使用 Microsoft Graph 管理Microsoft Entra应用程序

应用必须在 Microsoft Entra ID 中注册，Microsoft 标识平台才能授权其访问存储在 Microsoft Entra 或 Microsoft 365 租户中的数据。 此条件适用于你自己开发的应用、租户拥有的应用或通过活动订阅访问的应用。

许多应用的设置记录为对象，可以使用 Microsoft Graph 访问、更新或删除这些设置。 本文介绍如何使用 Microsoft Graph 管理应用和服务主体对象，包括属性、权限和角色分配。

先决条件

若要测试 API 操作，需要以下资源和特权：

• 工作Microsoft Entra租户。
• 以有权在租户中创建和管理应用程序的用户身份登录 Graph 资源管理器 。
• 向自己授予为操作指示的最小特权委托权限。

使用 Microsoft Entra ID 注册应用程序

以下请求通过仅指定所需的 displayName 属性来创建应用。

最低特权委托权限： Application.ReadWrite.All。

HTTP

POST https://graph.microsoft.com/v1.0/applications
Content-type: application/json

{
  "displayName": "My application"
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	DisplayName = "My application",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications.PostAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc applications create --body '{\
  "displayName": "My application"\
}\
'

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
displayName := "My application"
requestBody.SetDisplayName(&displayName) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().Post(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
application.setDisplayName("My application");
Application result = graphClient.applications().post(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
  displayName: 'My application'
};

await client.api('/applications')
	.post(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$requestBody->setDisplayName('My application');

$result = $graphServiceClient->applications()->post($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

$params = @{
	displayName = "My application"
}

New-MgApplication -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	display_name = "My application",
)

result = await graph_client.applications.post(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

请求在响应正文中返回 201 Created 带有应用程序对象的响应。 为应用程序分配了一个对租户中应用唯一的 ID，以及一个在Microsoft Entra ID生态系统中全局唯一的 appId。

Create应用程序的服务主体

最低特权委托权限： Application.ReadWrite.All。

HTTP

POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json

{
  "appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	AppId = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.PostAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc service-principals create --body '{\
  "appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"\
}\
'

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()
appId := "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
requestBody.SetAppId(&appId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Post(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setAppId("fc876dd1-6bcb-4304-b9b6-18ddf1526b62");
ServicePrincipal result = graphClient.servicePrincipals().post(servicePrincipal);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
  appId: 'fc876dd1-6bcb-4304-b9b6-18ddf1526b62'
};

await client.api('/servicePrincipals')
	.post(servicePrincipal);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$requestBody->setAppId('fc876dd1-6bcb-4304-b9b6-18ddf1526b62');

$result = $graphServiceClient->servicePrincipals()->post($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

$params = @{
	appId = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
}

New-MgServicePrincipal -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal

graph_client = GraphServiceClient(credentials, scopes)

request_body = ServicePrincipal(
	app_id = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62",
)

result = await graph_client.service_principals.post(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

请求返回响应 201 Created 正文中包含服务主体对象的响应。

寻址应用程序或服务主体对象

可以通过应用程序或服务主体的 ID 或其 appId 来寻址，其中 ID 称为“对象 ID”，appId 在Microsoft Entra 管理中心上称为“应用程序 (客户端) ID”。 应用程序和服务主体上的所有 HTTP CRUD 操作都支持这些语法。

按应用程序或服务主体 ID 寻址。

https://graph.microsoft.com/v1.0/applications/{applicationObjectId}
https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalObjectId}

按 appId 对应用程序或服务主体进行寻址。

https://graph.microsoft.com/v1.0/applications(appId='appId')
https://graph.microsoft.com/v1.0/servicePrincipals(appId='appId')

为应用配置其他基本属性

最低特权委托权限： Application.ReadWrite.All。

为应用配置以下基本属性。

• 在组织中添加用于分类的标记。 此外，使用 HideApp 标记对我的应用和 Microsoft 365 启动器隐藏应用。
• 添加基本信息，包括徽标、服务条款和隐私声明。
• 存储有关应用程序的联系人信息

HTTP

PATCH https://graph.microsoft.com/v1.0/applications/0d0021e2-eaab-4b9f-a5ad-38c55337d63e/
Content-type: application/json

