引子

這是一篇計劃外的文章。我們都知道要進行Microsoft Graph的開發的話，需要進行應用程序注冊。這個在此前我已經有專門的文章寫過了。但這里存在一個小的問題：國內版的Office 365在申請好之后，并沒有像國際版那樣，有一個對應的可以注冊和管理應用程序的Azure的界面。說起來有點繞，國際版的Office 365管理員可以直接登陸到portal.azure.com進行應用程序注冊和管理，但國內版卻不行。這個問題目前來說還是一個know issue。不過，在幫助一些客戶解決這個問題的過程中，我們也有一些變通的做法，例如我下面的這篇文章就是摘自于世紀互聯技術支持的標準做法。

國內版Office 365和Azure AAD綁定的問題及解決方案

上述方案中建議客戶要另外在購買一個Azure AD的訂閱，然后可以跟Office 365那個Tenant綁定起來。這個從一定程度上解決了問題，但不是那么完美。本文給大家分享的是我們另外研究出來的一些經驗做法。

理解Office 365與Azure AD的關系

從邏輯上說，Azure是微軟的智能云平臺，在這個平臺上，不光是運行了全球不計其數的客戶的應用程序，也承載著包括Office 365在內的規模龐大的一些SaaS平臺。而Office 365的用戶管理和應用管理，本質上就是用Azure AD來實現的。當然，國外的版本，Azure AD還可以做到更多，包括組織配置文件、設備管理、按條件的訪問控制等等。限于篇幅，本文不對這些高級功能進行展開，我們僅僅針對用戶管理和應用管理，尤其是應用管理這塊來一探究竟。

本文的例子，因為主要是要演示如何解決國內版的問題，所以截圖全部采用國內版Office 365或者Azure 請注意，登陸國內版本的Azure，有兩種方式，一種是傳統門戶(manage.windowsazure.cn)，一種是新門戶（portal.azure.cn)。新門戶毫無疑問帶來了一些新的功能，例如支持使用最新的Resource Management的方式創建和管理資源。但是，要進行Azure AD的操作的話，目前還只能在傳統門戶中進行

這就是我們喜聞樂見的Azure AD管理界面，用戶管理不用多說了，這里可以增加和刪除用戶，修改用戶的一些基本信息。我們重點關注的是應用管理的這個部分。

稍微簡單地回顧一下相關的概念，注冊應用程序（application）有兩種不同類型（本機或者Web），除了提供一些基本信息（對于Web應用程序而言，關鍵一點在于提供ReplyUrl）之外，最重要的就是定義該應用程序需要訪問的資源，以及申請的權限了。資源，在Azure AD內部的技術范疇來說，是較為ServicePrinciple的一個對象，而所謂的權限，又分為兩種，一種是delegated permission，一種是application permission。前者也稱為oauth權限，這是需要用戶授權，并且模擬用戶的身份去進行操作，適合于一些有用戶交互的應用程序，而后者（也稱為role權限）則適合于一些在后臺運行的服務或者自動運行的腳本。

必須承認，就算是有圖形化界面，要完全理解上面這些東西也多少需要一定的時間。與此同時，如果我們連圖形化界面都沒有的話，怎么來創建應用程序并且為其申請相關資源的權限呢，這有點挑戰，但是謝天謝地，我們還是找到了一些方法。

通過PowerShell來創建應用程序并且定義服務和權限聲明

我旗幟鮮明地喜歡PowerShell，尤其是用來管理Azure AD以及Office 365的時候，它總是能讓我們事半功倍。為了演示下面的功能，我需要提醒你準備如下的軟件環境。

請在Windows 10的機器上面，安裝如下的幾個組件

下載安裝官方提供的Microsoft Online Service Sign-in Assistant for IT Professionals?https://go.microsoft.com/fwlink/p/?LinkId=286152

下載安裝官方提供的Azure Active Directory Connection?http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

請在本地用管理員身份打開PowerShell，并運行命令 Install-Module -Name AzureAD

當然，你還得需要有一個Office 365 的管理員賬號信息

為了驗證你是否安裝成功如上的組件，請重新打開一個PowerShell窗口，運行下面的命令

$credential = Get-Credential # 此時會彈出一個登陸框，請輸入Office 365管理員和密碼信息，如果沒有錯誤請繼續Connect-AzureAD -Credential $credential -AzureEnvironmentName AzureChinaCloud # 如果沒有錯誤請繼續 Get-AzureADApplication

