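# Sign in and obtain an access token carrying the requested delegated permissions
# (Mail.Read and Files.Read) for this public client. MSAL.PS prompts interactively
# when it has no cached token for the client.
$token = Get-MsalToken `
  -ClientId 14308ef0-3c9c-4100-96ba-5d2d805cac0f `
  -Scopes "Mail.Read Files.Read"

# Build the bearer header once and reuse it for every Graph call below.
# Do not print or log $token.AccessToken: it is a credential for the signed-in user
# and remains valid until it expires, regardless of where it was copied to.
$headers = @{ "Authorization" = "Bearer $($token.AccessToken)" }

# Invoke-WebRequest is called by name rather than through the `curl` alias: the alias
# only exists in Windows PowerShell, while PowerShell 6+ (and any shell with curl.exe
# on PATH) runs the real curl, which does not understand -Uri / -Headers.

# Read the signed-in user's mailbox.
Invoke-WebRequest -Uri "https://graph.microsoft.com/v1.0/me/messages" -Headers $headers

# Read the root of the signed-in user's OneDrive.
Invoke-WebRequest -Uri "https://graph.microsoft.com/v1.0/me/drive/root" -Headers $headers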
https://login.microsoftonline.com/ab7d3ddf-d9bf-465f-83dc-49833f69440f/v2.0/adminconsent?client_id=14308ef0-3c9c-4100-96ba-5d2d805cac0f&state=12345&redirect_uri=http://localhost&scope=Mail.Read Files.Read
# For background on using PowerShell, see the end of lecture 5.
Install-Module MSAL.PS -Scope CurrentUser

# Describe the public client application for the Azure China cloud instance; the
# authority URL pins sign-in to the named tenant in that cloud.
$appParams = @{
  ClientId           = '2b183a93-03a2-46a3-bc06-4711e57d2caa'
  AzureCloudInstance = 'AzureChina'
  Authority          = 'https://login.partner.microsoftonline.cn/2dce9a6e-6fe1-4dc8-ac10-f571cdefc583'
}
$app = New-MsalClientApplication @appParams

# Acquire a token for the China-cloud Graph endpoint, using the permissions already
# consented for the app (".default"). The result is written to the pipeline.
Get-MsalToken -PublicClientApplication $app -Scopes 'https://microsoftgraph.chinacloudapi.cn/.default'
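# NOTE(review): the AzureAD / AzureADPreview modules are deprecated in favour of the
# Microsoft Graph PowerShell SDK; they are kept here because the walkthrough uses them.
Install-Module AzureADPreview
Connect-AzureAD -Confirm

# Create a token lifetime policy. A longer AccessTokenLifetime extends the window in
# which a leaked access token stays usable, so keep it as short as the application
# tolerates and treat changes to this policy as security-relevant configuration.
$policy = New-AzureADPolicy `
  -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}') `
  -DisplayName "WebPolicyScenario" `
  -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# Look up the enterprise application (service principal) the policy applies to.
# The name is parameterised so it is set in one place; single quotes inside an OData
# string literal are escaped by doubling them so the filter stays well-formed.
$spDisplayName = '<service principal display name>'
$escapedName = $spDisplayName.Replace("'", "''")
$sp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$escapedName'")

# Display names are not unique. With zero or several matches the original
# `$sp.ObjectId` would be empty or an array, so insist on exactly one match before
# binding the policy to anything.
if ($sp.Count -ne 1) {
  throw "Expected exactly one service principal named '$spDisplayName', found $($sp.Count)."
}

# Assign the policy to that service principal.
Add-AzureADServicePrincipalPolicy `
  -Id $sp[0].ObjectId `
  -RefObjectId $policy.Id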
你可以通过邮件 ares@xizhang.com 与我取得联系，也可以关注 code365xyz 这个微信公众号给我留言。
点击这里 或扫码可以访问配套视频教程。
陈希章 2022年2月 于上海
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/publisher-verification-overview
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/UserSettings
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/id-tokens
勾选上了组的话，groups 是安全组编号（可以通过这里找到 https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups），wids 是系统角色编号。所有这些编号在每个租户都是固定的，通过 Get-AzureADDirectoryRoleTemplate 可以获取到。
自定义令牌，组属性中，注意有一个显示为 role 的选项。
{ "typ": "JWT", "alg": "RS256", "kid": "Mr5-AUibfBii7Nd1jBebaxboXW0" }
.
{
  "aud": "1b87e032-fd57-4f67-b2f3-d9ff5e1c583f",
  "iss": "https://login.microsoftonline.com/3a6831ab-6304-4c72-8d08-3afe544555dd/v2.0",
  "iat": 1645428113,
  "nbf": 1645428113,
  "exp": 1645432013,
  "groups": [
    "b956c237-7c9a-4ff5-bfff-79a832b0c4bf",
    "6b759766-2ecb-4299-b31f-965ef23f2931",
    "da86cab9-1cee-4456-b9e2-b18615b023ca",
    "c17dcde0-5dba-4cc8-b7df-5d2390069de4",
    "7467cf68-fa42-473d-9f2e-c3d72e9620ee"
  ],
  "name": "希章",
  "oid": "b238fd07-6513-46b0-b133-55c9ff8b09e9",
  "preferred_username": "ares@code365.xyz",
  "rh": "0.AXAAqzFoOgRjckyNCDr-VEVV3TLghxtX_WdPsvPZ_14cWD9wAAY.",
  "sub": "xE4rtpK7Ro2qbhjqCh6AX3w18ETIVGHYE0YG03TZqCY",
  "tid": "3a6831ab-6304-4c72-8d08-3afe544555dd",
  "uti": "R5k7foDhLEyokhm9eWklAQ",
  "ver": "2.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ]
}
.[Signature]