{
    "tags": [
        "HR",
        "Payroll",
        "HideApp"
    ],
    "info": {
        "logoUrl": "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",
        "marketingUrl": "https://www.contoso.com/app/marketing",
        "privacyStatementUrl": "https://www.contoso.com/app/privacy",
        "supportUrl": "https://www.contoso.com/app/support",
        "termsOfServiceUrl": "https://www.contoso.com/app/termsofservice"
    },
    "web": {
        "homePageUrl": "https://www.contoso.com/",
        "logoutUrl": "https://www.contoso.com/frontchannel_logout",
        "redirectUris": [
            "https://localhost"
        ]
    },
    "serviceManagementReference": "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	Tags = new List<string>
	{
		"HR",
		"Payroll",
		"HideApp",
	},
	Info = new InformationalUrl
	{
		LogoUrl = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",
		MarketingUrl = "https://www.contoso.com/app/marketing",
		PrivacyStatementUrl = "https://www.contoso.com/app/privacy",
		SupportUrl = "https://www.contoso.com/app/support",
		TermsOfServiceUrl = "https://www.contoso.com/app/termsofservice",
	},
	Web = new WebApplication
	{
		HomePageUrl = "https://www.contoso.com/",
		LogoutUrl = "https://www.contoso.com/frontchannel_logout",
		RedirectUris = new List<string>
		{
			"https://localhost",
		},
	},
	ServiceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc applications patch --application-id {application-id} --body '{\
    "tags": [\
        "HR",\
        "Payroll",\
        "HideApp"\
    ],\
    "info": {\
        "logoUrl": "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",\
        "marketingUrl": "https://www.contoso.com/app/marketing",\
        "privacyStatementUrl": "https://www.contoso.com/app/privacy",\
        "supportUrl": "https://www.contoso.com/app/support",\
        "termsOfServiceUrl": "https://www.contoso.com/app/termsofservice"\
    },\
    "web": {\
        "homePageUrl": "https://www.contoso.com/",\
        "logoutUrl": "https://www.contoso.com/frontchannel_logout",\
        "redirectUris": [\
            "https://localhost"\
        ]\
    },\
    "serviceManagementReference": "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"\
}\
'

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
tags := []string {
	"HR",
	"Payroll",
	"HideApp",
}
requestBody.SetTags(tags)
info := graphmodels.NewInformationalUrl()
logoUrl := "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png"
info.SetLogoUrl(&logoUrl) 
marketingUrl := "https://www.contoso.com/app/marketing"
info.SetMarketingUrl(&marketingUrl) 
privacyStatementUrl := "https://www.contoso.com/app/privacy"
info.SetPrivacyStatementUrl(&privacyStatementUrl) 
supportUrl := "https://www.contoso.com/app/support"
info.SetSupportUrl(&supportUrl) 
termsOfServiceUrl := "https://www.contoso.com/app/termsofservice"
info.SetTermsOfServiceUrl(&termsOfServiceUrl) 
requestBody.SetInfo(info)
web := graphmodels.NewWebApplication()
homePageUrl := "https://www.contoso.com/"
web.SetHomePageUrl(&homePageUrl) 
logoutUrl := "https://www.contoso.com/frontchannel_logout"
web.SetLogoutUrl(&logoutUrl) 
redirectUris := []string {
	"https://localhost",
}
web.SetRedirectUris(redirectUris)
requestBody.SetWeb(web)
serviceManagementReference := "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
requestBody.SetServiceManagementReference(&serviceManagementReference) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
LinkedList<String> tags = new LinkedList<String>();
tags.add("HR");
tags.add("Payroll");
tags.add("HideApp");
application.setTags(tags);
InformationalUrl info = new InformationalUrl();
info.setLogoUrl("https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png");
info.setMarketingUrl("https://www.contoso.com/app/marketing");
info.setPrivacyStatementUrl("https://www.contoso.com/app/privacy");
info.setSupportUrl("https://www.contoso.com/app/support");
info.setTermsOfServiceUrl("https://www.contoso.com/app/termsofservice");
application.setInfo(info);
WebApplication web = new WebApplication();
web.setHomePageUrl("https://www.contoso.com/");
web.setLogoutUrl("https://www.contoso.com/frontchannel_logout");
LinkedList<String> redirectUris = new LinkedList<String>();
redirectUris.add("https://localhost");
web.setRedirectUris(redirectUris);
application.setWeb(web);
application.setServiceManagementReference("Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;");
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    tags: [
        'HR',
        'Payroll',
        'HideApp'
    ],
    info: {
        logoUrl: 'https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png',
        marketingUrl: 'https://www.contoso.com/app/marketing',
        privacyStatementUrl: 'https://www.contoso.com/app/privacy',
        supportUrl: 'https://www.contoso.com/app/support',
        termsOfServiceUrl: 'https://www.contoso.com/app/termsofservice'
    },
    web: {
        homePageUrl: 'https://www.contoso.com/',
        logoutUrl: 'https://www.contoso.com/frontchannel_logout',
        redirectUris: [
            'https://localhost'
        ]
    },
    serviceManagementReference: 'Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;'
};

