如何使用PowerShell将Api权限添加到Azure应用注册

当前只能使用Azure AD PowerShell来实现。请注意，Azure AD PowerShell和Azure PowerShell之间存在区别。在Azure的AD PowerShell的不是简单的旧Azure的PowerShell的模块。Azure AD PowerShell是一个单独的模块。Azure AD还没有“ AZ *”。只有两个最常用的命令具有Azure资源提供程序实现。Azure PowerShell具有一组与Azure AD一起使用的功能。如果需要更多功能（如您提到的功能），则必须使用Azure AD PowerShell。Azure AD PowerShell不是 描述，是用于Azure AD的官方支持的PowerShell模块。

您可以通过Set-AzureAdApplication cmdlet并传递适当的-RequiredResourceAccess对象来管理这些必需的权限。

为了构造该对象，您必须首先获得对“公开”权限的引用。因为权限是由其他服务主体公开的。

由于我无法上传整个文件，因此以下是一个PowerShell脚本，该脚本创建了一个示例应用程序，该应用程序具有对某些MS Graph和某些Power BI权限的必需权限。

Function GetToken
{
    param(
        [String] $authority = "https://login.microsoftonline.com/dayzure.com/oauth2/token",
        [String] $clientId,
        [String] $clientSecret,
        [String] $resourceId = "https://graph.windows.net"
    )
    $scope = [System.Web.HttpUtility]::UrlEncode($resourceId) 
    $encSecret = [System.Web.HttpUtility]::UrlEncode($clientSecret) 
    $body = "grant_type=client_credentials&resource=$($scope)&client_id=$($clientId)&client_secret=$($encSecret)"
    $res = Invoke-WebRequest -Uri $authority -Body $body -Method Post
    $authResult = $res.Content | ConvertFrom-Json
    return $authResult.access_token
}

#`
#            -RequiredResourceAccess @($requiredResourceAccess)
#

Function CreateChildApp
{
    param (
        [string] $displayName,
        [string] $tenantName
        )
    # create your new application
    Write-Output -InputObject ('Creating App Registration {0}' -f $displayName)
    if (!(Get-AzureADApplication -SearchString $displayName)) {
        $app = New-AzureADApplication -DisplayName $displayName `
            -Homepage "https://localhost" `
            -ReplyUrls "https://localhost" `
            -IdentifierUris ('https://{0}/{1}' -f $tenantName, $displayName) 

        # create SPN for App Registration
        Write-Output -InputObject ('Creating SPN for App Registration {0}' -f $displayName)

        # create a password (spn key)
        $appPwd = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
        $appPwd

        # create a service principal for your application
        # you need this to be able to grant your application the required permission
        $spForApp = New-AzureADServicePrincipal -AppId $app.AppId -PasswordCredentials @($appPwd)
    }
    else {
        Write-Output -InputObject ('App Registration {0} already exists' -f $displayName)
        $app = Get-AzureADApplication -SearchString $displayName
    }
    #endregion

    return $app
}

Function GrantAllThePermissionsWeWant
{
    param
    (
        [string] $targetServicePrincipalName,
        $appPermissionsRequired,
        $childApp,
        $spForApp
    )

    $targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($targetServicePrincipalName)'"

    # Iterate Permissions array
    Write-Output -InputObject ('Retrieve Role Assignments objects')
    $RoleAssignments = @()
    Foreach ($AppPermission in $appPermissionsRequired) {
        $RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission}
        $RoleAssignments += $RoleAssignment
    }

    $ResourceAccessObjects = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
    foreach ($RoleAssignment in $RoleAssignments) {
        $resourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess"
        $resourceAccess.Id = $RoleAssignment.Id
        $resourceAccess.Type = 'Role'
        $ResourceAccessObjects.Add($resourceAccess)
    }
    $requiredResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $requiredResourceAccess.ResourceAppId = $targetSp.AppId
    $requiredResourceAccess.ResourceAccess = $ResourceAccessObjects

    # set the required resource access
    Set-AzureADApplication -ObjectId $childApp.ObjectId -RequiredResourceAccess $requiredResourceAccess
    Start-Sleep -s 1

    # grant the required resource access
    foreach ($RoleAssignment in $RoleAssignments) {
        Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
        New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
        Start-Sleep -s 1
    }
}

cls

#globaladminapp
$clientID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
$key = "****"


$tenantId = "aaaaaaaa-bbbb-xxxx-yyyy-aaaaaaaaaaaa";
$TenantName = "customdomain.com";
$AppRegName = "globaladminChild-0003";

$token = GetToken -clientId $clientID -clientSecret $key

Disconnect-AzureAD
Connect-AzureAD -AadAccessToken $token -AccountId $clientID -TenantId $tenantId

$appPermissionsRequired = @('Application.ReadWrite.OwnedBy', 'Device.ReadWrite.All', 'Domain.ReadWrite.All')
$targetServicePrincipalName = 'Windows Azure Active Directory'

#$appPermissionsRequired = @('Files.ReadWrite.All','Sites.FullControl.All','Notes.ReadWrite.All')
#$targetServicePrincipalName = 'Microsoft Graph'

$app = CreateChildApp -displayName $AppRegName -tenantName $TenantName
$spForApp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($AppRegName)'"


$appPermissionsRequired = @('Tenant.ReadWrite.All')
$targetServicePrincipalName = 'Power BI Service'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -childApp $app -spForApp $spForApp

$appPermissionsRequired = @('Files.ReadWrite.All','Sites.FullControl.All','Notes.ReadWrite.All')
$targetServicePrincipalName = 'Microsoft Graph'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -childApp $app -spForApp $spForApp

有趣的部分涉及“ apppermissionrequired”和“ targetserviceprincipalname”变量。