分享程序员开发的那些事...
更新时间:2023-02-14 22:53:14
您可以使用Microsoft Graph API或Azure AD Graph API自动创建(尽管在可能的情况下,您***使用MS Graph). 在这种情况下,由于您基本上掌握了批处理方案,因此我认为PowerShell可能是一个不错的选择.
You can automate creation with Microsoft Graph API or Azure AD Graph API (though you should prefer MS Graph when possible). In this case since you have what is basically a batch scenario in your hands, I feel PowerShell might be a good option.
有一个用于管理Azure AD的PowerShell模块:
There is a PowerShell module for administering Azure AD:
首先使用
Connect-AzureAD
然后我们可以创建一个应用程序:
Then we can create an Application:
$app = New-AzureADApplication -DisplayName 'Created from PS' -IdentifierUris @('https://mytenant.onmicrosoft.com/PSTest1')
然后我们需要创建服务主体,这通常是由门户网站完成的:
Then we need to create the service principal, this is normally done by the portal:
$sp = New-AzureADServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired $true
请注意AppRoleAssignmentRequired参数.
将其设置为true要求将用户分配给该应用,然后他们才能登录.
Note the AppRoleAssignmentRequired parameter.
Setting it to true will require users to be assigned to the app before they can login.
如果您不想这么做,那就把它排除在外吧.
If you don't want that, just leave it out.
现在我们可以分配用户.
您将需要一个用户的ObjectId来将他们分配给应用程序.
您可以通过多种方式使用Get-AzureADUser来获取要分配的用户.
Now we can assign users.
You will need a user's ObjectId to assign them to the app.
You can use Get-AzureADUser in various ways to get the users you want to assign.
但是分配可以这样完成:
But the assignment can then be done like this:
New-AzureADUserAppRoleAssignment -Id '00000000-0000-0000-0000-000000000000' -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -ObjectId $user.ObjectId
如果您在应用中为用户指定了角色,则可以使用角色的ID而不是全零. 在门户中,全零将转换为默认访问权限".
If you had specified roles in your app for users, you could use the role's id instead of all zeros. All zeros translates to "Default access" in the portal.