Answer

1

You can use the Graph API to create an application in your directory. Here is the PowerShell script.

# Adding the ADAL library to your PowerShell session.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

# This is the tenant id of your Azure AD. You can use the tenant name instead if you want.
$tenantID = "<your tenant id>"
$authString = "https://login.microsoftonline.com/$tenantID"

# Here, the username must be a user in your organization with MFA disabled,
# and it must have permission to create an AD application.
# Note: the password is stored in plain text here; keep the script out of source
# control, or prompt for it with Get-Credential instead.
$username = "<your username>"
$password = "<the password of your username>"

# The resource URI (token audience) for your token. It must belong to the same
# cloud as the Graph endpoint called below, otherwise the token is rejected.
$resource = "https://graph.windows.net"

# This is the common client id.
$client_id = "1950a258-227b-4e31-a9cf-717495945fc2"

# Create a user credential with the username and password above.
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" `
     -ArgumentList $username,$password

# Create an authentication context with the authority string above.
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" `
     -ArgumentList $authString

# Acquire an access token from the server (ADAL v2 overload: resource, client id, user credential).
$authenticationResult = $authContext.AcquireToken($resource,$client_id,$creds)

# Use the access token to set up the headers for your HTTP request.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# Send a request to create a new AD application from the body in application.json.
Invoke-RestMethod -Method POST `
    -Uri "https://graph.chinacloudapi.cn/$tenantID/applications?api-version=1.6-internal" `
    -Headers $headers -InFile ./application.json

If "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" is in a different location, you should modify the Add-Type path.

In "application.json", you should specify the parameters of the application. Here is a simple example.

{
    "odata.type": "Microsoft.DirectoryServices.Application",
    "objectType": "Application",
    "deletionTimestamp": null,
    "allowActAsForAllClients": null,
    "appBranding": null,
    "appCategory": null,
    "appData": null,
    "appMetadata": {
        "version": 0,
        "data": []
    },
    "appRoles": [],
    "availableToOtherTenants": false,
    "displayName": "nativeClient",
    "encryptedMsiApplicationSecret": null,
    "errorUrl": null,
    "groupMembershipClaims": null,
    "homepage": null,
    "identifierUris": [],
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "oauth2AllowImplicitFlow": false,
    "oauth2AllowUrlPathMatching": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "passwordCredentials": [],
    "publicClient": true,
    "recordConsentConditions": null,
    "replyUrls": [
        "http://www.microsoft.com"
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "supportsConvergence": false
}

The "requiredResourceAccess" must be set exactly as above, otherwise your application cannot be managed through the Azure classic portal. If you dig into the JSON file, you will find that Native Application and Web App Application share the same API and properties. As long as you keep most of the fields the same as in the example above, Azure will create a native application for you. But, of course, you can modify displayName and replyUrls.
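The following is an added example, not the answerer's script: it builds the same application body in PowerShell instead of hand-editing application.json, checks the invariants the answer calls out (publicClient true, no passwordCredentials, the exact requiredResourceAccess block) before anything is sent, prompts for the credential instead of storing the password in the script, and prints the Graph error body when the POST is rejected. It assumes Windows PowerShell 5.1 with the same ADAL v2 DLL path as the answer, that this ADAL build has the UserCredential(string, SecureString) constructor, the documented api-version=1.6 instead of 1.6-internal, and that the Graph host and the token audience belong to the same cloud (both graph.windows.net here). The function names, the https reply URL and the tenant placeholder are constructed for the example.

```powershell
# Added example (not from the original answer). Assumes Windows PowerShell 5.1 and ADAL v2.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

function New-NativeAppDefinition {
    # Builds the application body from the answer's example; only displayName and replyUrls vary.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string[]]$ReplyUrls = @('http://www.microsoft.com')
    )
    [ordered]@{
        'odata.type'               = 'Microsoft.DirectoryServices.Application'
        objectType                 = 'Application'
        appMetadata                = @{ version = 0; data = @() }
        appRoles                   = @()
        availableToOtherTenants    = $false
        displayName                = $DisplayName
        identifierUris             = @()
        keyCredentials             = @()
        knownClientApplications    = @()
        oauth2AllowImplicitFlow    = $false
        oauth2AllowUrlPathMatching = $false
        oauth2Permissions          = @()
        oauth2RequirePostResponse  = $false
        passwordCredentials        = @()
        publicClient               = $true
        replyUrls                  = @($ReplyUrls)
        # Must match the answer exactly, or the classic portal cannot manage the app.
        requiredResourceAccess     = @(
            @{
                resourceAppId  = '00000002-0000-0000-c000-000000000000'
                resourceAccess = @(@{ id = '311a71cc-e848-46a1-bdf8-97ff7156d8e6'; type = 'Scope' })
            }
        )
        supportsConvergence        = $false
    }
}

function Test-NativeAppDefinition {
    # Returns a list of hard problems; non-https reply URLs only produce a warning.
    param([Parameter(Mandatory)]$App)
    $problems = @()
    if (-not $App.publicClient) { $problems += 'publicClient must be true for a native client' }
    if (@($App.passwordCredentials).Count -ne 0) { $problems += 'a native client should carry no passwordCredentials' }
    if ($App.oauth2AllowImplicitFlow) { $problems += 'oauth2AllowImplicitFlow should stay false' }
    $rra = @($App.requiredResourceAccess)
    if ($rra.Count -ne 1 -or
        $rra[0].resourceAppId -ne '00000002-0000-0000-c000-000000000000' -or
        @($rra[0].resourceAccess).Count -ne 1 -or
        $rra[0].resourceAccess[0].id -ne '311a71cc-e848-46a1-bdf8-97ff7156d8e6') {
        $problems += 'requiredResourceAccess does not match the required block'
    }
    foreach ($u in $App.replyUrls) {
        if ($u -notmatch '^https://') { Write-Warning "replyUrl '$u' is not https" }
    }
    return $problems
}

$tenantID = '<your tenant id>'                           # placeholder
$resource = 'https://graph.windows.net'                  # token audience; same cloud as the Graph host below
$clientId = '1950a258-227b-4e31-a9cf-717495945fc2'       # the common client id from the answer

# Prompt for the account instead of keeping the password in the script.
$cred = Get-Credential -Message 'Azure AD user allowed to create applications (MFA disabled)'
# Assumption: this ADAL build exposes UserCredential(string userName, SecureString password).
$userCred = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential -ArgumentList $cred.UserName, $cred.Password
$ctx = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext -ArgumentList "https://login.microsoftonline.com/$tenantID"
$token = $ctx.AcquireToken($resource, $clientId, $userCred)

$app = New-NativeAppDefinition -DisplayName 'nativeClient' -ReplyUrls @('https://localhost/callback')
$problems = Test-NativeAppDefinition -App $app
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Error $_ }; return }

$headers = @{ Authorization = "$($token.AccessTokenType) $($token.AccessToken)"; 'Content-Type' = 'application/json' }
$body = $app | ConvertTo-Json -Depth 10
try {
    $created = Invoke-RestMethod -Method Post -Headers $headers -Body $body `
        -Uri "https://graph.windows.net/$tenantID/applications?api-version=1.6"
    'Created application objectId={0} appId={1}' -f $created.objectId, $created.appId
} catch {
    # Graph returns a JSON body naming the rejected property; surface it before rethrowing.
    $resp = $_.Exception.Response
    if ($resp) { (New-Object IO.StreamReader($resp.GetResponseStream())).ReadToEnd() | Write-Host }
    throw
}
```

Run it from a session that can load the ADAL assembly; the validation step runs before any token is acquired or request sent, so a body that drifts from the required shape fails locally rather than with a 400 from Graph.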
