使用图API在Azure Active Directory中创建应用程序失败
本文关键字:Directory 创建 应用程序 失败 Active Azure API | 更新日期: 2023-09-27 18:29:59
我正在尝试使用Azure Active Directory Graph API(带有Azure GraphClient nuget包)在Azure AD中创建新应用程序。
我已经使用现有的AAD应用程序进行了身份验证,因此我可以对目录进行写访问。
但是,当创建新的应用程序对象时,Azure Graph API返回此错误:
{"odata.error": {
"code":"Request_BadRequest",
"message": {
"lang":"en",
"value":"Property value cannot have duplicate id or claim values."
},
"values":
[{
"item":"PropertyName",
"value":"None"
},
{
"item":"PropertyErrorCode",
"value":"DuplicateValue"
}
]
}
}
它没有说明哪个属性有重复的id或声明值——错误消息中有两个空格,就好像名称丢失了一样。
创建应用程序对象的代码如下:
var appname = "Test Application create " + DateTime.Now.Ticks;
var application = new Application()
{
AvailableToOtherTenants = false,
DisplayName = appname,
ErrorUrl = null,
GroupMembershipClaims = null,
Homepage = "http://www.domain.com",
IdentifierUris = new List<string>() {{"https://domain.com/"+ appname } },
KeyCredentials = new List<KeyCredential>(),
KnownClientApplications = new List<Guid>(),
LogoutUrl = null,
Oauth2AllowImplicitFlow = false,
Oauth2AllowUrlPathMatching = false,
Oauth2Permissions = new List<OAuth2Permission>()
{
{
new OAuth2Permission()
{
AdminConsentDescription =
$"Allow the application to access {appname} on behalf of the signed-in user.",
AdminConsentDisplayName = $"Access {appname}",
Id = Guid.NewGuid(),
IsEnabled = true,
Type = "User",
UserConsentDescription =
$"Allow the application to access {appname} on your behalf.",
UserConsentDisplayName = $"Access {appname}",
Value = "user_impersonation"
}
}
},
Oauth2RequirePostResponse = false,
PasswordCredentials = new List<PasswordCredential>(),
PublicClient = false,
ReplyUrls = new List<string>(),
RequiredResourceAccess = new List<RequiredResourceAccess>(),
SamlMetadataUrl = null,
ExtensionProperties = new List<ExtensionProperty>(),
Manager = null,
ObjectType = "Application",
DeletionTimestamp = null,
CreatedOnBehalfOf = null,
CreatedObjects = new List<DirectoryObject>(),
DirectReports = new List<DirectoryObject>(),
Members = new List<DirectoryObject>(),
MemberOf = new List<DirectoryObject>(),
Owners = new List<DirectoryObject>(),
OwnedObjects = new List<DirectoryObject>()
};
await client.Applications.AddApplicationAsync(application);
我是不是错过了一处房产?似乎没有任何非唯一的属性,并且应用程序是用唯一的名称创建的。
错误消息确实非常令人困惑,但问题是您正试图定义一个已经定义的范围值(user_impersonation)。
如果您运行此代码,您会发现应用程序已在您的目录中成功创建:
var appname = "Test Application create " + DateTime.Now.Ticks;
var application = new Application()
{
AvailableToOtherTenants = false,
DisplayName = appname,
ErrorUrl = null,
GroupMembershipClaims = null,
Homepage = "http://www.domain.com",
IdentifierUris = new List<string>() {{"https://domain.com/"+ "Test" } },// CHANGED LINE
KeyCredentials = new List<KeyCredential>(),
KnownClientApplications = new List<Guid>(),
LogoutUrl = null,
Oauth2AllowImplicitFlow = false,
Oauth2AllowUrlPathMatching = false,
Oauth2Permissions = new List<OAuth2Permission>()
{
{
new OAuth2Permission()
{
AdminConsentDescription =
$"Allow the application to access {appname} on behalf of the signed-in user.",
AdminConsentDisplayName = $"Access {appname}",
Id = Guid.NewGuid(),
IsEnabled = true,
Type = "User",
UserConsentDescription =
$"Allow the application to access {appname} on your behalf.",
UserConsentDisplayName = $"Access {appname}",
Value = "custom_scope" // CHANGED LINE
}
}
},
Oauth2RequirePostResponse = false,
PasswordCredentials = new List<PasswordCredential>(),
PublicClient = false,
ReplyUrls = new List<string>(),
RequiredResourceAccess = new List<RequiredResourceAccess>(),
SamlMetadataUrl = null,
ExtensionProperties = new List<ExtensionProperty>(),
Manager = null,
ObjectType = "Application",
DeletionTimestamp = null,
CreatedOnBehalfOf = null,
CreatedObjects = new List<DirectoryObject>(),
DirectReports = new List<DirectoryObject>(),
Members = new List<DirectoryObject>(),
MemberOf = new List<DirectoryObject>(),
Owners = new List<DirectoryObject>(),
OwnedObjects = new List<DirectoryObject>()
};
await client.Applications.AddApplicationAsync(application);
另外,您的IdentifierUris不能包含空格,所以我将其更改为硬编码字符串。
HTH