Gerir aplicações Microsoft Entra com o Microsoft Graph

Microsoft Entra aplicações permitem o acesso seguro aos recursos na cloud da Microsoft. O Microsoft Graph fornece um ponto final de API unificado que lhe permite criar, configurar e gerir programaticamente estas aplicações e os respetivos principais de serviço associados. Este artigo mostra-lhe como automatizar tarefas comuns de gestão de aplicações com o Microsoft Graph, incluindo registar aplicações, atualizar propriedades, atribuir permissões e gerir credenciais.

Pré-requisitos

Para testar as operações da API, inicie sessão no Graph Explorer com uma conta que lhe permite criar e gerir aplicações no seu inquilino.

Registar uma aplicação no Microsoft Entra ID

Crie uma aplicação ao especificar a propriedade displayName necessária. O pedido utiliza valores predefinidos para outras propriedades.

Permissão delegada com menos privilégios: Application.ReadWrite.All.

POST https://graph.microsoft.com/v1.0/applications
Content-type: application/json

{
  "displayName": "My application"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	DisplayName = "My application",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications.PostAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
displayName := "My application"
requestBody.SetDisplayName(&displayName) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
application.setDisplayName("My application");
Application result = graphClient.applications().post(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
  displayName: 'My application'
};

await client.api('/applications')
	.post(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$requestBody->setDisplayName('My application');

$result = $graphServiceClient->applications()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	displayName = "My application"
}

New-MgApplication -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	display_name = "My application",
)

result = await graph_client.applications.post(request_body)

O pedido devolve uma 201 Created resposta com o objeto da aplicação no corpo da resposta. A aplicação obtém um ID exclusivo para aplicações no inquilino e um appId globalmente exclusivo no ecossistema Microsoft Entra ID.

Criar um principal de serviço para uma aplicação

Permissão delegada com menos privilégios: Application.ReadWrite.All.

POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json

{
  "appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	AppId = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.PostAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()
appId := "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
requestBody.SetAppId(&appId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setAppId("fc876dd1-6bcb-4304-b9b6-18ddf1526b62");
ServicePrincipal result = graphClient.servicePrincipals().post(servicePrincipal);


const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
  appId: 'fc876dd1-6bcb-4304-b9b6-18ddf1526b62'
};

await client.api('/servicePrincipals')
	.post(servicePrincipal);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$requestBody->setAppId('fc876dd1-6bcb-4304-b9b6-18ddf1526b62');

$result = $graphServiceClient->servicePrincipals()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	appId = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
}

New-MgServicePrincipal -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
	app_id = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62",
)

result = await graph_client.service_principals.post(request_body)

O pedido devolve uma 201 Created resposta que inclui o objeto do principal de serviço no corpo da resposta.

Endereçar uma aplicação ou um objeto de principal de serviço

Referenciar uma aplicação ou um principal de serviço pelo respetivo ID. Esta sintaxe suporta os métodos GET, PATCH e DELETE HTTP.

https://graph.microsoft.com/v1.0/applications/{applicationObjectId}
https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalObjectId}

Referencie uma aplicação ou um principal de serviço pelo respetivo appId. Esta sintaxe suporta os métodos GET, PATCH e DELETE HTTP.

https://graph.microsoft.com/v1.0/applications(appId='appId')
https://graph.microsoft.com/v1.0/servicePrincipals(appId='appId')

Resolva um objeto de aplicação através do respetivo uniqueName com o método PATCH. Utilize esta propriedade para criar uma aplicação com o nome exclusivo, caso não exista, ou atualize-a se existir. Esta operação chama-se Upsert.

PATCH https://graph.microsoft.com/v1.0/applications(uniqueName='{uniqueName}')
Content-Type: application/json
Prefer: create-if-missing

{
  "displayName": "Display name"
}

Configurar outras propriedades básicas para a sua aplicação

Permissão delegada com menos privilégios: Application.ReadWrite.All.

Configure estas propriedades básicas para a sua aplicação:

Adicionar etiquetas para categorização (utilize HideApp para ocultar a aplicação do Meus Aplicativos e do Iniciador do Microsoft 365)
Adicionar um logótipo, termos de serviço e declaração de privacidade
Armazenar informações de contacto

PATCH https://graph.microsoft.com/v1.0/applications/0d0021e2-eaab-4b9f-a5ad-38c55337d63e/
Content-type: application/json

