Quickstart: Grant permission to create unlimited app registrations

In this quickstart guide, you will create a custom role with permission to create an unlimited number of app registrations, and then assign that role to a user. The assigned user can then use the Azure AD portal, Azure AD PowerShell, or the Microsoft Graph API to create application registrations. Unlike the built-in Application Developer role, this custom role grants the ability to create an unlimited number of application registrations. The Application Developer role grants the same ability, but the total number of objects a user can create is limited to 250 to prevent hitting the directory-wide object quota. The least privileged role required to create and assign Azure AD custom roles is Privileged Role administrator.

If you don't have an Azure subscription, create a Trial before you begin.

Create a custom role using the Azure AD portal

  1. Sign in to the Azure AD admin center with Privileged Role administrator or Global administrator permissions in the Azure AD organization.

  2. Select Azure Active Directory, select Roles and administrators, and then select New custom role.

    Create or edit roles from the Roles and administrators page

  3. On the Basics tab, provide "Application Registration Creator" for the name of the role and "Can create an unlimited number of application registrations" for the role description, and then select Next.

    Provide a name and description for the custom role on the Basics tab

  4. On the Permissions tab, enter "microsoft.directory/applications/create" in the search box, select the checkboxes next to the desired permissions, and then select Next.

    Select the permissions for the custom role on the Permissions tab

  5. On the Review + create tab, review the permissions and select Create.

Assign the role in the Azure AD portal

  1. Sign in to the Azure AD admin center with Privileged Role administrator or Global administrator permissions in your Azure AD organization.
  2. Select Azure Active Directory, and then select Roles and administrators.
  3. Select the Application Registration Creator role, and then select Add assignment.
  4. Select the desired user and click Select to add the user to the role.

Done! In this quickstart, you successfully created a custom role with permission to create an unlimited number of app registrations, and then assigned that role to a user.

Tip

To assign the role to an application using the Azure AD portal, enter the name of the application into the search box of the assignment page. Applications are not shown in the list by default, but are returned in search results.

App registration permissions

There are two permissions available for granting the ability to create application registrations, each with different behavior:

  • microsoft.directory/applications/createAsOwner: Assigning this permission results in the creator being added as the first owner of the created app registration, and the created app registration counts against the creator's quota of 250 created objects.
  • microsoft.directory/applicationPolicies/create: Assigning this permission results in the creator not being added as the first owner of the created app registration, and the created app registration does not count against the creator's quota of 250 created objects. Use this permission carefully, because nothing prevents the assignee from creating app registrations until the directory-level quota is hit. If both permissions are assigned, this permission takes precedence.

Create a custom role in Azure AD PowerShell

Prepare PowerShell

First, install the Azure AD PowerShell module from the PowerShell Gallery. Then import the Azure AD PowerShell preview module using the following command:

import-module azureadpreview

To verify that the module is ready to use, match the version returned by the following command to the one listed here:

get-module azureadpreview
  ModuleType Version      Name                         ExportedCommands
  ---------- ---------    ----                         ----------------
  Binary     2.0.0.115    azureadpreview               {Add-AzureADAdministrati...}

Create the custom role in Azure AD PowerShell

Create a new role using the following PowerShell script:


# Basic role information
$displayName = "Application Registration Creator"
$description = "Can create an unlimited number of application registrations."
$templateId = (New-Guid).Guid

# Set of permissions to grant
$allowedResourceAction =
@(
    "microsoft.directory/applications/create"
    "microsoft.directory/applications/createAsOwner"
)
$rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}

# Create new custom admin role
$customRole = New-AzureAdMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true

Assign the role in Azure AD PowerShell

Assign the role using the following PowerShell script:

# Get the user and role definition you want to link
$user = Get-AzureADUser -Filter "userPrincipalName eq 'Adam@contoso.com'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Registration Creator'"

# Get resource scope for assignment
$resourceScope = '/'

# Create a scoped role assignment
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
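After creating and assigning the role, an administrator will want to confirm what was actually granted and to whom. The following script is an added example, not part of the original page or of the AzureAD module's own documentation: it looks up the custom role, reports which of the two create permissions discussed in the App registration permissions section it carries (the quota-exempt applications/create versus createAsOwner), and then lists every principal, user or service principal, that currently holds the role. It assumes the AzureADPreview module is imported and Connect-AzureAD has already been run with sufficient rights; the $roleName value is the role name used throughout this page.

```powershell
# Added example: audit the "Application Registration Creator" custom role.
# Assumes the AzureADPreview module is imported and Connect-AzureAD has been run.
$roleName = "Application Registration Creator"

# Look up the role definition created earlier on this page.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDefinition) {
    throw "Role definition '$roleName' was not found in this tenant."
}

# Flatten the allowed resource actions of every permission entry on the role.
$allowedActions = @($roleDefinition.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

# Report whether the role grants the quota-exempt create, createAsOwner, or both.
$grantsUnlimitedCreate = $allowedActions -contains "microsoft.directory/applications/create"
$grantsCreateAsOwner   = $allowedActions -contains "microsoft.directory/applications/createAsOwner"
Write-Output ("Role '{0}' (Id {1}) enabled: {2}" -f $roleDefinition.DisplayName, $roleDefinition.Id, $roleDefinition.IsEnabled)
Write-Output ("  grants applications/create (not counted against the 250-object quota): {0}" -f $grantsUnlimitedCreate)
Write-Output ("  grants applications/createAsOwner (counted against the quota):       {0}" -f $grantsCreateAsOwner)

# Enumerate every assignment of this role, then resolve the principal ids to directory objects.
$assignments = @(Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'")
if ($assignments.Count -eq 0) {
    Write-Output "No principals are currently assigned to this role."
    return
}

# Get-AzureADObjectByObjectId resolves users and service principals alike in one call.
$principalIds = $assignments | ForEach-Object { $_.PrincipalId }
$principals   = Get-AzureADObjectByObjectId -ObjectIds $principalIds

Write-Output "Principals holding the role:"
foreach ($assignment in $assignments) {
    $principal = $principals | Where-Object { $_.ObjectId -eq $assignment.PrincipalId }
    Write-Output ("  {0,-18} {1,-40} {2}" -f $principal.ObjectType, $principal.DisplayName, $assignment.PrincipalId)
}
```

Because applications/create lets an assignee create registrations until the directory-wide quota is reached, running this review periodically (or on a schedule that feeds a ticket queue) is a cheap way to keep the list of holders of this role deliberate rather than accumulated.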

Create a custom role in the Microsoft Graph API

HTTP request to create the custom role.

POST

https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleDefinitions

Body

{
    "description":"Can create an unlimited number of application registrations.",
    "displayName":"Application Registration Creator",
    "isEnabled":true,
    "rolePermissions":
    [
        {
            "resourceActions":
            {
                "allowedResourceActions":
                [
                    "microsoft.directory/applications/create",
                    "microsoft.directory/applications/createAsOwner"
                ]
            },
            "condition":null
        }
    ],
    "templateId":"<PROVIDE NEW GUID HERE>",
    "version":"1"
}

Assign the role in the Microsoft Graph API

The role assignment combines a security principal ID (which can be a user or a service principal), a role definition (role) ID, and an Azure AD resource scope.

HTTP request to assign a custom role.

POST

https://microsoftgraph.chinacloudapi.cn/beta/roleManagement/directory/roleAssignments

Body

{
    "principalId":"<PROVIDE OBJECTID OF USER TO ASSIGN HERE>",
    "roleDefinitionId":"<PROVIDE OBJECTID OF ROLE DEFINITION HERE>",
    "resourceScopes":["/"]
}
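The two request bodies above leave the template GUID, the user's object ID and the role definition ID as placeholders to be pasted in by hand. The following PowerShell script is an added example, not taken from the original page or from Microsoft's documentation, that chains the two calls against the same beta endpoint the page uses: it generates the template GUID, creates the role definition, takes the new definition's id from the response, resolves the user's object ID from their UPN, creates the assignment at tenant scope, and finally reads the assignments back so the result can be verified. It assumes you already hold a bearer token in $accessToken (obtained separately, for example with a signed-in administrator account) that carries the RoleManagement.ReadWrite.Directory permission; the $userPrincipalName value is a constructed example.

```powershell
# Added example: create and assign the custom role end to end through Microsoft Graph.
# Assumes $accessToken already holds a valid bearer token with the
# RoleManagement.ReadWrite.Directory permission (how it was obtained is out of scope here).
$graphBase         = "https://microsoftgraph.chinacloudapi.cn/beta"   # same endpoint as the page
$userPrincipalName = "Adam@contoso.com"                               # constructed example value
$headers           = @{ Authorization = "Bearer $accessToken" }

# 1. Create the role definition. templateId must be a fresh GUID, so generate one.
$roleDefinitionBody = @{
    description     = "Can create an unlimited number of application registrations."
    displayName     = "Application Registration Creator"
    isEnabled       = $true
    rolePermissions = @(
        @{
            resourceActions = @{
                allowedResourceActions = @(
                    "microsoft.directory/applications/create",
                    "microsoft.directory/applications/createAsOwner"
                )
            }
            condition = $null
        }
    )
    templateId = [guid]::NewGuid().ToString()
    version    = "1"
}
$roleDefinition = Invoke-RestMethod -Method Post `
    -Uri "$graphBase/roleManagement/directory/roleDefinitions" `
    -Headers $headers -ContentType "application/json" `
    -Body ($roleDefinitionBody | ConvertTo-Json -Depth 6)
Write-Output "Created role definition $($roleDefinition.id)"

# 2. Resolve the user's object id from the UPN instead of pasting it by hand.
$user = Invoke-RestMethod -Method Get -Uri "$graphBase/users/$userPrincipalName" -Headers $headers

# 3. Assign the role at tenant scope ("/") to that user, using the id returned in step 1.
$assignmentBody = @{
    principalId      = $user.id
    roleDefinitionId = $roleDefinition.id
    resourceScopes   = @("/")
}
$assignment = Invoke-RestMethod -Method Post `
    -Uri "$graphBase/roleManagement/directory/roleAssignments" `
    -Headers $headers -ContentType "application/json" `
    -Body ($assignmentBody | ConvertTo-Json -Depth 3)
Write-Output "Created role assignment $($assignment.id) for $($user.userPrincipalName)"

# 4. Verify: list every assignment of this role definition so the change can be reviewed.
$filter      = [uri]::EscapeDataString("roleDefinitionId eq '$($roleDefinition.id)'")
$assignments = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$graphBase/roleManagement/directory/roleAssignments?`$filter=$filter"
foreach ($a in $assignments.value) {
    Write-Output ("  assignment {0}: principal {1}" -f $a.id, $a.principalId)
}
```

Keeping the verification step in the same script means the person who ran it has a record of every principal holding the role at the moment it was granted, which is the baseline a later review can be compared against.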

Next steps