Question
I've created an application in Azure and I'm now interested in adding specific roles to the application users in order to allow the role data to be placed into the token as part of a SAML integration.
The issue is that I cannot run a PATCH and add a 3rd element to the appRoles object. Here is my object after running a GET against https://graph.microsoft.com/beta/servicePrincipals/{ID}
```json
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "User",
      "displayName": "User",
      "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    }
  ]
}
```
I am simply adding a third element to that collection:
```json
{
  "allowedMemberTypes": ["User"],
  "description": "groupdescription1",
  "displayName": "groupdisplayName1",
  "id": "9ef0f137-69c7-4ae1-ad90-28363c1f58ba",
  "isEnabled": true,
  "origin": "Application",
  "value": null
}
```
However, after running the PATCH update with the 3rd element, I receive
```json
{
  "error": {
    "code": "Request_BadRequest",
    "message": "One or more properties on the service principal does not match the application object.",
    "innerError": {
      "request-id": "819a5e01-3005-413a-9c36-a698dd90b88d",
      "date": "2019-08-29T21:03:23"
    }
  }
}
```
I can run the PATCH update with just 2 elements. This is OK. But why doesn't it allow a 3rd element?
I read here https://docs.microsoft.com/en-us/graph/api/resources/approle?view=graph-rest-beta that "This functionality is disabled in the current release."
Does this mean I cannot accomplish the goal I have of adding a 3rd role? What am I missing here? Any help is appreciated.
I see in places like https://dailysysadmin.com/KB/Article/2970/configuring-azure-active-directory-as-an-identity-source-for-multiple-applications-sso-single-sign-on/ that it was at one point possible.
Answer 1:
You just need to keep the original two AppRoles and add a new AppRole to the request body.
```json
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "User",
      "displayName": "User",
      "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "groupdescription1",
      "displayName": "groupdisplayName1",
      "id": "9ef0f137-69c7-4ae1-ad90-28363c1f58ba",
      "isEnabled": true,
      "origin": "Application",
      "value": "<a meaningful value here>"
    }
  ]
}
```
Please note that you must set a meaningful value for the "value" of the new AppRole.
Answer 2:
Solution: remove the property "origin" from the new object.
This object is invalid:
```json
{
  "allowedMemberTypes": ["User"],
  "description": "groupdescription1",
  "displayName": "groupdisplayName1",
  "id": "9ef0f137-69c7-4ae1-ad90-28363c1f58ba",
  "isEnabled": true,
  "origin": "Application",
  "value": null
}
```
Once I removed the origin property and retried the PATCH, it worked like a charm.
I suppose the error was pretty indicative:
"One or more properties on the service principal does not match the application object"
just without the name of the field that was invalid. I wrongly assumed I could copy the object from the GET and paste it into the PATCH body.
Source: https://stackoverflow.com/questions/57717751/why-cant-i-add-an-element-to-the-approles-object-within-graph-explorer