性、分配权限和管理凭据。
先决条件
使用 Microsoft Entra ID 注册应用程序
通过指定所需的 displayName 属性创建应用。 请求使用其他属性的默认值。
最低特权委托权限: Application.ReadWrite.All。
POST https://graph.microsoft.com/v1.0/applications
Content-type: application/json
{
"displayName": "My application"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Application
{
DisplayName = "My application",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications.PostAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
displayName := "My application"
requestBody.SetDisplayName(&displayName)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().Post(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
application.setDisplayName("My application");
Application result = graphClient.applications().post(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
displayName: 'My application'
};
await client.api('/applications')
.post(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$requestBody->setDisplayName('My application');
$result = $graphServiceClient->applications()->post($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
$params = @{
displayName = "My application"
}
New-MgApplication -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
display_name = "My application",
)
result = await graph_client.applications.post(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
请求在响应正文中返回 201 Created 带有应用程序对象的响应。 应用程序获取租户中应用唯一的 ID,以及Microsoft Entra ID生态系统中全局唯一的 appId。
为应用程序创建服务主体
最低特权委托权限: Application.ReadWrite.All。
POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json
{
"appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
{
AppId = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.PostAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
mgc service-principals create --body '{\
"appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"\
}\
'
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewServicePrincipal()
appId := "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
requestBody.SetAppId(&appId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Post(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setAppId("fc876dd1-6bcb-4304-b9b6-18ddf1526b62");
ServicePrincipal result = graphClient.servicePrincipals().post(servicePrincipal);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const servicePrincipal = {
appId: 'fc876dd1-6bcb-4304-b9b6-18ddf1526b62'
};
await client.api('/servicePrincipals')
.post(servicePrincipal);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$requestBody->setAppId('fc876dd1-6bcb-4304-b9b6-18ddf1526b62');
$result = $graphServiceClient->servicePrincipals()->post($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
$params = @{
appId = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
}
New-MgServicePrincipal -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
app_id = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62",
)
result = await graph_client.service_principals.post(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
请求返回一个 201 Created 响应,该响应在响应正文中包含服务主体对象。
寻址应用程序或服务主体对象
按 ID 引用应用程序或服务主体。 此语法支持 GET、PATCH 和 DELETE HTTP 方法。
https://graph.microsoft.com/v1.0/applications/{applicationObjectId}
https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalObjectId}
通过其 appId引用应用程序或服务主体。 此语法支持 GET、PATCH 和 DELETE HTTP 方法。
https://graph.microsoft.com/v1.0/applications(appId='appId')
https://graph.microsoft.com/v1.0/servicePrincipals(appId='appId')
使用 PATCH 方法通过其 uniqueName 对应用程序对象进行寻址。 使用此属性创建具有唯一名称的应用程序(如果不存在),或者更新它(如果存在)。 此作称为 Upsert。
PATCH https://graph.microsoft.com/v1.0/applications(uniqueName='{uniqueName}')
Content-Type: application/json
Prefer: create-if-missing
{
"displayName": "Display name"
}
最低特权委托权限: Application.ReadWrite.All。
为应用设置以下基本属性:
- 为分类添加标记 (用于
HideApp对我的应用和 Microsoft 365 启动器) 隐藏应用
- 添加徽标、服务条款和隐私声明
- 存储联系人信息
PATCH https://graph.microsoft.com/v1.0/applications/0d0021e2-eaab-4b9f-a5ad-38c55337d63e/
Content-type: application/json
{
"tags": [
"HR",
"Payroll",
"HideApp"
],
"info": {
"logoUrl": "https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png",
"marketingUrl": "https://www.contoso.com/app/marketing",
"privacyStatementUrl": "https://www.contoso.com/app/privacy",
"supportUrl": "https://www.contoso.com/app/support",
"termsOfServiceUrl": "https://www.contoso.com/app/termsofservice"
},
"web": {
"homePageUrl": "https://www.contoso.com/",
"logoutUrl": "https://www.contoso.com/frontchannel_logout",
"redirectUris": [
"https://localhost"
]
},
"serviceManagementReference": "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Application
{
Tags = new List<string>
{
"HR",
"Payroll",
"HideApp",
},
Info = new InformationalUrl
{
LogoUrl = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",
MarketingUrl = "https://www.contoso.com/app/marketing",
PrivacyStatementUrl = "https://www.contoso.com/app/privacy",
SupportUrl = "https://www.contoso.com/app/support",
TermsOfServiceUrl = "https://www.contoso.com/app/termsofservice",
},
Web = new WebApplication
{
HomePageUrl = "https://www.contoso.com/",
LogoutUrl = "https://www.contoso.com/frontchannel_logout",
RedirectUris = new List<string>
{
"https://localhost",
},
},
ServiceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
mgc applications patch --application-id {application-id} --body '{\
"tags": [\
"HR",\
"Payroll",\
"HideApp"\
],\
"info": {\
"logoUrl": "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",\
"marketingUrl": "https://www.contoso.com/app/marketing",\
"privacyStatementUrl": "https://www.contoso.com/app/privacy",\
"supportUrl": "https://www.contoso.com/app/support",\
"termsOfServiceUrl": "https://www.contoso.com/app/termsofservice"\
},\
"web": {\
"homePageUrl": "https://www.contoso.com/",\
"logoutUrl": "https://www.contoso.com/frontchannel_logout",\
"redirectUris": [\
"https://localhost"\
]\
},\
"serviceManagementReference": "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"\
}\
'
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
tags := []string {
"HR",
"Payroll",
"HideApp",
}
requestBody.SetTags(tags)
info := graphmodels.NewInformationalUrl()
logoUrl := "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png"
info.SetLogoUrl(&logoUrl)