查詢所有的服務定義信息

我們需要通過腳本獲取到當前這個Azure AD中已經定義好的服務信息

Get-AzureADServicePrincipal

正常情況下將返回下面的結果

ObjectIdAppIdDisplayName

06d6e7e4-dcb4-4783-a617-78d89bb584f3	0000000f-0000-0000-c000-000000000000	Microsoft.Azure.GraphExplorer
0a80ca08-a6b5-42d9-91a3-1a93c6c25b05	43e38210-29b3-411d-b9f7-4a75b5fd2786	工作流
0f6b73aa-9a6d-4c25-b518-5aef795042d6	00000002-0000-0ff1-ce00-000000000000	Office 365 Exchange Online
13fc1a89-6a58-406a-9cb2-42e92c458fd3	aa9ecb1e-fd53-4aaa-a8fe-7a54de2c1334	Office 365 Configure
1a17c404-11db-442b-93ae-e0751e1563b7	00000007-0000-0ff1-ce00-000000000000	Microsoft.ExchangeOnlineProtection
224fdbf8-fbe8-4d54-b98e-f8b9ad15cac8	00000005-0000-0000-c000-000000000000	Microsoft.Azure.Workflow
26df55ee-6a90-4a17-879c-1a982094512c	00000009-0000-0000-c000-000000000000	Power BI Service
2ab85e47-1ba1-4948-9a95-f16eef6215aa	00000003-0000-0ff1-ce00-000000000000	Office 365 SharePoint Online
30236da4-3a49-4615-bb09-d665e5938602	181dc382-d034-45ad-b7d7-4f440986737b	sample
30ee19e0-47bd-4a3d-8e2b-3752f02d4ffc	2d4d3d8e-2be3-4bef-9f87-7875a61c29de	OneNote
3319d71d-8dfc-42ff-8fa0-0aa64f553350	00000003-0000-0000-c000-000000000000	Microsoft Graph
348ecf66-4f9c-4ec5-8db4-c86171859ea5	c5393580-f805-4401-95e8-94b7a6ef2fc2	Office 365 Management APIs
465b5392-ee37-4d69-be91-dad28b5fb77a	00000004-0000-0ff1-ce00-000000000000	Office 365 Lync Online
465eec3f-9bcd-4c27-b071-780b86f01083	0000000c-0000-0000-c000-000000000000	Microsoft.Azure.ActiveDirectoryUX
4ba6a93c-053e-4575-83aa-419fcc7cadb5	c84c5f13-394f-4807-9a35-317cffa11143	工作流
4fa14876-02c2-4089-a450-2b8b45d17ae0	00000002-0000-0000-c000-000000000000	Windows Azure Active Directory
524c2aaa-6ca4-4db5-9876-b758bbd4d6c7	8d3a7d3c-c034-4f19-a2ef-8412952a9671	MicrosoftOffice
6226889d-694d-4ee0-8717-0997c544b94e	ab27a73e-a3ba-4e43-8360-8bcc717114d8	Microsoft.OfficeModernCalendar
63246e22-5673-4665-9744-e33f18aceaf3	aa2cd2a1-5a04-4e64-b76a-0a0f21e9d1d9	webappsample123
67749e7c-7d67-4338-abdd-82f13ff22010	00000006-0000-0ff1-ce00-000000000000	Microsoft.Office365Portal