await client.api('/applications/0d0021e2-eaab-4b9f-a5ad-38c55337d63e/')
	.update(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\InformationalUrl;
use Microsoft\Graph\Generated\Models\WebApplication;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$requestBody->setTags(['HR', 'Payroll', 'HideApp', 	]);
$info = new InformationalUrl();
$info->setLogoUrl('https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png');
$info->setMarketingUrl('https://www.contoso.com/app/marketing');
$info->setPrivacyStatementUrl('https://www.contoso.com/app/privacy');
$info->setSupportUrl('https://www.contoso.com/app/support');
$info->setTermsOfServiceUrl('https://www.contoso.com/app/termsofservice');
$requestBody->setInfo($info);
$web = new WebApplication();
$web->setHomePageUrl('https://www.contoso.com/');
$web->setLogoutUrl('https://www.contoso.com/frontchannel_logout');
$web->setRedirectUris(['https://localhost', 	]);
$requestBody->setWeb($web);
$requestBody->setServiceManagementReference('Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;');

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

$params = @{
	tags = @(
	"HR"
"Payroll"
"HideApp"
)
info = @{
logoUrl = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png"
marketingUrl = "https://www.contoso.com/app/marketing"
privacyStatementUrl = "https://www.contoso.com/app/privacy"
supportUrl = "https://www.contoso.com/app/support"
termsOfServiceUrl = "https://www.contoso.com/app/termsofservice"
}
web = @{
homePageUrl = "https://www.contoso.com/"
logoutUrl = "https://www.contoso.com/frontchannel_logout"
redirectUris = @(
"https://localhost"
)
}
serviceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.informational_url import InformationalUrl
from msgraph.generated.models.web_application import WebApplication

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	tags = [
		"HR",
		"Payroll",
		"HideApp",
	],
	info = InformationalUrl(
		logo_url = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png",
		marketing_url = "https://www.contoso.com/app/marketing",
		privacy_statement_url = "https://www.contoso.com/app/privacy",
		support_url = "https://www.contoso.com/app/support",
		terms_of_service_url = "https://www.contoso.com/app/termsofservice",
	),
	web = WebApplication(
		home_page_url = "https://www.contoso.com/",
		logout_url = "https://www.contoso.com/frontchannel_logout",
		redirect_uris = [
			"https://localhost",
		],
	),
	service_management_reference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;",
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

将应用登录限制为仅分配的标识

最低特权委托权限： Application.ReadWrite.All。

HTTP

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/89473e09-0737-41a1-a0c3-1418d6908bcd

{
    "appRoleAssignmentRequired": true
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	AppRoleAssignmentRequired = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc service-principals patch --service-principal-id {servicePrincipal-id}

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()
appRoleAssignmentRequired := true
requestBody.SetAppRoleAssignmentRequired(&appRoleAssignmentRequired) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setAppRoleAssignmentRequired(true);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
    appRoleAssignmentRequired: true
};

await client.api('/servicePrincipals/89473e09-0737-41a1-a0c3-1418d6908bcd')
	.update(servicePrincipal);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$requestBody->setAppRoleAssignmentRequired(true);