marketingUrl := "https://www.contoso.com/app/marketing"
info.SetMarketingUrl(&marketingUrl)
privacyStatementUrl := "https://www.contoso.com/app/privacy"
info.SetPrivacyStatementUrl(&privacyStatementUrl)
supportUrl := "https://www.contoso.com/app/support"
info.SetSupportUrl(&supportUrl)
termsOfServiceUrl := "https://www.contoso.com/app/termsofservice"
info.SetTermsOfServiceUrl(&termsOfServiceUrl)
requestBody.SetInfo(info)
web := graphmodels.NewWebApplication()
homePageUrl := "https://www.contoso.com/"
web.SetHomePageUrl(&homePageUrl)
logoutUrl := "https://www.contoso.com/frontchannel_logout"
web.SetLogoutUrl(&logoutUrl)
redirectUris := []string {
"https://localhost",
}
web.SetRedirectUris(redirectUris)
requestBody.SetWeb(web)
serviceManagementReference := "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
requestBody.SetServiceManagementReference(&serviceManagementReference)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
LinkedList<String> tags = new LinkedList<String>();
tags.add("HR");
tags.add("Payroll");
tags.add("HideApp");
application.setTags(tags);
InformationalUrl info = new InformationalUrl();
info.setLogoUrl("https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png");
info.setMarketingUrl("https://www.contoso.com/app/marketing");
info.setPrivacyStatementUrl("https://www.contoso.com/app/privacy");
info.setSupportUrl("https://www.contoso.com/app/support");
info.setTermsOfServiceUrl("https://www.contoso.com/app/termsofservice");
application.setInfo(info);
WebApplication web = new WebApplication();
web.setHomePageUrl("https://www.contoso.com/");
web.setLogoutUrl("https://www.contoso.com/frontchannel_logout");
LinkedList<String> redirectUris = new LinkedList<String>();
redirectUris.add("https://localhost");
web.setRedirectUris(redirectUris);
application.setWeb(web);
application.setServiceManagementReference("Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;");
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
tags: [
'HR',
'Payroll',
'HideApp'
],
info: {
logoUrl: 'https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png',
marketingUrl: 'https://www.contoso.com/app/marketing',
privacyStatementUrl: 'https://www.contoso.com/app/privacy',
supportUrl: 'https://www.contoso.com/app/support',
termsOfServiceUrl: 'https://www.contoso.com/app/termsofservice'
},
web: {
homePageUrl: 'https://www.contoso.com/',
logoutUrl: 'https://www.contoso.com/frontchannel_logout',
redirectUris: [
'https://localhost'
]
},
serviceManagementReference: 'Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;'
};
await client.api('/applications/0d0021e2-eaab-4b9f-a5ad-38c55337d63e/')
.update(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\InformationalUrl;
use Microsoft\Graph\Generated\Models\WebApplication;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$requestBody->setTags(['HR', 'Payroll', 'HideApp', ]);
$info = new InformationalUrl();
$info->setLogoUrl('https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png');
$info->setMarketingUrl('https://www.contoso.com/app/marketing');
$info->setPrivacyStatementUrl('https://www.contoso.com/app/privacy');
$info->setSupportUrl('https://www.contoso.com/app/support');
$info->setTermsOfServiceUrl('https://www.contoso.com/app/termsofservice');
$requestBody->setInfo($info);
$web = new WebApplication();
$web->setHomePageUrl('https://www.contoso.com/');
$web->setLogoutUrl('https://www.contoso.com/frontchannel_logout');
$web->setRedirectUris(['https://localhost', ]);
$requestBody->setWeb($web);
$requestBody->setServiceManagementReference('Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;');
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
$params = @{
tags = @(
"HR"
"Payroll"
"HideApp"
)
info = @{
logoUrl = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png"
marketingUrl = "https://www.contoso.com/app/marketing"
privacyStatementUrl = "https://www.contoso.com/app/privacy"
supportUrl = "https://www.contoso.com/app/support"
termsOfServiceUrl = "https://www.contoso.com/app/termsofservice"
}
web = @{
homePageUrl = "https://www.contoso.com/"
logoutUrl = "https://www.contoso.com/frontchannel_logout"
redirectUris = @(
"https://localhost"
)
}
serviceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
}
Update-MgApplication -ApplicationId $applicationId -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.informational_url import InformationalUrl
from msgraph.generated.models.web_application import WebApplication
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
tags = [
"HR",
"Payroll",
"HideApp",
],
info = InformationalUrl(
logo_url = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",
marketing_url = "https://www.contoso.com/app/marketing",
privacy_statement_url = "https://www.contoso.com/app/privacy",
support_url = "https://www.contoso.com/app/support",
terms_of_service_url = "https://www.contoso.com/app/termsofservice",
),
web = WebApplication(
home_page_url = "https://www.contoso.com/",
logout_url = "https://www.contoso.com/frontchannel_logout",
redirect_uris = [
"https://localhost",
],
),
service_management_reference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;",
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
仅限在应用上分配了所有角色的用户登录。
最低特权委托权限: Application.ReadWrite.All。
PATCH https://graph.microsoft.com/v1.0/servicePrincipals/89473e09-0737-41a1-a0c3-1418d6908bcd
{
"appRoleAssignmentRequired": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
{
AppRoleAssignmentRequired = true,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewServicePrincipal()
appRoleAssignmentRequired := true
requestBody.SetAppRoleAssignmentRequired(&appRoleAssignmentRequired)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setAppRoleAssignmentRequired(true);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const servicePrincipal = {
appRoleAssignmentRequired: true
};
await client.api('/servicePrincipals/89473e09-0737-41a1-a0c3-1418d6908bcd')
.update(servicePrincipal);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$requestBody->setAppRoleAssignmentRequired(true);
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
$params = @{
appRoleAssignmentRequired = $true
}
