How do I create a new Azure application registration without the user_impersonation OAuth2Permission?

2024-05-20

I'm wondering whether any of the Azure experts can clarify New-AzureADApplication https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0. When I create an application registration in PowerShell, it appears to add a user_impersonation scope under Expose an API > Scopes defined by this API in the GUI. When I create an application registration in the GUI, I give it a name and, where necessary, a redirect URI, but this user_impersonation scope is not created.

I thought this might be related to the AzureAD module and its specific connection to Azure AD, but the behaviour is the same when using New-AzADApplication https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azadapplication?view=azps-4.3.0, with the exception that this cmdlet also requires -IdentifierUris to be specified - which is not necessary for all of the applications we register.

Is there any way to avoid the OAuth2Permissions being added when I create an application registration through PowerShell?

Other things I have tried:

  • Setting -OAuth2Permissions to an empty list of type [System.Collections.Generic.List`1[[Microsoft.Open.AzureAD.Model.OAuth2Permission, Microsoft.Open.AzureAD16.Graph.Client, Version=0.1.599.7, Culture=neutral, PublicKeyToken=null]]

  • Using Get-AzureADOAuth2PermissionGrant https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadoauth2permissiongrant?view=azureadps-2.0 to try to find the permission and remove it afterwards. It isn't there.

If I can't avoid or remove it at creation time, then please provide the following information:

  • Why this permission is required by default.
  • Why the GUI decides it isn't necessary.

Example:

Connect-AzureAD
# Microsoft Graph service principal (well-known AppId) as the resource we request access to
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
# Delegated ("Scope") permission on Graph, referenced by its permission id
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
# Create the registration; note that -OAuth2Permissions is not passed at all here
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)

Object:

$Test | FL *

DeletionTimestamp          : 
ObjectId                   : ************************************
ObjectType                 : Application
AddIns                     : {}
AppId                      : ************************************
AppRoles                   : {}
AvailableToOtherTenants    : False
DisplayName                : PoshTest
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : 
IdentifierUris             : {}
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {class OAuth2Permission {
                               AdminConsentDescription: Allow the application to access PoshTest on behalf of the 
                             signed-in user.
                               AdminConsentDisplayName: Access PoshTest
                               Id: ************************************
                               IsEnabled: True
                               Type: User
                               UserConsentDescription: Allow the application to access PoshTest on your behalf.
                               UserConsentDisplayName: Access PoshTest
                               Value: user_impersonation
                             }
                             }
Oauth2RequirePostResponse  : False
PasswordCredentials        : {}
PublicClient               : 
RecordConsentConditions    : 
ReplyUrls                  : {https://visualstudio/spn}
RequiredResourceAccess     : {class RequiredResourceAccess {
                               ResourceAppId: 00000003-0000-0000-c000-000000000000
                               ResourceAccess: 
                             System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             }
SamlMetadataUrl            : 

PowerShell details

$PSVersionTable | select PSVersion,PSEdition,OS,Platform | FL *

PSVersion : 7.0.2
PSEdition : Core
OS        : Darwin 18.7.0 Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT 2020; 
            root:xnu-4903.278.35~1/RELEASE_X86_64
Platform  : Unix

Get-Module -Name AzureAD.Standard.Preview

ModuleType Version    PreRelease Name
---------- -------    ---------- ----
Script     0.1.599.7             AzureAD.Standard.Preview

Difference in the GUI


I've managed to resolve this, so I want to leave a proper breakdown of the answer for anyone else who may also be trying to remove this permission from their application registrations.

I was on the right track with the empty [Microsoft.Open.AzureAD.Model.OAuth2Permission] list I explored above.

If you apply this via New-AzureADApplication https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0 when creating your application, it has absolutely no effect.

If you apply it directly via Set-AzureADApplication https://learn.microsoft.com/en-us/powershell/module/azuread/set-azureadapplication?view=azureadps-2.0 after creating the new application registration, you get an error like this:

Set-AzureADApplication: Error occurred while executing SetApplication 
Code: Request_BadRequest
Message: Property  value cannot be deleted or updated unless it is disabled first.
RequestId: ********-****-****-*****************
DateTimeStamp: Thu, 02 Jul 2020 10:11:54 GMT
Details: PropertyName  - None, PropertyErrorCode  - CannotDeleteEnabledEntitlement
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed

So the solution is to first create a new list and add the old scope to it while setting IsEnabled to $false.

# New Azure AD Application
Connect-AzureAD
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)

# Disable the App Registration scope.
# The service refuses to delete an enabled scope (CannotDeleteEnabledEntitlement),
# so resubmit the existing scope with IsEnabled = $false first.
$Scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
$Scope = $Test.Oauth2Permissions | Where-Object { $_.Value -eq "user_impersonation" }
$Scope.IsEnabled = $false
$Scopes.Add($Scope)
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $Scopes

Now you can finally delete the OAuth2Permission by applying an empty list to it, which completes the job.

$EmptyScopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $EmptyScopes

Use Get-AzureADApplication https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadapplication?view=azureadps-2.0 to fetch the latest state of the object, and you should see that the OAuth2Permissions list is now empty.

$Test = Get-AzureADApplication -ObjectId $Test.ObjectID
$Test | FL *

DeletionTimestamp          : 
ObjectId                   : ********-****-****-*****************
ObjectType                 : Application
AddIns                     : {}
AppId                      : ********-****-****-*****************
AppRoles                   : {}
AvailableToOtherTenants    : False
DisplayName                : PoshTest
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : 
IdentifierUris             : {}
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {}
Oauth2RequirePostResponse  : False
PasswordCredentials        : {}
PublicClient               : 
RecordConsentConditions    : 
ReplyUrls                  : {https://visualstudio/spn}
RequiredResourceAccess     : {class RequiredResourceAccess {
                               ResourceAppId: 00000003-0000-0000-c000-000000000000
                               ResourceAccess: 
                             System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             }
SamlMetadataUrl            :
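The disable-then-clear sequence from the answer above, wrapped as a reusable function. This is an added example, not the answer author's code: it generalises the answer from the single user_impersonation scope to every scope the registration exposes (each must be disabled before it can be removed), verifies the result against the directory rather than the local object, and assumes an existing Connect-AzureAD session with the AzureAD (or AzureAD.Standard.Preview) module loaded. The function name Remove-AzureADAppExposedScopes is my own.

```powershell
# Added example (not the answer author's code). Removes every scope an app
# registration exposes under "Expose an API", using the two-step sequence
# from the answer: disable the scopes, then overwrite the list with an
# empty one. Assumes Connect-AzureAD has already been run.
function Remove-AzureADAppExposedScopes {
    param(
        [Parameter(Mandatory)]
        [string]$ObjectId
    )

    $app = Get-AzureADApplication -ObjectId $ObjectId
    if ($app.Oauth2Permissions.Count -eq 0) {
        Write-Verbose "No exposed scopes on '$($app.DisplayName)'; nothing to do."
        return $app
    }

    # Step 1: the service rejects deleting an enabled scope
    # (Request_BadRequest / CannotDeleteEnabledEntitlement), so resubmit the
    # same scopes with IsEnabled flipped to $false.
    $disabled = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'
    foreach ($scope in $app.Oauth2Permissions) {
        Write-Verbose "Disabling scope '$($scope.Value)' ($($scope.Id))"
        $scope.IsEnabled = $false
        $disabled.Add($scope)
    }
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $disabled

    # Step 2: with nothing enabled, an empty list removes the scopes entirely.
    $empty = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $empty

    # Verify from the directory, not from the stale $app object.
    $after = Get-AzureADApplication -ObjectId $ObjectId
    if ($after.Oauth2Permissions.Count -ne 0) {
        throw "Expected no exposed scopes on '$($after.DisplayName)' but found $($after.Oauth2Permissions.Count)."
    }
    return $after
}

# Usage (after Connect-AzureAD); DisplayName and ReplyUrls are placeholders:
# $app = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn"
# Remove-AzureADAppExposedScopes -ObjectId $app.ObjectId -Verbose
```

Running it immediately after New-AzureADApplication leaves the registration in the same state the GUI produces: no delegated scope exposed, so no client can request or be granted user_impersonation on it unless you add a scope deliberately later.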