$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

$params = @{
	appRoleAssignmentRequired = $true
}

Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal

graph_client = GraphServiceClient(credentials, scopes)

request_body = ServicePrincipal(
	app_role_assignment_required = True,
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

为应用分配权限

虽然可以通过Microsoft Entra 管理中心向应用分配权限，但也可以通过 Microsoft Graph 通过更新应用对象的 requiredResourceAccess 属性来分配权限。 必须传入现有权限和新权限。 仅传入新权限会覆盖并删除尚未同意的现有权限。

分配权限不会自动向他们授予应用。 你仍必须使用 Microsoft Entra 管理中心 授予管理员同意。 若要在没有交互式许可的情况下授予权限，请参阅 以编程方式授予或撤销 API 权限。

最低特权委托权限： Application.ReadWrite.All。

HTTP

PATCH https://graph.microsoft.com/v1.0/applications/581088ba-83c5-4975-b8af-11d2d7a76e98
Content-Type: application/json

{
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                    "type": "Scope"
                },
                {
                    "id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",
                    "type": "Role"
                }
            ]
        }
    ]
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	RequiredResourceAccess = new List<RequiredResourceAccess>
	{
		new RequiredResourceAccess
		{
			ResourceAppId = "00000002-0000-0000-c000-000000000000",
			ResourceAccess = new List<ResourceAccess>
			{
				new ResourceAccess
				{
					Id = Guid.Parse("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
					Type = "Scope",
				},
				new ResourceAccess
				{
					Id = Guid.Parse("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
					Type = "Role",
				},
			},
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc applications patch --application-id {application-id} --body '{\
    "requiredResourceAccess": [\
        {\
            "resourceAppId": "00000002-0000-0000-c000-000000000000",\
            "resourceAccess": [\
                {\
                    "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",\
                    "type": "Scope"\
                },\
                {\
                    "id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",\
                    "type": "Role"\
                }\
            ]\
        }\
    ]\
}\
'

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()


requiredResourceAccess := graphmodels.NewRequiredResourceAccess()
resourceAppId := "00000002-0000-0000-c000-000000000000"
requiredResourceAccess.SetResourceAppId(&resourceAppId) 


resourceAccess := graphmodels.NewResourceAccess()
id := uuid.MustParse("311a71cc-e848-46a1-bdf8-97ff7156d8e6")
resourceAccess.SetId(&id) 
type := "Scope"
resourceAccess.SetType(&type) 
resourceAccess1 := graphmodels.NewResourceAccess()
id := uuid.MustParse("3afa6a7d-9b1a-42eb-948e-1650a849e176")
resourceAccess1.SetId(&id) 
type := "Role"
resourceAccess1.SetType(&type) 

resourceAccess := []graphmodels.ResourceAccessable {
	resourceAccess,
	resourceAccess1,
}
requiredResourceAccess.SetResourceAccess(resourceAccess)

requiredResourceAccess := []graphmodels.RequiredResourceAccessable {
	requiredResourceAccess,
}
requestBody.SetRequiredResourceAccess(requiredResourceAccess)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
LinkedList<RequiredResourceAccess> requiredResourceAccess = new LinkedList<RequiredResourceAccess>();
RequiredResourceAccess requiredResourceAccess1 = new RequiredResourceAccess();
requiredResourceAccess1.setResourceAppId("00000002-0000-0000-c000-000000000000");
LinkedList<ResourceAccess> resourceAccess = new LinkedList<ResourceAccess>();
ResourceAccess resourceAccess1 = new ResourceAccess();
resourceAccess1.setId(UUID.fromString("311a71cc-e848-46a1-bdf8-97ff7156d8e6"));
resourceAccess1.setType("Scope");
resourceAccess.add(resourceAccess1);
ResourceAccess resourceAccess2 = new ResourceAccess();
resourceAccess2.setId(UUID.fromString("3afa6a7d-9b1a-42eb-948e-1650a849e176"));
resourceAccess2.setType("Role");
resourceAccess.add(resourceAccess2);
requiredResourceAccess1.setResourceAccess(resourceAccess);
requiredResourceAccess.add(requiredResourceAccess1);
application.setRequiredResourceAccess(requiredResourceAccess);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    requiredResourceAccess: [
        {
            resourceAppId: '00000002-0000-0000-c000-000000000000',
            resourceAccess: [
                {
                    id: '311a71cc-e848-46a1-bdf8-97ff7156d8e6',
                    type: 'Scope'
                },
                {
                    id: '3afa6a7d-9b1a-42eb-948e-1650a849e176',
                    type: 'Role'
                }
            ]
        }
    ]
};