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
app_role_assignment_required = True,
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
为应用分配权限
通过更新应用对象的 requiredResourceAccess 属性,通过 Microsoft Graph 分配权限。 此方法是使用 Microsoft Entra 管理中心 的编程替代方法。 包括现有权限和新权限,以避免删除已分配但未授予的权限。
分配 权限不会 授予 他们权限。 在Microsoft Entra 管理中心中或使用 Microsoft Graph API 以编程方式授予管理员同意。
最低特权委托权限: Application.ReadWrite.All。
PATCH https://graph.microsoft.com/v1.0/applications/581088ba-83c5-4975-b8af-11d2d7a76e98
Content-Type: application/json
{
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
},
{
"id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",
"type": "Role"
}
]
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Application
{
RequiredResourceAccess = new List<RequiredResourceAccess>
{
new RequiredResourceAccess
{
ResourceAppId = "00000002-0000-0000-c000-000000000000",
ResourceAccess = new List<ResourceAccess>
{
new ResourceAccess
{
Id = Guid.Parse("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
Type = "Scope",
},
new ResourceAccess
{
Id = Guid.Parse("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
Type = "Role",
},
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
mgc applications patch --application-id {application-id} --body '{\
"requiredResourceAccess": [\
{\
"resourceAppId": "00000002-0000-0000-c000-000000000000",\
"resourceAccess": [\
{\
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",\
"type": "Scope"\
},\
{\
"id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",\
"type": "Role"\
}\
]\
}\
]\
}\
'
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
requiredResourceAccess := graphmodels.NewRequiredResourceAccess()
resourceAppId := "00000002-0000-0000-c000-000000000000"
requiredResourceAccess.SetResourceAppId(&resourceAppId)
resourceAccess := graphmodels.NewResourceAccess()
id := uuid.MustParse("311a71cc-e848-46a1-bdf8-97ff7156d8e6")
resourceAccess.SetId(&id)
type := "Scope"
resourceAccess.SetType(&type)
resourceAccess1 := graphmodels.NewResourceAccess()
id := uuid.MustParse("3afa6a7d-9b1a-42eb-948e-1650a849e176")
resourceAccess1.SetId(&id)
type := "Role"
resourceAccess1.SetType(&type)
resourceAccess := []graphmodels.ResourceAccessable {
resourceAccess,
resourceAccess1,
}
requiredResourceAccess.SetResourceAccess(resourceAccess)
requiredResourceAccess := []graphmodels.RequiredResourceAccessable {
requiredResourceAccess,
}
requestBody.SetRequiredResourceAccess(requiredResourceAccess)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
LinkedList<RequiredResourceAccess> requiredResourceAccess = new LinkedList<RequiredResourceAccess>();
RequiredResourceAccess requiredResourceAccess1 = new RequiredResourceAccess();
requiredResourceAccess1.setResourceAppId("00000002-0000-0000-c000-000000000000");
LinkedList<ResourceAccess> resourceAccess = new LinkedList<ResourceAccess>();
ResourceAccess resourceAccess1 = new ResourceAccess();
resourceAccess1.setId(UUID.fromString("311a71cc-e848-46a1-bdf8-97ff7156d8e6"));
resourceAccess1.setType("Scope");
resourceAccess.add(resourceAccess1);
ResourceAccess resourceAccess2 = new ResourceAccess();
resourceAccess2.setId(UUID.fromString("3afa6a7d-9b1a-42eb-948e-1650a849e176"));
resourceAccess2.setType("Role");
resourceAccess.add(resourceAccess2);
requiredResourceAccess1.setResourceAccess(resourceAccess);
requiredResourceAccess.add(requiredResourceAccess1);
application.setRequiredResourceAccess(requiredResourceAccess);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
requiredResourceAccess: [
{
resourceAppId: '00000002-0000-0000-c000-000000000000',
resourceAccess: [
{
id: '311a71cc-e848-46a1-bdf8-97ff7156d8e6',
type: 'Scope'
},
{
id: '3afa6a7d-9b1a-42eb-948e-1650a849e176',
type: 'Role'
}
]
}
]
};
await client.api('/applications/581088ba-83c5-4975-b8af-11d2d7a76e98')
.update(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\RequiredResourceAccess;
use Microsoft\Graph\Generated\Models\ResourceAccess;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$requiredResourceAccessRequiredResourceAccess1 = new RequiredResourceAccess();
$requiredResourceAccessRequiredResourceAccess1->setResourceAppId('00000002-0000-0000-c000-000000000000');
$resourceAccessResourceAccess1 = new ResourceAccess();
$resourceAccessResourceAccess1->setId('311a71cc-e848-46a1-bdf8-97ff7156d8e6');
$resourceAccessResourceAccess1->setType('Scope');
$resourceAccessArray []= $resourceAccessResourceAccess1;
$resourceAccessResourceAccess2 = new ResourceAccess();
$resourceAccessResourceAccess2->setId('3afa6a7d-9b1a-42eb-948e-1650a849e176');
$resourceAccessResourceAccess2->setType('Role');
$resourceAccessArray []= $resourceAccessResourceAccess2;
$requiredResourceAccessRequiredResourceAccess1->setResourceAccess($resourceAccessArray);
$requiredResourceAccessArray []= $requiredResourceAccessRequiredResourceAccess1;
$requestBody->setRequiredResourceAccess($requiredResourceAccessArray);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
$params = @{
requiredResourceAccess = @(
@{
resourceAppId = "00000002-0000-0000-c000-000000000000"
resourceAccess = @(
@{
id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
type = "Scope"
}
@{
id = "3afa6a7d-9b1a-42eb-948e-1650a849e176"
type = "Role"
}
)
}
)
}
Update-MgApplication -ApplicationId $applicationId -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.required_resource_access import RequiredResourceAccess
from msgraph.generated.models.resource_access import ResourceAccess
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
required_resource_access = [
RequiredResourceAccess(
resource_app_id = "00000002-0000-0000-c000-000000000000",
resource_access = [
ResourceAccess(
id = UUID("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
type = "Scope",
),
ResourceAccess(
id = UUID("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
type = "Role",
),
],
),
],
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
创建应用角色
在应用程序对象上创建应用角色
若要添加或更新应用角色,请在请求中包含所有现有角色。 如果省略现有角色,则会删除这些角色。
PATCH https://graph.microsoft.com/v1.0/applications/bbd46130-e957-4c38-a116-d4d02afd1057
Content-Type: application/json
{
"appRoles": [
{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "Survey.Read",
"displayName": "Survey.Read",