6de0d20c-2b7f-4aed-803c-f3157018b59b	00000013-0000-0000-c000-000000000000	Windows Azure Management Portal
72f64ca3-d200-423b-92da-4f3dd6621ef9	1142d051-c271-4044-b1ac-522c8029e3b7	websampletest
76c56681-2887-4cd4-a375-971669f0d471	8fca0a66-c008-4564-a876-ab3ae0fd5cff	Microsoft.SMIT
778437c2-766d-4853-8738-2f397efeae06	0f698dd4-f011-4d23-a33e-b36416dcb1e6	OfficeClientService
793601bf-1a81-400d-bb7d-68db352702c5	ae675dd6-076c-4036-9d0b-f5a4e9c10c71	nativeapplication
79a7fbfe-a0d5-4416-8c8f-6a523d45cd4c	803ee9ca-3f7f-4824-bd6e-0b99d720c35c	Azure Media Service
7f07985a-6657-41cb-b5f6-14c3554b027d	326128ad-f5f4-474c-bb19-c5e9b7780ba0	微軟 Office 365 移動辦公套件
866d1fbf-bf6d-4e30-a8ad-570317df9642	797f4846-ba00-4fd7-ba43-dac1f8f63013	Windows Azure Service Management API
8ac0becf-4180-43fd-883f-18bda7f45827	0f6edad5-48f2-4585-a609-d252b1c52770	AIGraphClient
8f5f81a0-7690-4bad-b097-bb22a9940041	168f7c69-e70d-4a14-ae22-c069b5d296bc	webapp
93a3c4d5-6451-4648-8195-b00eafe51b0e	f05ff7c9-f75a-4acd-a3b5-f4b6a870245d	SharePoint Android
94decd41-c70a-4255-b73a-0d52ead4dde9	2ab3d641-6164-4930-8f58-68d56787ab47	testapplication
9c4b5e57-6ec2-4218-be29-70d197664262	595d87a1-277b-4c0a-aa7f-44f8a068eafc	Microsoft.SupportTicketSubmission
a4c307c2-d229-4cea-a51c-c498b146fc3f	601d4e27-7bb3-4dee-8199-90d47d527e1c	Microsoft.Office365.ChangeManagement
a534ad32-c4a0-491e-810f-7499a8b9016a	c44b4083-3bb0-49c1-b47d-974e53cbdf3c	Ibiza Portal
a913c56c-7a86-479e-894e-9649f99f7841	8fad9a3d-ce06-4d85-8f9a-873164f0cafc	native
c259baa5-c050-420d-a4a9-3130dbeed2f9	6f82282e-0070-4e78-bc23-e6320c5fa7de	Microsoft.DiscoveryService
ce72c49b-a6df-45c6-9055-76d7eb684a9d	3f56a5d5-7882-4290-9fd8-3908d734b3fe	deamon
dc4e9fbc-9e1d-4900-9ea1-dfc9b8d414c5	0000000b-0000-0000-c000-000000000000	Microsoft.SellerDashboard
e1d2b488-d085-4af5-bd97-d2436f72fd7d	e3583ad2-c781-4224-9b91-ad15a8179ba0	Microsoft.ExtensibleRealUserMonitoring
ebf95d4c-7ccf-4ecf-ac48-793d2782f98d	67e3df25-268a-4324-a550-0de1c7f97287	Microsoft.OfficeWebAppsService
f0df0bc2-1c0a-446b-9eb6-7a4cf9749079	61a7b0d6-2bc9-48b6-8653-ef6b496815cb	GraphExplorer