await client.api('/applications/581088ba-83c5-4975-b8af-11d2d7a76e98')
	.update(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\RequiredResourceAccess;
use Microsoft\Graph\Generated\Models\ResourceAccess;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$requiredResourceAccessRequiredResourceAccess1 = new RequiredResourceAccess();
$requiredResourceAccessRequiredResourceAccess1->setResourceAppId('00000002-0000-0000-c000-000000000000');
$resourceAccessResourceAccess1 = new ResourceAccess();
$resourceAccessResourceAccess1->setId('311a71cc-e848-46a1-bdf8-97ff7156d8e6');
$resourceAccessResourceAccess1->setType('Scope');
$resourceAccessArray []= $resourceAccessResourceAccess1;
$resourceAccessResourceAccess2 = new ResourceAccess();
$resourceAccessResourceAccess2->setId('3afa6a7d-9b1a-42eb-948e-1650a849e176');
$resourceAccessResourceAccess2->setType('Role');
$resourceAccessArray []= $resourceAccessResourceAccess2;
$requiredResourceAccessRequiredResourceAccess1->setResourceAccess($resourceAccessArray);

$requiredResourceAccessArray []= $requiredResourceAccessRequiredResourceAccess1;
$requestBody->setRequiredResourceAccess($requiredResourceAccessArray);


$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

$params = @{
	requiredResourceAccess = @(
		@{
			resourceAppId = "00000002-0000-0000-c000-000000000000"
			resourceAccess = @(
				@{
					id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
					type = "Scope"
				}
				@{
					id = "3afa6a7d-9b1a-42eb-948e-1650a849e176"
					type = "Role"
				}
			)
		}
	)
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.required_resource_access import RequiredResourceAccess
from msgraph.generated.models.resource_access import ResourceAccess

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	required_resource_access = [
		RequiredResourceAccess(
			resource_app_id = "00000002-0000-0000-c000-000000000000",
			resource_access = [
				ResourceAccess(
					id = UUID("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
					type = "Scope",
				),
				ResourceAccess(
					id = UUID("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
					type = "Role",
				),
			],
		),
	],
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Create应用角色

在应用程序对象上Create应用角色

若要保留任何现有应用角色，请将其包含在请求中。 否则，它们将替换为新 对象。

HTTP

PATCH https://graph.microsoft.com/v1.0/applications/bbd46130-e957-4c38-a116-d4d02afd1057
Content-Type: application/json

{
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User",
                "Application"
            ],
            "description": "Survey.Read",
            "displayName": "Survey.Read",
            "id": "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0",
            "isEnabled": false,
            "origin": "Application",
            "value": "Survey.Read"
        }
    ]
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	AppRoles = new List<AppRole>
	{
		new AppRole
		{
			AllowedMemberTypes = new List<string>
			{
				"User",
				"Application",
			},
			Description = "Survey.Read",
			DisplayName = "Survey.Read",
			Id = Guid.Parse("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"),
			IsEnabled = false,
			Origin = "Application",
			Value = "Survey.Read",
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc applications patch --application-id {application-id} --body '{\
    "appRoles": [\
        {\
            "allowedMemberTypes": [\
                "User",\
                "Application"\
            ],\
            "description": "Survey.Read",\
            "displayName": "Survey.Read",\
            "id": "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0",\
            "isEnabled": false,\
            "origin": "Application",\
            "value": "Survey.Read"\
        }\
    ]\
}\
'