"id": "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0",
"isEnabled": false,
"origin": "Application",
"value": "Survey.Read"
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Application
{
AppRoles = new List<AppRole>
{
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
"Application",
},
Description = "Survey.Read",
DisplayName = "Survey.Read",
Id = Guid.Parse("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"),
IsEnabled = false,
Origin = "Application",
Value = "Survey.Read",
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
mgc applications patch --application-id {application-id} --body '{\
"appRoles": [\
{\
"allowedMemberTypes": [\
"User",\
"Application"\
],\
"description": "Survey.Read",\
"displayName": "Survey.Read",\
"id": "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0",\
"isEnabled": false,\
"origin": "Application",\
"value": "Survey.Read"\
}\
]\
}\
'
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
appRole := graphmodels.NewAppRole()
allowedMemberTypes := []string {
"User",
"Application",
}
appRole.SetAllowedMemberTypes(allowedMemberTypes)
description := "Survey.Read"
appRole.SetDescription(&description)
displayName := "Survey.Read"
appRole.SetDisplayName(&displayName)
id := uuid.MustParse("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0")
appRole.SetId(&id)
isEnabled := false
appRole.SetIsEnabled(&isEnabled)
origin := "Application"
appRole.SetOrigin(&origin)
value := "Survey.Read"
appRole.SetValue(&value)
appRoles := []graphmodels.AppRoleable {
appRole,
}
requestBody.SetAppRoles(appRoles)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
LinkedList<AppRole> appRoles = new LinkedList<AppRole>();
AppRole appRole = new AppRole();
LinkedList<String> allowedMemberTypes = new LinkedList<String>();
allowedMemberTypes.add("User");
allowedMemberTypes.add("Application");
appRole.setAllowedMemberTypes(allowedMemberTypes);
appRole.setDescription("Survey.Read");
appRole.setDisplayName("Survey.Read");
appRole.setId(UUID.fromString("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"));
appRole.setIsEnabled(false);
appRole.setOrigin("Application");
appRole.setValue("Survey.Read");
appRoles.add(appRole);
application.setAppRoles(appRoles);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
appRoles: [
{
allowedMemberTypes: [
'User',
'Application'
],
description: 'Survey.Read',
displayName: 'Survey.Read',
id: '7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0',
isEnabled: false,
origin: 'Application',
value: 'Survey.Read'
}
]
};
await client.api('/applications/bbd46130-e957-4c38-a116-d4d02afd1057')
.update(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\AppRole;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$appRolesAppRole1 = new AppRole();
$appRolesAppRole1->setAllowedMemberTypes(['User', 'Application', ]);
$appRolesAppRole1->setDescription('Survey.Read');
$appRolesAppRole1->setDisplayName('Survey.Read');
$appRolesAppRole1->setId('7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0');
$appRolesAppRole1->setIsEnabled(false);
$appRolesAppRole1->setOrigin('Application');
$appRolesAppRole1->setValue('Survey.Read');
$appRolesArray []= $appRolesAppRole1;
$requestBody->setAppRoles($appRolesArray);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
$params = @{
appRoles = @(
@{
allowedMemberTypes = @(
"User"
"Application"
)
description = "Survey.Read"
displayName = "Survey.Read"
id = "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"
isEnabled = $false
origin = "Application"
value = "Survey.Read"
}
)
}
Update-MgApplication -ApplicationId $applicationId -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.app_role import AppRole
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
app_roles = [
AppRole(
allowed_member_types = [
"User",
"Application",
],
description = "Survey.Read",
display_name = "Survey.Read",
id = UUID("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"),
is_enabled = False,
origin = "Application",
value = "Survey.Read",
),
],
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
管理所有者
标识无所有者服务主体或只有一个所有者的服务主体
最低特权委托权限: Application.ReadWrite.All。
此请求要求将 ConsistencyLevel 标头设置为 eventual,因为在请求中有 $count。 有关使用 ConsistencyLevel 和 $count的详细信息,请参阅 目录对象的高级查询功能。
此请求还返回与筛选条件匹配的应用计数。
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=owners/$count eq 0 or owners/$count eq 1&$count=true
ConsistencyLevel: eventual
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "owners/$count eq 0 or owners/$count eq 1";
requestConfiguration.QueryParameters.Count = true;
requestConfiguration.Headers.Add("ConsistencyLevel", "eventual");
});
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
mgc service-principals list --filter "owners/$count eq 0 or owners/$count eq 1" --count "true" --consistency-level "eventual"
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
abstractions "github.com/microsoft/kiota-abstractions-go"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
//other-imports
)
headers := abstractions.NewRequestHeaders()
headers.Add("ConsistencyLevel", "eventual")
requestFilter := "owners/$count eq 0 or owners/$count eq 1"
requestCount := true
requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
Filter: &requestFilter,
Count: &requestCount,
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
Headers: headers,
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "owners/$count eq 0 or owners/$count eq 1";
requestConfiguration.queryParameters.count = true;
requestConfiguration.headers.add("ConsistencyLevel", "eventual");
});
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
let servicePrincipals = await client.api('/servicePrincipals')
.header('ConsistencyLevel','eventual')
.filter('owners/$count eq 0 or owners/$count eq 1')
.get();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\ServicePrincipalsRequestBuilderGetRequestConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new ServicePrincipalsRequestBuilderGetRequestConfiguration();
$headers = [
'ConsistencyLevel' => 'eventual',
];
$requestConfiguration->headers = $headers;
$queryParameters = ServicePrincipalsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "owners/\$count eq 0 or owners/\$count eq 1";