雖然列了這么多，但其實我們一般最關注就是下面這個服務 ObjectId | AppId | DisplayName -------- | ----- | ----------- 3319d71d-8dfc-42ff-8fa0-0aa64f553350 | 00000003-0000-0000-c000-000000000000 | Microsoft Graph

查詢服務的權限信息

有了服務的基本信息，我們就可以查詢它的詳細信息，尤其是我們關注的權限定義這部分信息了

$graph = Get-AzureADServicePrincipal -ObjectId 3319d71d-8dfc-42ff-8fa0-0aa64f553350 # 這個命令將Microsoft Graph這個服務定義保存為一個變量$graph | fl * # 這個命令將顯示詳細信息

下面我將演示一下如何將它的兩類權限分別列舉出來

$graph.Oauth2Permissions # 這個會列舉出來所有的用戶模擬權限 IdIsEnabledTypeUserConsentDescriptionUserConsentDisplayNameValue

58e15261-dfce-4dbd-b1a9-6a513ccf39cd	True	User	Allows the app to read, update, create, and delete contacts you have permissions to access, including your own and shared contacts.	Read and write to your and shared contacts	Contacts.ReadWrite.Shared
c8ee694a-ac5f-44eb-9487-f4fea3a6538d	True	User	Allows the app to read contacts you have permissions to access, including your own and shared contacts.	Read your and shared contacts	Contacts.Read.Shared
9e044dd2-b119-478e-8b0c-3143ff864625	True	User	Allows the app to read, update, create and delete events in all calendars in your organization you have permissions to access. This includes delegate and shared calendars.	Read and write to your and shared calendars	Calendars.ReadWrite.Shared
f1731364-f498-453c-a95f-c57fdbeff4f1	True	User	Allows the app to read events in all calendars that you can access, including delegate and shared calendars.	Read calendars?you can access	Calendars.Read.Shared
2bf44396-38c4-4826-813f-75074b46a125	True	User	Allows the app to send mail as you or on-behalf of someone else.	Send mail on behalf of others or yourself	Mail.Send.Shared
0772b0b8-18f9-4412-a1dc-cdbb000727fa	True	User	Allows the app to read, update, create, and delete mail you have permission to access, including your own and shared mail. Does not allow the app to send mail on your behalf.	Read and write mail?you can access	Mail.ReadWrite.Shared
07382180-f05b-4f94-8e51-02736bd78f14	True	User	Allows the app to read mail you can access, including shared mail.	Read mail you can access	Mail.Read.Shared
e1fe6dd8-ba31-4d61-89e7-88639da4683d	True	User	Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.	Sign you in and read your profile	User.Read
b4e74841-8e56-480b-be8b-910348b18b4c	True	User	Allows the app to read your profile, and discover your group membership, reports and manager. It also allows the app to update your profile information on your behalf.	Read and update your profile	User.ReadWrite
b340eb25-3456-403f-be2f-af7a0d370277	True	User	Allows the app to read a basic set of profile properties of other users in your organization on your behalf. Includes display name, first and last name, email address and photo.	Read all users' basic profiles	User.ReadBasic.All
a154be20-db9c-4678-8ab7-66f6cc099a59	True	Admin	Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.	Read all users' full profiles	User.Read.All
204e0828-b5ca-4ad8-b9f3-f32a958e7cc4	True	Admin	Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.	Read and write all users' full profiles	User.ReadWrite.All
5f8c59db-677d-491f-a6b8-5f174b11ec1d	True	Admin	Allows the app to list groups, and to read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access.	Read all groups	Group.Read.All
4e46008b-f24c-477d-8fff-7bb4ec7aafe0	True	Admin	Allows the app to create groups and read all group properties and memberships on your behalf. Additionally allows the app to manage your groups and to update group content for groups you are a member of.	Read and write all groups	Group.ReadWrite.All
06da0dbc-49e2-44d2-8312-53f166ab848a	True	Admin	Allows the app to read data in your organization's directory.	Read directory data	Directory.Read.All
c5366453-9fb0-48a5-a156-24f0c49a4b84	True	Admin	Allows the app to read and write data in your organization's directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords.	Read and write directory data	Directory.ReadWrite.All
0e263e50-5827-48a4-b97c-d940288653c7	True	Admin	Allows the app to have the same access to information in your work or school directory as you do.	Access the directory as you	Directory.AccessAsUser.All
570282fd-fa5c-430d-a7fd-fc8dc98a9dca	True	User	Allows the app to read email in your mailbox.	Read your mail	Mail.Read
024d486e-b451-40bb-833d-3e66d98c5c73	True	User	Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail.	Read and write access to your mail	Mail.ReadWrite
e383f46e-2787-4529-855e-0e479a3ffac0	True	User	Allows the app to send mail as you.	Send mail as you	Mail.Send
465a38f9-76ea-45b9-9f34-9e8b0d4b0b42	True	User	Allows the app to read events in your calendars.	Read your calendars	Calendars.Read
1ec239c2-d7c9-4623-a91a-a9775856bb36	True	User	Allows the app to read, update, create and delete events in your calendars.	Have full access to your calendars	Calendars.ReadWrite
ff74d97f-43af-4b68-9f2a-b77ee6968c5d	True	User	Allows the app to read contacts in your contact folders.	Read your contacts	Contacts.Read
d56682ec-c09e-4743-aaf4-1a3aac4caa21	True	User	Allows the app to read, update, create and delete contacts in your contact folders.	Have full access of your contacts	Contacts.ReadWrite
10465720-29dd-4523-a11a-6a75c743c9d9	True	User	Allows the app to read your files and files shared with you.	Read your files and files shared with you	Files.Read
5c28f0bf-8a70-41f1-8ab2-9032436ddb65	True	User	Allows the app to read, create, update, and delete your files and files shared with you.	Have full access to your files and files shared with you	Files.ReadWrite
8019c312-3263-48e6-825e-2b833497195b	True	User	Allows the app to read, create, update and delete files in the application's folder.	Have full access to the application's folder	Files.ReadWrite.AppFolder
17dde5bd-8c17-420f-a486-969730c1b827	True	User	Allows the app to read and write files that you select. After you select a file, the app has access to the file for several hours.	Read and write selected files	Files.ReadWrite.Selected
5447fe39-cb82-4c1a-b977-520e67e724eb	True	User	Allows the app to read files that you select. After you select a file, the app has access to the file for several hours.	Read selected files	Files.Read.Selected
205e70e5-aba6-4c52-a976-6d2d46c48043	True	User	Allow the application to read documents and list items in all site collections on your behalf	Read items in all site collections	Sites.Read.All

