How to set properties of Azure Active Directory service principal from code?

此生再无相见时 submitted on 2020-04-18 05:47:38

Question


I have created AAD application from gallery. There is one in app registrations section and one in enterprise applications. App registrations application points to the enterprise app (managed application in local directory).

I want to configure SAML SSO for the enterprise app. There are a few required properties which have to be set.

I am able to set Sign on URL (using graph api), but I cannot set Identifier (Entity ID) and Reply URL. I thought that this will do the job:

Set-AzureADApplication -ObjectId <id of app from App registrations> 
         -IdentifierUris $Identifiers -ReplyUrls $ReplyUrls

but the enterprise app is untouched. Also Set-AzureADServicePrincipal doesn't seem to work for me.

There are no errors. Nothing changed on the portal after refresh. I am connected to correct tenant and have fresh modules installed.

I tried also with RM: Update-AzureRmADApplication, Set-AzureRmADApplication, Set-AzureRmADServicePrincipal, Update-AzureRmADServicePrincipal. I also couldn't find a working graph api.

Is there a way to do this from code? Maybe I am just doing something wrong and it's working for you? I would be grateful for some help. Thanks


Answer 1:


but the enterprise app is untouched.

Actually, the enterprise app has been affected; we can check it via Microsoft Graph after using Set-AzureADApplication. It just does not appear in the portal. It may be a bug, I am not sure.

$Identifiers = @(
    "http://www.tableau.com/products/server",
    "https://azure.idtest.link"
)
$ReplyUrls = @(
    "https://azure.rptest.link/wg/saml/SSO/index.html"
)
Set-AzureADApplication -ObjectId <object-id of the AD App> -IdentifierUris $Identifiers -ReplyUrls $ReplyUrls 

If we set them in the portal the first time and then run the commands again, you will find it works.

And it looks like there is no way to set the Default Reply URL via PowerShell or API; if we set a Reply URL which is different from the one set manually in the portal, it will show a prompt like the one below.

But if we look into it, the Default option is actually checked.

Update:

Eventually, I found the trick. It is not a bug; we just need to set the preferredSingleSignOnMode for the service principal first via Microsoft Graph, and then we won't need to configure that in the portal manually.

Sample:

PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>

{
  "preferredSingleSignOnMode":"saml",
  "loginUrl": "https://azure.signtest.link"
}
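The following is an added example, not code from the question or the answer above. It applies the answer's order of operations (set preferredSingleSignOnMode on the service principal first, then set identifiers and reply URLs on the application) using the Microsoft.Graph PowerShell module instead of the AzureAD module, and then reads the service principal back through Graph to confirm the change instead of trusting what the portal shows. The object ids and URLs are placeholders and constructed sample values; the module name, the Connect-MgGraph scope and the Graph property names (servicePrincipalNames, replyUrls, web.redirectUris) are assumptions from the Microsoft Graph documentation, not from the page.

```powershell
# Added example (not from the question or answer): apply the answer's SAML
# setup order through Microsoft Graph and verify the result on the service
# principal. Assumes the Microsoft.Graph module is installed
# (Install-Module Microsoft.Graph) and the caller can consent to the scope.

$appObjectId = '<object-id of the app registration>'    # placeholder, replace
$spObjectId  = '<object-id of the service principal>'   # placeholder, replace

# Constructed sample values; replace with the identity provider's real settings.
$identifierUris = @('https://example.invalid/saml-entity-id')
$replyUrls      = @('https://example.invalid/saml/acs')
$loginUrl       = 'https://example.invalid/login'

# One scope covers writes to both the application object and the service principal.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null

# Step 1 (the trick from the answer): put the service principal into SAML mode
# before touching identifiers and reply URLs. The answer uses the beta endpoint.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/servicePrincipals/$spObjectId" `
    -Body @{ preferredSingleSignOnMode = 'saml'; loginUrl = $loginUrl } `
    -ContentType 'application/json'

# Step 2: the same change Set-AzureADApplication makes, as a Graph PATCH on the
# application object (identifierUris and web.redirectUris).
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId" `
    -Body @{ identifierUris = $identifierUris; web = @{ redirectUris = $replyUrls } } `
    -ContentType 'application/json'

# Step 3: verify on the service principal (the enterprise app), which is what
# the SAML SSO configuration actually reads, rather than relying on the portal.
$sp = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spObjectId"

# Identifier URIs surface on the service principal as servicePrincipalNames;
# the application's redirect URIs surface as replyUrls.
$missingIds   = $identifierUris | Where-Object { $sp.servicePrincipalNames -notcontains $_ }
$missingReply = $replyUrls      | Where-Object { $sp.replyUrls -notcontains $_ }

if ($sp.preferredSingleSignOnMode -ne 'saml' -or $missingIds -or $missingReply) {
    Write-Error ("Service principal not in expected state. Mode: $($sp.preferredSingleSignOnMode); " +
                 "missing identifiers: $($missingIds -join ', '); " +
                 "missing reply URLs: $($missingReply -join ', ')")
} else {
    Write-Output "SAML settings confirmed on service principal $spObjectId"
}
```

The final GET is the useful part for the situation described in the question: when the portal lags behind or does not render a property, the service principal's own replyUrls and servicePrincipalNames are the authoritative values the SAML flow will use, so a script that checks them after each change catches a silently unapplied setting without refreshing the portal.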


Source: https://stackoverflow.com/questions/61179830/how-to-set-properties-of-azure-active-directory-service-principal-from-code