$queryParameters->count = true;
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->servicePrincipals()->get($requestConfiguration)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
Get-MgServicePrincipal -Filter "owners/`$count eq 0 or owners/`$count eq 1" -CountVariable CountVar -ConsistencyLevel eventual
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
filter = "owners/$count eq 0 or owners/$count eq 1",
count = True,
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
request_configuration.headers.add("ConsistencyLevel", "eventual")
result = await graph_client.service_principals.get(request_configuration = request_configuration)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
将所有者分配到应用
最低特权委托权限: Application.ReadWrite.All。
在以下请求中, 8afc02cb-4d62-4dba-b536-9f6d73e9be26 是用户或服务主体的对象 ID。
POST https://graph.microsoft.com/v1.0/applications/7b45cf6d-9083-4eb2-92c4-a7e090f1fc40/owners/$ref
Content-Type: application/json
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ReferenceCreate
{
OdataId = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Applications["{application-id}"].Owners.Ref.PostAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
mgc applications owners ref post --application-id {application-id} --body '{\
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"\
}\
'
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
requestBody.SetOdataId(&odataId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Applications().ByApplicationId("application-id").Owners().Ref().Post(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.models.ReferenceCreate referenceCreate = new com.microsoft.graph.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26");
graphClient.applications().byApplicationId("{application-id}").owners().ref().post(referenceCreate);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const directoryObject = {
'@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26'
};
await client.api('/applications/7b45cf6d-9083-4eb2-92c4-a7e090f1fc40/owners/$ref')
.post(directoryObject);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26');
$graphServiceClient->applications()->byApplicationId('application-id')->owners()->ref()->post($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Applications
$params = @{
"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
}
New-MgApplicationOwnerByRef -ApplicationId $applicationId -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
odata_id = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26",
)
await graph_client.applications.by_application_id('application-id').owners.ref.post(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
将所有者分配到服务主体
最低特权委托权限: Application.ReadWrite.All。
以下请求使用 其 appId 引用服务主体。 或者,可以使用模式 ../servicePrincipals/{object ID}/owners/$ref中的对象 ID 来引用它。
dddddddd-9999-0000-1111-eeeeeeeeeeee 是用户或服务主体的对象 ID。
POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='00001111-aaaa-2222-bbbb-3333cccc4444')/owners/$ref
Content-Type: application/json
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/dddddddd-9999-0000-1111-eeeeeeeeeeee"
}
锁定服务主体的敏感属性
使用应用实例锁定功能保护服务主体的敏感属性免受未经授权的更改。 Yo 可以锁定以下属性:
-
keyCredentials ,其中使用类型为
Sign 或 Verify。
-
passwordCredentials ,其中使用类型为
Sign 或 Verify。
-
tokenEncryptionKeyId 属性。
可以通过多租户应用的应用程序对象的servicePrincipalLockConfiguration 属性管理应用实例锁功能。
锁定服务主体的所有敏感属性
当 isEnabled 且 allProperties 设置为 true时,即使 servicePrincipalLockConfiguration 对象的其他属性为 null,也会锁定服务主体的所有敏感属性。
PATCH https://graph.microsoft.com/beta/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7
{
"servicePrincipalLockConfiguration": {
"isEnabled": true,
"allProperties": true
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new Application
{
ServicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration
{
IsEnabled = true,
AllProperties = true,
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
servicePrincipalLockConfiguration := graphmodels.NewServicePrincipalLockConfiguration()
isEnabled := true
servicePrincipalLockConfiguration.SetIsEnabled(&isEnabled)
allProperties := true
servicePrincipalLockConfiguration.SetAllProperties(&allProperties)
requestBody.SetServicePrincipalLockConfiguration(servicePrincipalLockConfiguration)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
ServicePrincipalLockConfiguration servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
servicePrincipalLockConfiguration.setIsEnabled(true);
servicePrincipalLockConfiguration.setAllProperties(true);
application.setServicePrincipalLockConfiguration(servicePrincipalLockConfiguration);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
servicePrincipalLockConfiguration: {
isEnabled: true,
allProperties: true
}
};
await client.api('/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7')
.version('beta')
.update(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\ServicePrincipalLockConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
$servicePrincipalLockConfiguration->setIsEnabled(true);
$servicePrincipalLockConfiguration->setAllProperties(true);
$requestBody->setServicePrincipalLockConfiguration($servicePrincipalLockConfiguration);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Beta.Applications
$params = @{
servicePrincipalLockConfiguration = @{
isEnabled = $true
allProperties = $true
}
}
Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.service_principal_lock_configuration import ServicePrincipalLockConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
service_principal_lock_configuration = ServicePrincipalLockConfiguration(
is_enabled = True,
all_properties = True,
),
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
锁定服务主体的特定敏感属性
以下示例锁定服务主体的 keyCredentials 和 passwordCredentials 属性,并启用应用实例锁定功能。
PATCH https://graph.microsoft.com/beta/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7
{
"servicePrincipalLockConfiguration": {
"isEnabled": true,
"credentialsWithUsageSign": true,
"credentialsWithUsageVerify": true
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new Application
{
ServicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration
{
IsEnabled = true,
CredentialsWithUsageSign = true,
