Answers


You can use the Graph API to create an application in your directory. Here is the PowerShell script.

# Adding the AD library (ADAL) to your PowerShell session.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

# This is the tenant id of your Azure AD. You can use the tenant name instead if you want.
$tenantID = "<your tenant id>"
$authString = "https://login.microsoftonline.com/$tenantID"

# Here, the username must be a user in your organization with MFA disabled,
# and it must have permission to create an AD application.
$username = "<your username>"
$password = "<the password of your username>"

# The resource URI for your token (Azure AD Graph).
# The authority, the resource and the Graph endpoint used below must all belong to the
# same cloud: for Azure China use https://login.chinacloudapi.cn/$tenantID and
# https://graph.chinacloudapi.cn in place of the global endpoints.
$resource = "https://graph.windows.net"

# This is the common client id (the well-known public client used by Azure PowerShell).
$client_id = "1950a258-227b-4e31-a9cf-717495945fc2"

# Create a user credential with the above username and password.
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" `
    -ArgumentList $username,$password

# Create an authentication context with the above authority string.
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" `
    -ArgumentList $authString

# Acquire an access token from the server.
$authenticationResult = $authContext.AcquireToken($resource,$client_id,$creds)

# Use the access token to set up the headers for your HTTP request.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# Send a request to create a new AD application. The endpoint host matches $resource above.
Invoke-RestMethod -Method POST `
    -Uri "https://graph.windows.net/$tenantID/applications?api-version=1.6-internal" `
    -Headers $headers -InFile ./application.json

If "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" is in a different location, you should modify the path in Add-Type.

In "application.json" you should specify the parameters of the application. Here is a simple example.

{
    "odata.type": "Microsoft.DirectoryServices.Application",
    "objectType": "Application",
    "deletionTimestamp": null,
    "allowActAsForAllClients": null,
    "appBranding": null,
    "appCategory": null,
    "appData": null,
    "appMetadata": {
        "version": 0,
        "data": []
    },
    "appRoles": [],
    "availableToOtherTenants": false,
    "displayName": "nativeClient",
    "encryptedMsiApplicationSecret": null,
    "errorUrl": null,
    "groupMembershipClaims": null,
    "homepage": null,
    "identifierUris": [],
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "oauth2AllowImplicitFlow": false,
    "oauth2AllowUrlPathMatching": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "passwordCredentials": [],
    "publicClient": true,
    "recordConsentConditions": null,
    "replyUrls": [
        "http://www.microsoft.com"
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "supportsConvergence": false
}

The "requiredResourceAccess" must be set exactly as above, otherwise your application cannot be managed through the Azure classic portal. If you dig into the JSON file, you will find that a Native Application and a Web App Application share the same API and properties. As long as you keep most of the fields the same as in the example above, Azure will create a native application for you. But of course you can modify displayName and replyUrls.
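Because the manifest posted with the script is sent to the directory as-is, it is worth checking its security-relevant fields before the POST, and worth taking the password out of the script. The following is an added example (my own code, not the answerer's) that does both: it reads application.json in the format shown above, reports fields that a reviewer would normally reject for a native client (implicit flow enabled, non-HTTPS and non-loopback reply URLs, embedded password credentials, application rather than delegated permissions, multi-tenant exposure), and then prompts for credentials instead of hard-coding them. The function name Test-AppManifest and the policy choices it encodes are assumptions; it expects $tenantID to be defined as in the script above and the ADAL assembly to be loaded already. Run against the sample manifest, it flags the plain "http://www.microsoft.com" reply URL.

```powershell
# Added example, not part of the original answer. Assumes the manifest layout shown
# above, PowerShell 5.1 or later, $tenantID already set, and ADAL already loaded.

function Test-AppManifest {
    param([Parameter(Mandatory)][string]$Path)

    $app = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $problems = @()

    # Implicit flow returns tokens in the URL fragment; keep it off unless required.
    if ($app.oauth2AllowImplicitFlow) { $problems += "oauth2AllowImplicitFlow is true" }

    # Reply URLs receive authorization responses, so require HTTPS or a loopback address.
    foreach ($url in $app.replyUrls) {
        $u = [Uri]$url
        if ($u.Scheme -ne 'https' -and -not $u.IsLoopback) {
            $problems += "replyUrl '$url' is neither HTTPS nor loopback"
        }
    }

    # A secret in the manifest ends up in source control; issue it separately instead.
    if ($app.passwordCredentials.Count -gt 0) { $problems += "manifest embeds passwordCredentials" }

    # A native client should request delegated scopes ('Scope'), not app roles ('Role').
    foreach ($res in $app.requiredResourceAccess) {
        foreach ($perm in $res.resourceAccess) {
            if ($perm.type -ne 'Scope') {
                $problems += "permission $($perm.id) on $($res.resourceAppId) has type '$($perm.type)'"
            }
        }
    }

    # Single-tenant unless multi-tenant is an explicit requirement (assumed policy).
    if ($app.availableToOtherTenants) { $problems += "availableToOtherTenants is true" }

    return $problems
}

$findings = @(Test-AppManifest -Path ./application.json)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw "application.json failed the manifest checks; not submitting it."
}

# Prompt for the account interactively rather than storing its password in the script.
$cred = Get-Credential -Message "Account allowed to create applications in tenant $tenantID"
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" `
    -ArgumentList $cred.UserName, $cred.GetNetworkCredential().Password
# $creds can now be passed to AcquireToken exactly as in the script above.
```

The checks are deliberately conservative: a team that needs a multi-tenant app or an application permission would relax the corresponding line, but each relaxation then shows up as an explicit change in review rather than a silently permissive manifest.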
