I managed to solve this, so I want to leave a proper breakdown of the answer for anyone else who may be trying to remove this permission from their app registration.
I was on the right track with the empty [Microsoft.Open.AzureAD.Model.OAuth2Permission] list I explored above.
If you apply it via New-AzureADApplication (https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0) when creating your application, it has absolutely no effect.
If you apply it directly via Set-AzureADApplication (https://learn.microsoft.com/en-us/powershell/module/azuread/set-azureadapplication?view=azureadps-2.0) after creating the new app registration, you will get an error like the following:
Set-AzureADApplication: Error occurred while executing SetApplication
Code: Request_BadRequest
Message: Property value cannot be deleted or updated unless it is disabled first.
RequestId: ********-****-****-*****************
DateTimeStamp: Thu, 02 Jul 2020 10:11:54 GMT
Details: PropertyName - None, PropertyErrorCode - CannotDeleteEnabledEntitlement
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
So the solution is to first create a new list and add the old scope to it, while setting the value of IsEnabled to $false.
# New Azure AD Application
Connect-AzureAD
# 00000003-0000-0000-c000-000000000000 is the well-known AppId of the Microsoft Graph service principal.
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
# e1fe6dd8-ba31-4d61-89e7-88639da4683d is the Microsoft Graph User.Read delegated permission ("Scope").
$ResAcc = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)
# Disable the App Registration scope.
# The default "user_impersonation" scope is created enabled; it must be disabled before it can be deleted.
$Scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
$Scope = $Test.Oauth2Permissions | Where-Object { $_.Value -eq "user_impersonation" }
$Scope.IsEnabled = $false
$Scopes.Add($Scope)
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $Scopes
Finally, you can delete the OAuth2Permission by applying an empty list to it, which completes the removal.
# Now that the scope is disabled, an empty list is accepted and removes it.
$EmptyScopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $EmptyScopes
Use Get-AzureADApplication (https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadapplication?view=azureadps-2.0) to fetch the latest state of the object, and you should see that the Oauth2Permissions list is now empty.
$Test = Get-AzureADApplication -ObjectId $Test.ObjectID
$Test | FL *
DeletionTimestamp :
ObjectId : ********-****-****-*****************
ObjectType : Application
AddIns : {}
AppId : ********-****-****-*****************
AppRoles : {}
AvailableToOtherTenants : False
DisplayName : PoshTest
ErrorUrl :
GroupMembershipClaims :
Homepage :
IdentifierUris : {}
KeyCredentials : {}
KnownClientApplications : {}
LogoutUrl :
Oauth2AllowImplicitFlow : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions : {}
Oauth2RequirePostResponse : False
PasswordCredentials : {}
PublicClient :
RecordConsentConditions :
ReplyUrls : {https://visualstudio/spn}
RequiredResourceAccess : {class RequiredResourceAccess {
ResourceAppId: 00000003-0000-0000-c000-000000000000
ResourceAccess:
System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
}
}
SamlMetadataUrl :
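The answer above walks through the disable-then-delete sequence for the single default "user_impersonation" scope. The following is an added example, not code from the original answer, that generalises it into one function: it disables every scope the registration still exposes (whatever its name), submits the empty list, and then re-reads the application to verify the result instead of trusting the local copy. It assumes the AzureAD module is installed, Connect-AzureAD has already been run, and the caller supplies the application's ObjectId; the function name Remove-AppRegistrationScopes is made up for this example.

```powershell
# Added example: remove all OAuth2 permissions (exposed scopes) from an app registration.
# Assumes: AzureAD module loaded and Connect-AzureAD already executed.
function Remove-AppRegistrationScopes {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Object ID (not AppId) of the application registration.
        [Parameter(Mandatory)] [string] $ObjectId
    )

    $app = Get-AzureADApplication -ObjectId $ObjectId
    if (-not $app.Oauth2Permissions -or $app.Oauth2Permissions.Count -eq 0) {
        Write-Verbose "No OAuth2 permissions exposed by '$($app.DisplayName)'; nothing to do."
        return
    }

    # Step 1: the service rejects deletion of an enabled entitlement
    # (CannotDeleteEnabledEntitlement), so first flip every scope to IsEnabled = $false.
    $disabled = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
    foreach ($scope in $app.Oauth2Permissions) {
        if ($scope.IsEnabled) {
            Write-Verbose "Disabling scope '$($scope.Value)' ($($scope.Id))"
            $scope.IsEnabled = $false
        }
        $disabled.Add($scope)
    }
    if ($PSCmdlet.ShouldProcess($app.DisplayName, "Disable $($disabled.Count) OAuth2 permission(s)")) {
        Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $disabled
    }

    # Step 2: with nothing enabled, an empty list is accepted and deletes the scopes.
    $empty = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
    if ($PSCmdlet.ShouldProcess($app.DisplayName, "Delete all OAuth2 permissions")) {
        Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $empty
    }

    # Step 3: verify against the directory, not the stale local object.
    $after = Get-AzureADApplication -ObjectId $ObjectId
    if ($after.Oauth2Permissions -and $after.Oauth2Permissions.Count -ne 0) {
        throw "Expected no OAuth2 permissions on '$($after.DisplayName)', found $($after.Oauth2Permissions.Count)."
    }
    Write-Verbose "All OAuth2 permissions removed from '$($after.DisplayName)'."
}

# Usage (the object id below is a placeholder; supply your own):
# Connect-AzureAD
# Remove-AppRegistrationScopes -ObjectId '<application object id>' -Verbose -WhatIf
# Remove-AppRegistrationScopes -ObjectId '<application object id>' -Verbose
```

Run it with -WhatIf first to see the two Set-AzureADApplication calls it would make. Stripping exposed scopes is worth doing on registrations that are only ever OAuth clients and never resource servers: a leftover "user_impersonation" scope is an API surface that other applications can request consent for even though nothing validates tokens issued for it.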