CredentialsWithUsageVerify = true,
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewApplication()
servicePrincipalLockConfiguration := graphmodels.NewServicePrincipalLockConfiguration()
isEnabled := true
servicePrincipalLockConfiguration.SetIsEnabled(&isEnabled)
credentialsWithUsageSign := true
servicePrincipalLockConfiguration.SetCredentialsWithUsageSign(&credentialsWithUsageSign)
credentialsWithUsageVerify := true
servicePrincipalLockConfiguration.SetCredentialsWithUsageVerify(&credentialsWithUsageVerify)
requestBody.SetServicePrincipalLockConfiguration(servicePrincipalLockConfiguration)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
ServicePrincipalLockConfiguration servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
servicePrincipalLockConfiguration.setIsEnabled(true);
servicePrincipalLockConfiguration.setCredentialsWithUsageSign(true);
servicePrincipalLockConfiguration.setCredentialsWithUsageVerify(true);
application.setServicePrincipalLockConfiguration(servicePrincipalLockConfiguration);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const application = {
servicePrincipalLockConfiguration: {
isEnabled: true,
credentialsWithUsageSign: true,
credentialsWithUsageVerify: true
}
};
await client.api('/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7')
.version('beta')
.update(application);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\ServicePrincipalLockConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
$servicePrincipalLockConfiguration->setIsEnabled(true);
$servicePrincipalLockConfiguration->setCredentialsWithUsageSign(true);
$servicePrincipalLockConfiguration->setCredentialsWithUsageVerify(true);
$requestBody->setServicePrincipalLockConfiguration($servicePrincipalLockConfiguration);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Beta.Applications
$params = @{
servicePrincipalLockConfiguration = @{
isEnabled = $true
credentialsWithUsageSign = $true
credentialsWithUsageVerify = $true
}
}
Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.service_principal_lock_configuration import ServicePrincipalLockConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
service_principal_lock_configuration = ServicePrincipalLockConfiguration(
is_enabled = True,
credentials_with_usage_sign = True,
credentials_with_usage_verify = True,
),
)
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
可以将租户中应用的证书凭据使用情况限制为仅受信任的证书颁发机构颁发的证书。 向应用添加证书时会强制实施此策略,除非轮换现有证书,否则不会影响现有证书。 当应用尝试轮换其证书凭据时,它会经历策略评估,以确保添加的凭据符合受信任的证书颁发机构限制。
步骤 1:创建信任证书链
最低特权委派权限:AppCertTrustConfiguration.Read.All最低特权Microsoft Entra角色:Application Administrator
POST https://graph.microsoft.com/beta/certificateAuthorities/certificateBasedApplicationConfigurations
{
"displayName": "Trusted Certificate Chain of Trust for Contoso",
"description": "The Trusted Certificate Chain of Trust containing a certificate chain used by app policy, to only allow application certificates from selected issuer.",
"trustedCertificateAuthorities": [
{
"isRootAuthority": true,
"certificate": "MIIFVjCCAz6gAwIBAgIQJdrL...UyNDIyNTcwM1owPDE …="
},
{
"isRootAuthority": false,
"certificate": QAAAAAAWjABAQsFADA8M...UyNDIyNTcwM1o …="
}
]
}
const options = {
authProvider,
};
const client = Client.init(options);
const certificateBasedApplicationConfiguration = {
displayName: 'Trusted Certificate Chain of Trust for Contoso',
description: 'The Trusted Certificate Chain of Trust containing a certificate chain used by app policy, to only allow application certificates from selected issuer.',
trustedCertificateAuthorities: [
{
isRootAuthority: true,
certificate: 'MIIFVjCCAz6gAwIBAgIQJdrL...UyNDIyNTcwM1owPDE …='
},
{
isRootAuthority: false,
certificate: QAAAAAAWjABAQsFADA8M...UyNDIyNTcwM1o …="
}
]
};
await client.api('/certificateAuthorities/certificateBasedApplicationConfigurations')
.version('beta')
.post(certificateBasedApplicationConfiguration);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
请求会返回 200 OK 响应对象。 响应包括信任对象的证书链的 ID。 假设在步骤 2 中使用了 ID eec5ba11-2fc0-4113-83a2-ed986ed13743 。
步骤 2:将证书信任链分配给应用程序管理策略
以下示例设置一个策略,以确保只能将上一步中定义的中间证书颁发机构颁发的证书添加到租户中的应用。
applicationRestrictions>keyCredentials 对象使用 值 trustedCertificateAuthority定义一个 restrictionType,该值引用创建的 ID。 由于此策略应用于默认租户级应用管理策略,因此将对租户中创建的所有应用强制实施此策略,并拒绝尝试添加不合规证书作为应用的证书凭据的一部分。
此策略确保只能将来自指定中间证书颁发机构的证书添加到应用。
applicationRestrictions>keyCredentials 对象将 restrictionType 设置为 trustedCertificateAuthority,引用创建的 ID。 此策略适用于租户中的所有应用,拒绝任何不符合要求的证书。
最低特权委派权限:Policy.Read.ApplicationConfiguration最低特权Microsoft Entra角色:Security Administrator
PATCH https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy
{
"id": "d015220e-9789-4e8e-bbcc-270fe419229d",
"description": "Lorem ipsum",
"displayName": "Credential management policy",
"isEnabled": true,
"applicationRestrictions": {
"passwordCredentials": [
{
"restrictionType": "passwordLifetime",
"maxLifetime": "P14D",
"restrictForAppsCreatedAfterDateTime": "2020-01-01T07:00:00Z"
}
],
"keyCredentials": [
{
"restrictionType": "certificateLifetime",
"restrictForAppsCreatedAfterDateTime": "2020-01-01T10:37:00Z",
"maxLifetime": "P90D"
},
{
"restrictionType": "trustedCertificateAuthority",
"certificateBasedApplicationConfigurationIds": [
"eec5ba11-2fc0-4113-83a2-ed986ed13743"
],
"restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z"
}
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new TenantAppManagementPolicy
{
Id = "d015220e-9789-4e8e-bbcc-270fe419229d",
Description = "Lorem ipsum",
DisplayName = "Credential management policy",
IsEnabled = true,
ApplicationRestrictions = new AppManagementApplicationConfiguration
{
PasswordCredentials = new List<PasswordCredentialConfiguration>
{
new PasswordCredentialConfiguration
{
RestrictionType = AppCredentialRestrictionType.PasswordLifetime,
MaxLifetime = TimeSpan.Parse("P14D"),
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2020-01-01T07:00:00Z"),
},
},
KeyCredentials = new List<KeyCredentialConfiguration>
{
new KeyCredentialConfiguration
{
RestrictionType = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2020-01-01T10:37:00Z"),
MaxLifetime = TimeSpan.Parse("P90D"),
},
new KeyCredentialConfiguration
{
RestrictionType = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2019-10-19T10:37:00Z"),
