App consent permissions for custom roles in Azure Active Directory

This article lists the app consent permissions currently available for custom role definitions in Azure Active Directory (Azure AD), and the permissions required for some common scenarios related to app consent and permissions.

Required license plan

Using this feature requires an Azure AD Premium P1 license for your Azure AD organization. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Use the permissions listed in this article to manage app consent policies, as well as the permission to grant consent to apps.

Note

The Azure AD admin portal does not yet support adding the permissions listed in this article to a custom directory role definition. You must use Azure AD PowerShell to create a custom directory role with the permissions listed in this article.

To allow users to grant consent to applications on behalf of themselves (user consent), subject to an app consent policy:

  • microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.{id}

Where {id} is replaced by the ID of an app consent policy, which sets the conditions that must be met for this permission to be active.

For example, to allow users to grant consent on their own behalf, subject to the built-in app consent policy with ID microsoft-user-default-low, you would use the permission ...managePermissionGrantsForSelf.microsoft-user-default-low.

To delegate tenant-wide admin consent to apps, for both delegated permissions and application permissions (app roles):

  • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.{id}

Where {id} is replaced by the ID of an app consent policy, which sets the conditions that must be met for this permission to be usable.

For example, to allow role assignees to grant tenant-wide admin consent to apps subject to a custom app consent policy with ID low-risk-any-app, you would use the permission microsoft.directory/servicePrincipals/managePermissionGrantsForAll.low-risk-any-app.

To delegate the creation, update and deletion of app consent policies:

  • microsoft.directory/permissionGrantPolicies/create
  • microsoft.directory/permissionGrantPolicies/standard/read
  • microsoft.directory/permissionGrantPolicies/basic/update
  • microsoft.directory/permissionGrantPolicies/delete
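Because the portal cannot yet add these permissions to a custom role, here is an added PowerShell example (not code from the original article) that creates a custom directory role carrying the managePermissionGrantsForAll permission scoped to a policy and assigns it to a user. It assumes the AzureADPreview module is installed, that a custom app consent policy with the article's sample ID low-risk-any-app already exists in the tenant, and that the role name, description and the user UPN are placeholders to be replaced.

```powershell
# Added example, not from the original article. Assumes the AzureADPreview
# module; the policy ID "low-risk-any-app" is the article's sample and must
# already exist in the tenant. Role name, description and UPN are placeholders.
Connect-AzureAD

$policyId = "low-risk-any-app"

# The permission is only as restrictive as the policy it references, so confirm
# the policy exists (and review its conditions) before building the role.
$policy = Get-AzureADMSPermissionGrantPolicy -Id $policyId
if (-not $policy) { throw "App consent policy '$policyId' not found" }

# Resource actions for the custom role: tenant-wide admin consent limited by the
# policy, plus read access to policies so assignees can see what the limit is.
$allowedResourceActions = @(
    "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$policyId",
    "microsoft.directory/permissionGrantPolicies/standard/read"
)
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }

# Create the custom directory role.
$role = New-AzureADMSRoleDefinition `
    -DisplayName "App Consent Administrator (low-risk apps only)" `
    -Description "Can grant tenant-wide admin consent subject to the $policyId policy." `
    -TemplateId (New-Guid).Guid `
    -RolePermissions $rolePermissions `
    -IsEnabled $true

# Assign the role to a user at tenant scope ("/").
$user = Get-AzureADUser -ObjectId "consent.admin@contoso.example"   # placeholder UPN
New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.ObjectId -DirectoryScopeId "/"

# Verify which resource actions the new role actually carries.
(Get-AzureADMSRoleDefinition -Id $role.Id).RolePermissions.AllowedResourceActions
```

The policy lookup comes first on purpose: the permission string itself grants nothing beyond what the referenced policy allows, so an assignee's effective consent authority is defined entirely by that policy's conditions, which is where a reviewer should look when auditing the role.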

Full list of permissions

Permission and description

microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.{id}
    Grants the ability to consent to apps on behalf of self (user consent), subject to app consent policy {id}.

microsoft.directory/servicePrincipals/managePermissionGrantsForAll.{id}
    Grants the permission to consent to apps on behalf of all (tenant-wide admin consent), subject to app consent policy {id}.

microsoft.directory/permissionGrantPolicies/standard/read
    Grants the ability to read app consent policies.

microsoft.directory/permissionGrantPolicies/basic/update
    Grants the ability to update basic properties on existing app consent policies.

microsoft.directory/permissionGrantPolicies/create
    Grants the ability to create app consent policies.

microsoft.directory/permissionGrantPolicies/delete
    Grants the ability to delete app consent policies.

Next steps