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()


appRole := graphmodels.NewAppRole()
allowedMemberTypes := []string {
	"User",
	"Application",
}
appRole.SetAllowedMemberTypes(allowedMemberTypes)
description := "Survey.Read"
appRole.SetDescription(&description) 
displayName := "Survey.Read"
appRole.SetDisplayName(&displayName) 
id := uuid.MustParse("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0")
appRole.SetId(&id) 
isEnabled := false
appRole.SetIsEnabled(&isEnabled) 
origin := "Application"
appRole.SetOrigin(&origin) 
value := "Survey.Read"
appRole.SetValue(&value) 

appRoles := []graphmodels.AppRoleable {
	appRole,
}
requestBody.SetAppRoles(appRoles)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
LinkedList<AppRole> appRoles = new LinkedList<AppRole>();
AppRole appRole = new AppRole();
LinkedList<String> allowedMemberTypes = new LinkedList<String>();
allowedMemberTypes.add("User");
allowedMemberTypes.add("Application");
appRole.setAllowedMemberTypes(allowedMemberTypes);
appRole.setDescription("Survey.Read");
appRole.setDisplayName("Survey.Read");
appRole.setId(UUID.fromString("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"));
appRole.setIsEnabled(false);
appRole.setOrigin("Application");
appRole.setValue("Survey.Read");
appRoles.add(appRole);
application.setAppRoles(appRoles);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    appRoles: [
        {
            allowedMemberTypes: [
                'User',
                'Application'
            ],
            description: 'Survey.Read',
            displayName: 'Survey.Read',
            id: '7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0',
            isEnabled: false,
            origin: 'Application',
            value: 'Survey.Read'
        }
    ]
};

await client.api('/applications/bbd46130-e957-4c38-a116-d4d02afd1057')
	.update(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\AppRole;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$appRolesAppRole1 = new AppRole();
$appRolesAppRole1->setAllowedMemberTypes(['User', 'Application', 	]);
$appRolesAppRole1->setDescription('Survey.Read');
$appRolesAppRole1->setDisplayName('Survey.Read');
$appRolesAppRole1->setId('7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0');
$appRolesAppRole1->setIsEnabled(false);
$appRolesAppRole1->setOrigin('Application');
$appRolesAppRole1->setValue('Survey.Read');
$appRolesArray []= $appRolesAppRole1;
$requestBody->setAppRoles($appRolesArray);


$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

$params = @{
	appRoles = @(
		@{
			allowedMemberTypes = @(
			"User"
		"Application"
	)
	description = "Survey.Read"
	displayName = "Survey.Read"
	id = "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"
	isEnabled = $false
	origin = "Application"
	value = "Survey.Read"
}
)
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.app_role import AppRole

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	app_roles = [
		AppRole(
			allowed_member_types = [
				"User",
				"Application",
			],
			description = "Survey.Read",
			display_name = "Survey.Read",
			id = UUID("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"),
			is_enabled = False,
			origin = "Application",
			value = "Survey.Read",
		),
	],
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

管理所有者

使用一个所有者标识无所有者服务主体和服务主体

最低特权委托权限： Application.ReadWrite.All。

此请求要求将 ConsistencyLevel 标头设置为 eventual，因为在请求中有 $count。 有关使用 ConsistencyLevel 和 $count的详细信息，请参阅 目录对象的高级查询功能。

此请求还返回与筛选条件匹配的应用计数。

HTTP

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=owners/$count eq 0 or owners/$count eq 1&$count=true
ConsistencyLevel: eventual

C#

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "owners/$count eq 0 or owners/$count eq 1";
	requestConfiguration.QueryParameters.Count = true;
	requestConfiguration.Headers.Add("ConsistencyLevel", "eventual");
});

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc service-principals list --filter "owners/$count eq 0 or owners/$count eq 1" --count "true" --consistency-level "eventual"

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  abstractions "github.com/microsoft/kiota-abstractions-go"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
	  //other-imports
)

headers := abstractions.NewRequestHeaders()
headers.Add("ConsistencyLevel", "eventual")


requestFilter := "owners/$count eq 0 or owners/$count eq 1"
requestCount := true

requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
	Count: &requestCount,
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
	Headers: headers,
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "owners/$count eq 0 or owners/$count eq 1";
	requestConfiguration.queryParameters.count = true;
	requestConfiguration.headers.add("ConsistencyLevel", "eventual");
});

