How to set up oauth2AllowIdTokenImplicitFlow in an Azure AD application from the console?

Submitted by 元气小坏坏 on 2021-02-08 11:21:34

Question


Is there any way to change the property oauth2AllowIdTokenImplicitFlow of an Azure AD application via Azure CLI or Azure PowerShell?


Answer 1:


The built-in PowerShell or CLI does not support setting oauth2AllowIdTokenImplicitFlow currently. Also, it seems the property can only be found in the manifest of the AD App; I could not find it in any doc (including the MS Graph or Azure AD Graph).

But per my test, you could set the oauth2AllowIdTokenImplicitFlow via Azure AD Graph API.

There are two ways for you to call the Azure AD Graph API: use Azure AD Graph Explorer or PowerShell.

  • Use Azure AD Graph Explorer

Use Azure AD Graph Explorer, just log in with your user account (make sure you have the permission to update the application), then call the API as below.

PATCH https://graph.windows.net/myorganization/applications/{object id of the application}?api-version=1.6

{
    "oauth2AllowIdTokenImplicitFlow":true
}

Note: When you send the request, it seems the progress bar never finishes. I am not sure if it is a bug, but it actually works after a while; you just need to change the PATCH to GET to check the oauth2AllowIdTokenImplicitFlow of the application.

  • Use PowerShell

If you want to use PowerShell, follow the steps below.

1. Create an Azure Active Directory application, then create a new application secret and get the values for signing in.

2. Navigate to Azure Active Directory in the portal -> App registrations -> find and click your app -> API permissions -> Add a permission -> select Azure Active Directory Graph -> click Application permissions -> select the Application.ReadWrite.All permission -> click Add permissions -> click Grant admin consent for xxx.

3. Then use the PowerShell script below; it works fine on my side (it returns nothing when it succeeds). You can check the result in the portal or with Azure AD Graph Explorer.

$ClientID       = "a6ec906d-xxxxx00dd3" # Application (client) ID of the app registration created in step 1
$ClientSecret   = "XwaNxxxxx/44"        # client secret of that app registration
$tennantid      = "bb58xxxxxxd6c65"     # tenant ID
$objectid       = "ca8xxxef66db07c0"    # object ID of the application whose flag you want to change

# Token endpoint of the tenant and the resource (audience) for Azure AD Graph
$TokenEndpoint = "https://login.windows.net/$tennantid/oauth2/token"
$ARMResource   = "https://graph.windows.net/"

# Client-credentials request body (sent as application/x-www-form-urlencoded)
$Body = @{
    'resource'      = $ARMResource
    'client_id'     = $ClientID
    'grant_type'    = 'client_credentials'
    'client_secret' = $ClientSecret
}

$params = @{
    ContentType = 'application/x-www-form-urlencoded'
    Headers     = @{ 'accept' = 'application/json' }
    Body        = $Body
    Method      = 'Post'
    URI         = $TokenEndpoint
}

$token = Invoke-RestMethod @params

$accesstoken = $token.access_token

# Azure AD Graph endpoint of the target application
$url = "https://graph.windows.net/$tennantid/applications/${objectid}?api-version=1.6"

$header = @{
    'Authorization' = 'Bearer ' + $accesstoken
    'Content-Type'  = 'application/json'
}

# Use a real boolean so ConvertTo-Json emits true/false rather than the string "false"
$json = @{
    oauth2AllowIdTokenImplicitFlow = $false # or $true
}

$body = $json | ConvertTo-Json

Invoke-RestMethod -Uri $url -Headers $header -Body $body -Method PATCH


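The answer above sends the PATCH and then tells you to re-issue the request as a GET to check the result. The following is an added example (not code from the original answer or from Microsoft) that wraps those Azure AD Graph calls into functions: it reads the flag before writing, PATCHes it as a JSON boolean, re-reads it to confirm the change actually landed, and adds a tenant-wide audit that lists every application with either implicit-grant flag turned on, so you can see where tokens are still being returned in URL fragments. It assumes the same app registration with Application.ReadWrite.All on Azure AD Graph as step 2 above; the tenant ID, client ID, client secret and object ID are placeholders, and the function names are my own.

```powershell
# Added example, not from the original answer. Placeholders must be replaced.
$TenantId     = "<tenant id>"
$ClientId     = "<application (client) id>"
$ClientSecret = "<client secret>"
$GraphBase    = "https://graph.windows.net"

function Get-AadGraphToken {
    # Client-credentials token for the Azure AD Graph resource (same endpoint as the answer above).
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        resource      = "$GraphBase/"
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.windows.net/$TenantId/oauth2/token" `
                              -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $resp.access_token
}

function Get-AppImplicitFlowSettings {
    # GET the application and return just the two implicit-grant flags.
    param([string]$Token, [string]$TenantId, [string]$ObjectId)
    $app = Invoke-RestMethod -Method Get -Headers @{ Authorization = "Bearer $Token" } `
                             -Uri "$GraphBase/$TenantId/applications/${ObjectId}?api-version=1.6"
    [pscustomobject]@{
        DisplayName                    = $app.displayName
        ObjectId                       = $app.objectId
        Oauth2AllowImplicitFlow        = $app.oauth2AllowImplicitFlow        # access tokens via implicit grant
        Oauth2AllowIdTokenImplicitFlow = $app.oauth2AllowIdTokenImplicitFlow # ID tokens via implicit grant
    }
}

function Set-AppIdTokenImplicitFlow {
    # PATCH the flag, then read it back: the answer notes the PATCH gives no useful feedback.
    param([string]$Token, [string]$TenantId, [string]$ObjectId, [bool]$Enabled)
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $uri     = "$GraphBase/$TenantId/applications/${ObjectId}?api-version=1.6"
    $before  = Get-AppImplicitFlowSettings -Token $Token -TenantId $TenantId -ObjectId $ObjectId
    # $Enabled is a [bool], so ConvertTo-Json emits a JSON true/false, not the string "false".
    $body = @{ oauth2AllowIdTokenImplicitFlow = $Enabled } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -Body $body | Out-Null
    $after = Get-AppImplicitFlowSettings -Token $Token -TenantId $TenantId -ObjectId $ObjectId
    if ($after.Oauth2AllowIdTokenImplicitFlow -ne $Enabled) {
        throw "PATCH returned without error, but the flag still reads $($after.Oauth2AllowIdTokenImplicitFlow)"
    }
    [pscustomobject]@{
        ObjectId = $ObjectId
        Before   = $before.Oauth2AllowIdTokenImplicitFlow
        After    = $after.Oauth2AllowIdTokenImplicitFlow
    }
}

function Find-AppsWithImplicitFlow {
    # Tenant-wide audit: every application with either implicit-grant flag enabled.
    param([string]$Token, [string]$TenantId)
    $headers = @{ Authorization = "Bearer $Token" }
    $uri = "$GraphBase/$TenantId/applications?api-version=1.6&`$top=999"
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        foreach ($app in $page.value) {
            if ($app.oauth2AllowImplicitFlow -or $app.oauth2AllowIdTokenImplicitFlow) {
                [pscustomobject]@{
                    DisplayName                    = $app.displayName
                    ObjectId                       = $app.objectId
                    Oauth2AllowImplicitFlow        = $app.oauth2AllowImplicitFlow
                    Oauth2AllowIdTokenImplicitFlow = $app.oauth2AllowIdTokenImplicitFlow
                }
            }
        }
        # Assumption: Azure AD Graph returns odata.nextLink relative to the tenant root.
        $next = $page.'odata.nextLink'
        $uri  = if ($next) { "$GraphBase/$TenantId/$next&api-version=1.6" } else { $null }
    }
}

# Usage (placeholders): disable ID-token implicit flow on one app, then audit the tenant.
$token = Get-AadGraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
Set-AppIdTokenImplicitFlow -Token $token -TenantId $TenantId -ObjectId "<object id>" -Enabled $false
Find-AppsWithImplicitFlow -Token $token -TenantId $TenantId | Format-Table -AutoSize
```

The read-back in Set-AppIdTokenImplicitFlow is the important part: the answer's own note says the PATCH never visibly completes, so a script that trusts the absence of an error can leave the flag unchanged without anyone noticing. The audit function is what you would run periodically, since both flags decide whether tokens are handed back in the URL fragment of the redirect, which is the property you normally want off unless a browser-only client genuinely depends on it.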

Answer 2:


If you just need the IdToken checked, you might want to use the property -Oauth2RequirePostResponse.

Update cmd:

Connect-AzureAD
Set-AzureADApplication -ObjectId {yourAppId} -Oauth2RequirePostResponse $true

Create cmd:

New-AzureADApplication -DisplayName "MyApp" `
                       -HomePage "https://www.myapp.com" `
                       -LogoutUrl "https://www.myapp.com/signout-oidc" `
                       -ReplyUrls  "https://www.myapp.com/signin-oidc" `
                       -IdentifierUris "https://tenant.onmicrosoft.com/MyApp" `
                       -Oauth2AllowImplicitFlow $false `
                       -Oauth2RequirePostResponse $true



Answer 3:


You can with the AzureAD PowerShell module (https://www.powershellgallery.com/packages/AzureAD):

Connect-AzureAD
Set-AzureADApplication -ObjectId 82384e2a-aaaa-aaaa-aaaa-11488797ce1d -Oauth2AllowImplicitFlow $true

You'll need the objectId of your app registration.



Source: https://stackoverflow.com/questions/56757068/how-to-setup-oauth2allowidtokenimplicitflow-in-azure-ad-application-from-console