AdditionalData = new Dictionary<string, object>
{
{
"certificateBasedApplicationConfigurationIds" , new List<string>
{
"eec5ba11-2fc0-4113-83a2-ed986ed13743",
}
},
},
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.DefaultAppManagementPolicy.PatchAsync(requestBody);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewTenantAppManagementPolicy()
id := "d015220e-9789-4e8e-bbcc-270fe419229d"
requestBody.SetId(&id)
description := "Lorem ipsum"
requestBody.SetDescription(&description)
displayName := "Credential management policy"
requestBody.SetDisplayName(&displayName)
isEnabled := true
requestBody.SetIsEnabled(&isEnabled)
applicationRestrictions := graphmodels.NewAppManagementApplicationConfiguration()
passwordCredentialConfiguration := graphmodels.NewPasswordCredentialConfiguration()
restrictionType := graphmodels.PASSWORDLIFETIME_APPCREDENTIALRESTRICTIONTYPE
passwordCredentialConfiguration.SetRestrictionType(&restrictionType)
maxLifetime , err := abstractions.ParseISODuration("P14D")
passwordCredentialConfiguration.SetMaxLifetime(&maxLifetime)
restrictForAppsCreatedAfterDateTime , err := time.Parse(time.RFC3339, "2020-01-01T07:00:00Z")
passwordCredentialConfiguration.SetRestrictForAppsCreatedAfterDateTime(&restrictForAppsCreatedAfterDateTime)
passwordCredentials := []graphmodels.PasswordCredentialConfigurationable {
passwordCredentialConfiguration,
}
applicationRestrictions.SetPasswordCredentials(passwordCredentials)
keyCredentialConfiguration := graphmodels.NewKeyCredentialConfiguration()
restrictionType := graphmodels.CERTIFICATELIFETIME_APPKEYCREDENTIALRESTRICTIONTYPE
keyCredentialConfiguration.SetRestrictionType(&restrictionType)
restrictForAppsCreatedAfterDateTime , err := time.Parse(time.RFC3339, "2020-01-01T10:37:00Z")
keyCredentialConfiguration.SetRestrictForAppsCreatedAfterDateTime(&restrictForAppsCreatedAfterDateTime)
maxLifetime , err := abstractions.ParseISODuration("P90D")
keyCredentialConfiguration.SetMaxLifetime(&maxLifetime)
keyCredentialConfiguration1 := graphmodels.NewKeyCredentialConfiguration()
restrictionType := graphmodels.TRUSTEDCERTIFICATEAUTHORITY_APPKEYCREDENTIALRESTRICTIONTYPE
keyCredentialConfiguration1.SetRestrictionType(&restrictionType)
restrictForAppsCreatedAfterDateTime , err := time.Parse(time.RFC3339, "2019-10-19T10:37:00Z")
keyCredentialConfiguration1.SetRestrictForAppsCreatedAfterDateTime(&restrictForAppsCreatedAfterDateTime)
additionalData := map[string]interface{}{
certificateBasedApplicationConfigurationIds := []string {
"eec5ba11-2fc0-4113-83a2-ed986ed13743",
}
}
keyCredentialConfiguration1.SetAdditionalData(additionalData)
keyCredentials := []graphmodels.KeyCredentialConfigurationable {
keyCredentialConfiguration,
keyCredentialConfiguration1,
}
applicationRestrictions.SetKeyCredentials(keyCredentials)
requestBody.SetApplicationRestrictions(applicationRestrictions)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
defaultAppManagementPolicy, err := graphClient.Policies().DefaultAppManagementPolicy().Patch(context.Background(), requestBody, nil)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
TenantAppManagementPolicy tenantAppManagementPolicy = new TenantAppManagementPolicy();
tenantAppManagementPolicy.setId("d015220e-9789-4e8e-bbcc-270fe419229d");
tenantAppManagementPolicy.setDescription("Lorem ipsum");
tenantAppManagementPolicy.setDisplayName("Credential management policy");
tenantAppManagementPolicy.setIsEnabled(true);
AppManagementApplicationConfiguration applicationRestrictions = new AppManagementApplicationConfiguration();
LinkedList<PasswordCredentialConfiguration> passwordCredentials = new LinkedList<PasswordCredentialConfiguration>();
PasswordCredentialConfiguration passwordCredentialConfiguration = new PasswordCredentialConfiguration();
passwordCredentialConfiguration.setRestrictionType(AppCredentialRestrictionType.PasswordLifetime);
PeriodAndDuration maxLifetime = PeriodAndDuration.ofDuration(Duration.parse("P14D"));
passwordCredentialConfiguration.setMaxLifetime(maxLifetime);
OffsetDateTime restrictForAppsCreatedAfterDateTime = OffsetDateTime.parse("2020-01-01T07:00:00Z");
passwordCredentialConfiguration.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime);
passwordCredentials.add(passwordCredentialConfiguration);
applicationRestrictions.setPasswordCredentials(passwordCredentials);
LinkedList<KeyCredentialConfiguration> keyCredentials = new LinkedList<KeyCredentialConfiguration>();
KeyCredentialConfiguration keyCredentialConfiguration = new KeyCredentialConfiguration();
keyCredentialConfiguration.setRestrictionType(AppKeyCredentialRestrictionType.AsymmetricKeyLifetime);
OffsetDateTime restrictForAppsCreatedAfterDateTime1 = OffsetDateTime.parse("2020-01-01T10:37:00Z");
keyCredentialConfiguration.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime1);
PeriodAndDuration maxLifetime1 = PeriodAndDuration.ofDuration(Duration.parse("P90D"));
keyCredentialConfiguration.setMaxLifetime(maxLifetime1);
keyCredentials.add(keyCredentialConfiguration);
KeyCredentialConfiguration keyCredentialConfiguration1 = new KeyCredentialConfiguration();
keyCredentialConfiguration1.setRestrictionType(AppKeyCredentialRestrictionType.AsymmetricKeyLifetime);
OffsetDateTime restrictForAppsCreatedAfterDateTime2 = OffsetDateTime.parse("2019-10-19T10:37:00Z");
keyCredentialConfiguration1.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime2);
HashMap<String, Object> additionalData = new HashMap<String, Object>();
LinkedList<String> certificateBasedApplicationConfigurationIds = new LinkedList<String>();
certificateBasedApplicationConfigurationIds.add("eec5ba11-2fc0-4113-83a2-ed986ed13743");
additionalData.put("certificateBasedApplicationConfigurationIds", certificateBasedApplicationConfigurationIds);
keyCredentialConfiguration1.setAdditionalData(additionalData);
keyCredentials.add(keyCredentialConfiguration1);
applicationRestrictions.setKeyCredentials(keyCredentials);
tenantAppManagementPolicy.setApplicationRestrictions(applicationRestrictions);
TenantAppManagementPolicy result = graphClient.policies().defaultAppManagementPolicy().patch(tenantAppManagementPolicy);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const tenantAppManagementPolicy = {
