Azure AD PowerShell: Grant consent failed with error: application is requesting permissions that are either invalid or out of date

Posted 2025-01-27 21:50:42 · 4679 characters · 3 views · 0 comments


I'm trying to create an Azure AD app with Application and Delegated permissions set for the O365 API. The script works fine, but when I try to grant consent from the Azure portal it shows the error below:

Grant consent failed with error: Application '5a61ff93-7076-44a7-980f-d40def08ee9b' is requesting permissions that are either invalid or out of date. [wyvzL7hZM8VOZFL0Sv4kCF]

The permissions guids are correct. Actually the issue is setting the Application type permissions. The delegated/OAuth2 permissions can be granted consent without any error.

As you see, the permissions are set (both Application and Delegated):

[screenshot: Configured permissions]

But upon granting consent, I see the error below:

[screenshot: consent error]

# This script creates a new Azure AD application
# and sets the Application and Delegated permissions for a specific API (O365)

$Connection = Connect-AzureAD

# %M is minutes; %m (month) would repeat the month in the minute position
$CurrentDateTime = Get-Date -UFormat "%Y-%m-%d_%H-%M-%S"
$ApplicationDisplayName = "Splunk Office 365 App_" + $CurrentDateTime
# Get the service principal for the Office 365 Management APIs
$ServicePrincipalO365API = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Office 365 Management APIs" }

# Get all application permissions for O365 API
$ServicePrincipalO365APIAppRoles = $ServicePrincipalO365API.AppRoles | Where-Object {$_.Value -match "\bActivityReports.Read\b|\bActivityFeed.ReadDlp\b|\bServiceHealth.Read\b"}

# Get all delegated permissions for O365 API
$ServicePrincipalO365APIDelegatedRoles = $ServicePrincipalO365API.Oauth2Permissions | Where-Object {$_.Value -match "\bActivityReports.Read\b|\bActivityFeed.ReadDlp\b|\bServiceHealth.Read\b"}

# Create a Required Resource Access object for Office 365
$RequiredResourceAccessO365API = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RequiredResourceAccessO365API.ResourceAppId = $ServicePrincipalO365API.AppId

$ServicePrincipalO365APIAppRolesSelectedPermissions = @()


# Get all the Resource Access objects for the Application permissions
foreach ($ServicePrincipalO365APIAppRole in $ServicePrincipalO365APIAppRoles)
{
    $Permission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $ServicePrincipalO365APIAppRole.Id,"Role"
    $ServicePrincipalO365APIAppRolesSelectedPermissions += $Permission
}


# Get all the Resource Access objects for the Delegated permissions
foreach ($ServicePrincipalO365APIDelegatedRole in $ServicePrincipalO365APIDelegatedRoles)
{
    $Permission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $ServicePrincipalO365APIDelegatedRole.Id,"Scope"
    $ServicePrincipalO365APIAppRolesSelectedPermissions += $Permission

}

# Assign all the permissions to the required Resource access for the O365 API 
$RequiredResourceAccessO365API.ResourceAccess  = $ServicePrincipalO365APIAppRolesSelectedPermissions

# Create the Password credential for the new app
Add-Type -AssemblyName System.Web
$ApplicationPassword =[System.Web.Security.Membership]::GeneratePassword(32,2)
$ApplicationPassword = $ApplicationPassword.Replace("+","_")
$ApplicationPassword = $ApplicationPassword.Replace("-","_")
$keyId = (New-Guid).ToString();
$fromDate = [System.DateTime]::Now
$durationInYears = 5
$endDate = $fromDate.AddYears($durationInYears) 
$Applicationkey = New-Object Microsoft.Open.AzureAD.Model.PasswordCredential($null, $endDate, $keyId, $fromDate, $ApplicationPassword)

# Create the new app with the password cred
$aadApplication = New-AzureADApplication -DisplayName $ApplicationDisplayName -PasswordCredentials $Applicationkey

write-output("Application created")

# Set the permissions
Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $RequiredResourceAccessO365API
write-output("Application permissions set")

EDIT

I add the application permissions to a list and assign them to an object of type "Microsoft.Open.AzureAD.Model.RequiredResourceAccess":

$RequiredResourceAccessO365API.ResourceAccess = $ServicePrincipalO365APIAppRolesSelectedPermissions

But the ResourceAccess property of "Microsoft.Open.AzureAD.Model.RequiredResourceAccess" takes only OAuth, i.e. Delegated, permissions.

https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.graph.rbac.fluent.models.requiredresourceaccess.resourceaccess?view=azure-dotnet#microsoft-azure-management-graph-rbac-fluent-models-requiredresourceaccess-resourceaccess

So how can one add the application permissions to it? Is this why I'm not able to grant consent for application permissions?
Is there an alternative?
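Before attempting consent it is worth confirming that every permission GUID the registration requests still exists in the target API's current manifest, under the declared type. The following is an added example using the same AzureAD module, not code from the original question or answer; `$AppObjectId` is an assumed parameter holding the ObjectId of the registration to inspect.

```powershell
# Added example: audit the permissions an app registration requests against the
# resource's current AppRoles (Application) and Oauth2Permissions (Delegated).
# Assumes Connect-AzureAD has already been run; $AppObjectId is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$AppObjectId
)

$app = Get-AzureADApplication -ObjectId $AppObjectId

foreach ($rra in $app.RequiredResourceAccess) {
    # Resolve the resource (e.g. Office 365 Management APIs) by its AppId
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
    if (-not $sp) {
        Write-Warning "No service principal for resource $($rra.ResourceAppId) in this tenant"
        continue
    }

    # Lookup tables of what the resource currently exposes, keyed by GUID
    $roles  = @{}; foreach ($r in $sp.AppRoles)          { $roles[$r.Id.ToString()]  = $r }
    $scopes = @{}; foreach ($s in $sp.Oauth2Permissions) { $scopes[$s.Id.ToString()] = $s }

    foreach ($access in $rra.ResourceAccess) {
        $id = $access.Id.ToString()
        switch ($access.Type) {
            'Role'  { $match = $roles[$id];  $other = $scopes[$id]; $kind = 'Application' }
            'Scope' { $match = $scopes[$id]; $other = $roles[$id];  $kind = 'Delegated' }
            default { $match = $null; $other = $null; $kind = "Unknown($($access.Type))" }
        }

        # A GUID that exists only under the other type is the classic Role/Scope mix-up
        $status = if ($match) { 'OK' }
                  elseif ($other) { "GUID belongs to the other type ($($other.Value))" }
                  else { 'NOT FOUND in resource manifest' }

        [pscustomobject]@{
            Resource   = $sp.DisplayName
            Type       = $kind
            Id         = $id
            Permission = $(if ($match) { $match.Value } else { '-' })
            Enabled    = $(if ($match) { $match.IsEnabled } else { $false })
            Status     = $status
        }
    }
}
```

Any row whose Status is not OK, or whose Enabled is false, is a candidate for the "invalid or out of date" consent failure and should be corrected in the registration before consent is retried.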


Comments (1)

瑕疵 2025-02-03 21:50:42


I tried to reproduce the same error in my environment. I have created an Azure AD application and granted the same permissions using your PowerShell script.

I got the same error while trying to grant admin consent, as below:

[screenshot: consent error]

ActivityReports.Read API permission is used to read activity reports of your organization.

Before adding this permission, you need to enable Audit Logs in Office365.
Check whether that permission is enabled or not, like below:

[screenshot: audit log setting]

If you try to grant admin consent without enabling this, you will get that error.

I tried removing the ActivityReports.Read permission (both Application and Delegated) and granted admin consent successfully, like below:

[screenshot: consent granted]

If you need ActivityReports.Read permission, add it after turning on Audit Logs for Office365.

To know how to enable that option in detail, make use of the links below:

Turn auditing on or off - Microsoft Purview | Microsoft Docs

How to enable and configure Office 365 logging and auditing - YouTube