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

let servicePrincipals = await client.api('/servicePrincipals')
	.header('ConsistencyLevel','eventual')
	.filter('owners/$count eq 0 or owners/$count eq 1')
	.get();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\ServicePrincipalsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ServicePrincipalsRequestBuilderGetRequestConfiguration();
$headers = [
		'ConsistencyLevel' => 'eventual',
	];
$requestConfiguration->headers = $headers;

$queryParameters = ServicePrincipalsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "owners/\$count eq 0 or owners/\$count eq 1";
$queryParameters->count = true;
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->servicePrincipals()->get($requestConfiguration)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

Get-MgServicePrincipal -Filter "owners/`$count eq 0 or owners/`$count eq 1" -CountVariable CountVar  -ConsistencyLevel eventual 

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration

graph_client = GraphServiceClient(credentials, scopes)

query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
		filter = "owners/$count eq 0 or owners/$count eq 1",
		count = True,
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)
request_configuration.headers.add("ConsistencyLevel", "eventual")


result = await graph_client.service_principals.get(request_configuration = request_configuration)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

将所有者分配到应用

最低特权委托权限： Application.ReadWrite.All。

在以下请求中， 8afc02cb-4d62-4dba-b536-9f6d73e9be26 是用户或服务主体的对象 ID。

HTTP

POST https://graph.microsoft.com/v1.0/applications/7b45cf6d-9083-4eb2-92c4-a7e090f1fc40/owners/$ref
Content-Type: application/json

{
    "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ReferenceCreate
{
	OdataId = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Applications["{application-id}"].Owners.Ref.PostAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc applications owners ref post --application-id {application-id} --body '{\
    "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"\
}\
'

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
requestBody.SetOdataId(&odataId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Applications().ByApplicationId("application-id").Owners().Ref().Post(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.ReferenceCreate referenceCreate = new com.microsoft.graph.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26");
graphClient.applications().byApplicationId("{application-id}").owners().ref().post(referenceCreate);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const directoryObject = {
    '@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26'
};

await client.api('/applications/7b45cf6d-9083-4eb2-92c4-a7e090f1fc40/owners/$ref')
	.post(directoryObject);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26');

$graphServiceClient->applications()->byApplicationId('application-id')->owners()->ref()->post($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Applications

$params = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
}

New-MgApplicationOwnerByRef -ApplicationId $applicationId -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate

graph_client = GraphServiceClient(credentials, scopes)

request_body = ReferenceCreate(
	odata_id = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26",
)

await graph_client.applications.by_application_id('application-id').owners.ref.post(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

将所有者分配到服务主体

最低特权委托权限： Application.ReadWrite.All。

以下请求使用 其 appId 引用服务主体。 8afc02cb-4d62-4dba-b536-9f6d73e9be26 是用户或服务主体的对象 ID。

POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='46e6adf4-a9cf-4b60-9390-0ba6fb00bf6b')/owners/$ref
Content-Type: application/json

{
    "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
}

锁定服务主体的敏感属性

使用应用实例锁定功能，可以保护多租户应用的敏感属性免受未经授权的篡改。 可以锁定服务主体对象的以下属性：

• keyCredentials ，其中使用类型为 Sign 或 Verify。
• passwordCredentials ，其中使用类型为 Sign 或 Verify。
• tokenEncryptionKeyId 属性。

可以通过多租户应用的应用程序对象的servicePrincipalLockConfiguration 属性管理应用实例锁定功能。

锁定服务主体的所有敏感属性

当 isEnabled 且 allProperties 设置为 true时，即使 servicePrincipalLockConfiguration 对象的其他属性为 null，也会锁定服务主体的所有敏感属性。

HTTP

PATCH https://graph.microsoft.com/beta/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7

{
    "servicePrincipalLockConfiguration": {
        "isEnabled": true,
        "allProperties": true
    }
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	ServicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration
	{
		IsEnabled = true,
		AllProperties = true,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc-beta applications patch --application-id {application-id}