id: 'd015220e-9789-4e8e-bbcc-270fe419229d',
description: 'Lorem ipsum',
displayName: 'Credential management policy',
isEnabled: true,
applicationRestrictions: {
passwordCredentials: [
{
restrictionType: 'passwordLifetime',
maxLifetime: 'P14D',
restrictForAppsCreatedAfterDateTime: '2020-01-01T07:00:00Z'
}
],
keyCredentials: [
{
restrictionType: 'certificateLifetime',
restrictForAppsCreatedAfterDateTime: '2020-01-01T10:37:00Z',
maxLifetime: 'P90D'
},
{
restrictionType: 'trustedCertificateAuthority',
certificateBasedApplicationConfigurationIds: [
'eec5ba11-2fc0-4113-83a2-ed986ed13743'
],
restrictForAppsCreatedAfterDateTime: '2019-10-19T10:37:00Z'
}
]
}
};
await client.api('/policies/defaultAppManagementPolicy')
.update(tenantAppManagementPolicy);
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\TenantAppManagementPolicy;
use Microsoft\Graph\Generated\Models\AppManagementApplicationConfiguration;
use Microsoft\Graph\Generated\Models\PasswordCredentialConfiguration;
use Microsoft\Graph\Generated\Models\AppCredentialRestrictionType;
use Microsoft\Graph\Generated\Models\KeyCredentialConfiguration;
use Microsoft\Graph\Generated\Models\AppKeyCredentialRestrictionType;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new TenantAppManagementPolicy();
$requestBody->setId('d015220e-9789-4e8e-bbcc-270fe419229d');
$requestBody->setDescription('Lorem ipsum');
$requestBody->setDisplayName('Credential management policy');
$requestBody->setIsEnabled(true);
$applicationRestrictions = new AppManagementApplicationConfiguration();
$passwordCredentialsPasswordCredentialConfiguration1 = new PasswordCredentialConfiguration();
$passwordCredentialsPasswordCredentialConfiguration1->setRestrictionType(new AppCredentialRestrictionType('passwordLifetime'));
$passwordCredentialsPasswordCredentialConfiguration1->setMaxLifetime(new \DateInterval('P14D'));
$passwordCredentialsPasswordCredentialConfiguration1->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2020-01-01T07:00:00Z'));
$passwordCredentialsArray []= $passwordCredentialsPasswordCredentialConfiguration1;
$applicationRestrictions->setPasswordCredentials($passwordCredentialsArray);
$keyCredentialsKeyCredentialConfiguration1 = new KeyCredentialConfiguration();
$keyCredentialsKeyCredentialConfiguration1->setRestrictionType(new AppKeyCredentialRestrictionType('certificateLifetime'));
$keyCredentialsKeyCredentialConfiguration1->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2020-01-01T10:37:00Z'));
$keyCredentialsKeyCredentialConfiguration1->setMaxLifetime(new \DateInterval('P90D'));
$keyCredentialsArray []= $keyCredentialsKeyCredentialConfiguration1;
$keyCredentialsKeyCredentialConfiguration2 = new KeyCredentialConfiguration();
$keyCredentialsKeyCredentialConfiguration2->setRestrictionType(new AppKeyCredentialRestrictionType('trustedCertificateAuthority'));
$keyCredentialsKeyCredentialConfiguration2->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2019-10-19T10:37:00Z'));
$additionalData = [
'certificateBasedApplicationConfigurationIds' => [
'eec5ba11-2fc0-4113-83a2-ed986ed13743', ],
];
$keyCredentialsKeyCredentialConfiguration2->setAdditionalData($additionalData);
$keyCredentialsArray []= $keyCredentialsKeyCredentialConfiguration2;
$applicationRestrictions->setKeyCredentials($keyCredentialsArray);
$requestBody->setApplicationRestrictions($applicationRestrictions);
$result = $graphServiceClient->policies()->defaultAppManagementPolicy()->patch($requestBody)->wait();
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
id = "d015220e-9789-4e8e-bbcc-270fe419229d"
description = "Lorem ipsum"
displayName = "Credential management policy"
isEnabled = $true
applicationRestrictions = @{
passwordCredentials = @(
@{
restrictionType = "passwordLifetime"
maxLifetime = "P14D"
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2020-01-01T07:00:00Z")
}
)
keyCredentials = @(
@{
restrictionType = "certificateLifetime"
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2020-01-01T10:37:00Z")
maxLifetime = "P90D"
}
@{
restrictionType = "trustedCertificateAuthority"
certificateBasedApplicationConfigurationIds = @(
"eec5ba11-2fc0-4113-83a2-ed986ed13743"
)
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2019-10-19T10:37:00Z")
}
)
}
}
Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.tenant_app_management_policy import TenantAppManagementPolicy
from msgraph.generated.models.app_management_application_configuration import AppManagementApplicationConfiguration
from msgraph.generated.models.password_credential_configuration import PasswordCredentialConfiguration
from msgraph.generated.models.app_credential_restriction_type import AppCredentialRestrictionType
from msgraph.generated.models.key_credential_configuration import KeyCredentialConfiguration
from msgraph.generated.models.app_key_credential_restriction_type import AppKeyCredentialRestrictionType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = TenantAppManagementPolicy(
id = "d015220e-9789-4e8e-bbcc-270fe419229d",
description = "Lorem ipsum",
display_name = "Credential management policy",
is_enabled = True,
application_restrictions = AppManagementApplicationConfiguration(
password_credentials = [
PasswordCredentialConfiguration(
restriction_type = AppCredentialRestrictionType.PasswordLifetime,
max_lifetime = "P14D",
restrict_for_apps_created_after_date_time = "2020-01-01T07:00:00Z",
),
],
key_credentials = [
KeyCredentialConfiguration(
restriction_type = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
restrict_for_apps_created_after_date_time = "2020-01-01T10:37:00Z",
max_lifetime = "P90D",
),
KeyCredentialConfiguration(
restriction_type = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
restrict_for_apps_created_after_date_time = "2019-10-19T10:37:00Z",
additional_data = {
"certificate_based_application_configuration_ids" : [
"eec5ba11-2fc0-4113-83a2-ed986ed13743",
],
}
),
],
),
)
result = await graph_client.policies.default_app_management_policy.patch(request_body)
请阅读 SDK 文档,了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。
相关内容