$graph.AppRoles # 這個會列舉出來所有的應用權限 DescriptionDisplayNameIdIsEnabledValue

Allows the app to read mail in all mailboxes without a signed-in user.	Read mail in all mailboxes	810c84a8-4a9e-49e6-bf7d-12d183f40d01	True	Mail.Read
Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail.	Read and write mail in all mailboxes	e2a3a72e-5f79-4c64-b1b1-878b674786c9	True	Mail.ReadWrite
Allows the app to send mail as any user without a signed-in user.	Send mail as any user	b633e1c5-b582-4048-a93e-9f11b44c7e96	True	Mail.Send
Allows the app to read events of all calendars without a signed-in user.	Read calendars in all mailboxes	798ee544-9d2d-430c-a058-570e29e34338	True	Calendars.Read
Allows the app to create, read, update, and delete events of all calendars without a signed-in user.	Read and write calendars in all mailboxes	ef54d2bf-783f-4e0f-bca1-3210c0444d99	True	Calendars.ReadWrite
Allows the app to read all contacts in all mailboxes without a signed-in user.	Read contacts in all mailboxes	089fe4d0-434a-44c5-8827-41ba8a0b17f5	True	Contacts.Read
Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user.	Read and write contacts in all mailboxes	6918b873-d17a-4dc1-b314-35f528134491	True	Contacts.ReadWrite
Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.	Read all groups	5b567255-7703-4780-807c-7be8301ae99b	True	Group.Read.All
Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.	Read and write all groups	62a82d76-70ea-41e2-9197-370581804d09	True	Group.ReadWrite.All
Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.	Read directory data	7ab1d382-f21e-4acd-a863-ba3e13f7da61	True	Directory.Read.All
Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.	Read and write directory data	19dbc75e-c2e2-444c-a770-ec69d8559fc7	True	Directory.ReadWrite.All
Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers.	Read and write devices	1138cb37-bd11-4084-a2b7-9f71582aeddb	True	Device.ReadWrite.All
Allows the app to read user profiles without a signed in user.	Read all users' full profiles	df021288-bdef-4463-88db-98f22de89214	True	User.Read.All
Allows the app to read and update user profiles without a signed in user.	Read and write all users' full profiles	741f803b-c850-494e-b5df-cde7c675a1ca	True	User.ReadWrite.All

創建應用程序

創建應用程序的PowerShell命令是New-AzureADApplication,它的詳細用法請參考這里?https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0

$app= New-AzureADApplication -DisplayName "yourapplicationname" -ReplyUrls "https://websample.com/replyurl" -Homepage "https://websample.com" -IdentifierUris "https://websample.com"# 這是用來創建Web應用程序的$app= New-AzureADApplication -DisplayName "yourapplicationname" -PublicClient $true# 這是用來創建本地應用程序的，設置PublicClient屬性為true即可$app#請保存app的具體信息，尤其是AppId

創建密鑰

如果上面創建的是Web 應用程序，還需要為應用程序創建密鑰。這里會用到的PowerShell命令是New-AzureADApplicationPasswordCredential，它的詳細用法請參考這里?https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadapplicationpasswordcredential?view=azureadps-2.0

New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId# 正常情況下，將返回一個為期一年的密鑰信息CustomKeyIdentifier : EndDate : 7/12/2018 10:25:28 AM KeyId : StartDate : 7/12/2017 10:25:28 AM Value : /TD0rbE5gwm/a6TGqUhqVY46LA16rir6Zwm7pK69prI=# 請保存這個Value信息

綁定服務和設定權限

我們已經創建了應用程序，也為他申請了一個密鑰，下面就是最后也是最關鍵的環節————為應用程序綁定服務并且設定權限了。下面這個代碼段是為上面創建好的應用程序，并且為其申請了四個delegated permission。（具體這四個權限對應的是什么，請參考上面的表格）

$graphrequest = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"$graphrequest.ResourceAccess = New-Object -TypeName "System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]"$ids =@("024d486e-b451-40bb-833d-3e66d98c5c73","e383f46e-2787-4529-855e-0e479a3ffac0","e1fe6dd8-ba31-4d61-89e7-88639da4683d","b340eb25-3456-403f-be2f-af7a0d370277")foreach($id in $ids){$obj = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $id,"Scope"# 如果是AppRole權限，則第二個參數為Role$graphrequest.ResourceAccess.Add($obj) }$graphrequest.ResourceAppId = "00000003-0000-0000-c000-000000000000"Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess ($graphrequest) # 這句命令的RequiredResourceAccess 參數中可以有多個對象

結語

這篇文章的篇幅較長，我盡可能詳細地展示了很多Azure AD中注冊應用程序，綁定服務和設定權限的細節，尤其是對于國內的Office 365客戶以及合作伙伴來說應該有較高的實用價值。 當我們沒有圖形化界面可以使用的時候，你就會由衷地感慨，腳本（例如PowerShell）確實是很強大的，而且通過腳本的探索過程，你可以更加清晰地理解其背后的邏輯。

總結

以上是生活随笔為你收集整理的【转】掀起Azure AD的盖头来——深入理解Microsoft Graph应用程序和服务权限声明的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。