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
servicePrincipalLockConfiguration := graphmodels.NewServicePrincipalLockConfiguration()
isEnabled := true
servicePrincipalLockConfiguration.SetIsEnabled(&isEnabled) 
allProperties := true
servicePrincipalLockConfiguration.SetAllProperties(&allProperties) 
requestBody.SetServicePrincipalLockConfiguration(servicePrincipalLockConfiguration)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
ServicePrincipalLockConfiguration servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
servicePrincipalLockConfiguration.setIsEnabled(true);
servicePrincipalLockConfiguration.setAllProperties(true);
application.setServicePrincipalLockConfiguration(servicePrincipalLockConfiguration);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    servicePrincipalLockConfiguration: {
        isEnabled: true,
        allProperties: true
    }
};

await client.api('/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7')
	.version('beta')
	.update(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\ServicePrincipalLockConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
$servicePrincipalLockConfiguration->setIsEnabled(true);
$servicePrincipalLockConfiguration->setAllProperties(true);
$requestBody->setServicePrincipalLockConfiguration($servicePrincipalLockConfiguration);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	servicePrincipalLockConfiguration = @{
		isEnabled = $true
		allProperties = $true
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.service_principal_lock_configuration import ServicePrincipalLockConfiguration

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	service_principal_lock_configuration = ServicePrincipalLockConfiguration(
		is_enabled = True,
		all_properties = True,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

锁定服务主体的特定敏感属性

以下示例锁定服务主体的 keyCredentials 和 passwordCredentials 属性，并启用应用实例锁定功能。

HTTP

PATCH https://graph.microsoft.com/beta/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7

{
    "servicePrincipalLockConfiguration": {
        "isEnabled": true,
        "credentialsWithUsageSign": true,
        "credentialsWithUsageVerify": true
    }
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	ServicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration
	{
		IsEnabled = true,
		CredentialsWithUsageSign = true,
		CredentialsWithUsageVerify = true,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

CLI

mgc-beta applications patch --application-id {application-id}

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Go

// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
servicePrincipalLockConfiguration := graphmodels.NewServicePrincipalLockConfiguration()
isEnabled := true
servicePrincipalLockConfiguration.SetIsEnabled(&isEnabled) 
credentialsWithUsageSign := true
servicePrincipalLockConfiguration.SetCredentialsWithUsageSign(&credentialsWithUsageSign) 
credentialsWithUsageVerify := true
servicePrincipalLockConfiguration.SetCredentialsWithUsageVerify(&credentialsWithUsageVerify) 
requestBody.SetServicePrincipalLockConfiguration(servicePrincipalLockConfiguration)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
ServicePrincipalLockConfiguration servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
servicePrincipalLockConfiguration.setIsEnabled(true);
servicePrincipalLockConfiguration.setCredentialsWithUsageSign(true);
servicePrincipalLockConfiguration.setCredentialsWithUsageVerify(true);
application.setServicePrincipalLockConfiguration(servicePrincipalLockConfiguration);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    servicePrincipalLockConfiguration: {
        isEnabled: true,
        credentialsWithUsageSign: true,
        credentialsWithUsageVerify: true
    }
};

await client.api('/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7')
	.version('beta')
	.update(application);

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PHP

<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\ServicePrincipalLockConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
$servicePrincipalLockConfiguration->setIsEnabled(true);
$servicePrincipalLockConfiguration->setCredentialsWithUsageSign(true);
$servicePrincipalLockConfiguration->setCredentialsWithUsageVerify(true);
$requestBody->setServicePrincipalLockConfiguration($servicePrincipalLockConfiguration);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

PowerShell

Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	servicePrincipalLockConfiguration = @{
		isEnabled = $true
		credentialsWithUsageSign = $true
		credentialsWithUsageVerify = $true
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

Python

from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.service_principal_lock_configuration import ServicePrincipalLockConfiguration

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	service_principal_lock_configuration = ServicePrincipalLockConfiguration(
		is_enabled = True,
		credentials_with_usage_sign = True,
		credentials_with_usage_verify = True,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

请阅读 SDK 文档，了解如何将 SDK 添加到项目并创建 authProvider 实例的详细信息。

相关内容

• Microsoft Entra应用清单
• 企业应用程序 (服务主体) 的属性
• 使用 Microsoft Graph 向应用添加证书