问题
Our company is developing a system that is based on Azure components and a client desktop application that connects to Azure. The Azure components are being deployed automatically by our setup code via the Azure API and Azure deployment automation. One of these components being deployed is a Web App / API that we register in the Azure Active Directory. Our deployment code creates this app in Azure via the Azure API and sets the "Required permissions" for this app in Azure. The required permissions are:
Once the application is set up with Azure we then have our client desktop application. In our client desktop application the user can log into the Azure and then we want to access the created application. So our client desktop application basically displays the Azure login box to log into Azure and then it tries to access the Web application in Azure, and we got this:
OK, so I can manually solve it: if I log into Azure as Admin and I manually grant the permissions by clicking the "Grant Permissions" button, the message shown above will not be shown anymore and everything will work smoothly. The "Grant Permissions" button I click is this:
But unfortunately we cannot go this way of granting the permissions manually, we need to find a way to do it programmatically - by C# code. This is our business requirement. So the existing C# code creates the application in Azure AD, sets the required permissions for it, and the missing part is a C# snippet that will automatically grant the permissions - so that the users don't see the warning message above. I've been looking into various online resources and haven't found a way to do it by C# code as yet - unfortunately. Is there a way to grant the permissions automatically? Any C# snippet? Azure API call? Powershell? Anything?
Regarding details of permissions that our application requests: For the Microsoft Graph we required those permissions as Application Permissions:
And those as Delegated Permissions:
For Windows Azure Active Directory the required permissions are:
回答1:
The question has been answered above by @Saca and @Nan Yu. It can be closed now. The solution based on creating OAuth2PermissionGrant and AppRoleAssignment objects for the ServicePrincipal of an application being created is the right way to solve the problem, I have managed to solve the problem this way.
来源:https://stackoverflow.com/questions/46125894/granting-permissions-to-azure-active-directory-web-application-automatically