{
  "tags": [
      "HR",
      "Payroll",
      "HideApp"
  ],
  "info": {
      "logoUrl": "https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png",
      "marketingUrl": "https://www.contoso.com/app/marketing",
      "privacyStatementUrl": "https://www.contoso.com/app/privacy",
      "supportUrl": "https://www.contoso.com/app/support",
      "termsOfServiceUrl": "https://www.contoso.com/app/termsofservice"
  },
  "web": {
      "homePageUrl": "https://www.contoso.com/",
      "logoutUrl": "https://www.contoso.com/frontchannel_logout",
      "redirectUris": [
          "https://localhost"
      ]
  },
  "serviceManagementReference": "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	Tags = new List<string>
	{
		"HR",
		"Payroll",
		"HideApp",
	},
	Info = new InformationalUrl
	{
		LogoUrl = "https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png",
		MarketingUrl = "https://www.contoso.com/app/marketing",
		PrivacyStatementUrl = "https://www.contoso.com/app/privacy",
		SupportUrl = "https://www.contoso.com/app/support",
		TermsOfServiceUrl = "https://www.contoso.com/app/termsofservice",
	},
	Web = new WebApplication
	{
		HomePageUrl = "https://www.contoso.com/",
		LogoutUrl = "https://www.contoso.com/frontchannel_logout",
		RedirectUris = new List<string>
		{
			"https://localhost",
		},
	},
	ServiceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
tags := []string {
	"HR",
	"Payroll",
	"HideApp",
}
requestBody.SetTags(tags)
info := graphmodels.NewInformationalUrl()
logoUrl := "https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png"
info.SetLogoUrl(&logoUrl) 
marketingUrl := "https://www.contoso.com/app/marketing"
info.SetMarketingUrl(&marketingUrl) 
privacyStatementUrl := "https://www.contoso.com/app/privacy"
info.SetPrivacyStatementUrl(&privacyStatementUrl) 
supportUrl := "https://www.contoso.com/app/support"
info.SetSupportUrl(&supportUrl) 
termsOfServiceUrl := "https://www.contoso.com/app/termsofservice"
info.SetTermsOfServiceUrl(&termsOfServiceUrl) 
requestBody.SetInfo(info)
web := graphmodels.NewWebApplication()
homePageUrl := "https://www.contoso.com/"
web.SetHomePageUrl(&homePageUrl) 
logoutUrl := "https://www.contoso.com/frontchannel_logout"
web.SetLogoutUrl(&logoutUrl) 
redirectUris := []string {
	"https://localhost",
}
web.SetRedirectUris(redirectUris)
requestBody.SetWeb(web)
serviceManagementReference := "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
requestBody.SetServiceManagementReference(&serviceManagementReference) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
LinkedList<String> tags = new LinkedList<String>();
tags.add("HR");
tags.add("Payroll");
tags.add("HideApp");
application.setTags(tags);
InformationalUrl info = new InformationalUrl();
info.setLogoUrl("https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png");
info.setMarketingUrl("https://www.contoso.com/app/marketing");
info.setPrivacyStatementUrl("https://www.contoso.com/app/privacy");
info.setSupportUrl("https://www.contoso.com/app/support");
info.setTermsOfServiceUrl("https://www.contoso.com/app/termsofservice");
application.setInfo(info);
WebApplication web = new WebApplication();
web.setHomePageUrl("https://www.contoso.com/");
web.setLogoutUrl("https://www.contoso.com/frontchannel_logout");
LinkedList<String> redirectUris = new LinkedList<String>();
redirectUris.add("https://localhost");
web.setRedirectUris(redirectUris);
application.setWeb(web);
application.setServiceManagementReference("Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;");
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
  tags: [
      'HR',
      'Payroll',
      'HideApp'
  ],
  info: {
      logoUrl: 'https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png',
      marketingUrl: 'https://www.contoso.com/app/marketing',
      privacyStatementUrl: 'https://www.contoso.com/app/privacy',
      supportUrl: 'https://www.contoso.com/app/support',
      termsOfServiceUrl: 'https://www.contoso.com/app/termsofservice'
  },
  web: {
      homePageUrl: 'https://www.contoso.com/',
      logoutUrl: 'https://www.contoso.com/frontchannel_logout',
      redirectUris: [
          'https://localhost'
      ]
  },
  serviceManagementReference: 'Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;'
};

await client.api('/applications/0d0021e2-eaab-4b9f-a5ad-38c55337d63e/')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\InformationalUrl;
use Microsoft\Graph\Generated\Models\WebApplication;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$requestBody->setTags(['HR', 'Payroll', 'HideApp', 	]);
$info = new InformationalUrl();
$info->setLogoUrl('https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png');
$info->setMarketingUrl('https://www.contoso.com/app/marketing');
$info->setPrivacyStatementUrl('https://www.contoso.com/app/privacy');
$info->setSupportUrl('https://www.contoso.com/app/support');
$info->setTermsOfServiceUrl('https://www.contoso.com/app/termsofservice');
$requestBody->setInfo($info);
$web = new WebApplication();
$web->setHomePageUrl('https://www.contoso.com/');
$web->setLogoutUrl('https://www.contoso.com/frontchannel_logout');
$web->setRedirectUris(['https://localhost', 	]);
$requestBody->setWeb($web);
$requestBody->setServiceManagementReference('Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;');

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	tags = @(
	"HR"
"Payroll"
"HideApp"
)
info = @{
logoUrl = "https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png"
marketingUrl = "https://www.contoso.com/app/marketing"
privacyStatementUrl = "https://www.contoso.com/app/privacy"
supportUrl = "https://www.contoso.com/app/support"
termsOfServiceUrl = "https://www.contoso.com/app/termsofservice"
}
web = @{
homePageUrl = "https://www.contoso.com/"
logoutUrl = "https://www.contoso.com/frontchannel_logout"
redirectUris = @(
"https://localhost"
)
}
serviceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.informational_url import InformationalUrl
from msgraph.generated.models.web_application import WebApplication
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	tags = [
		"HR",
		"Payroll",
		"HideApp",
	],
	info = InformationalUrl(
		logo_url = "https://cdn.contoso.com/photo/2016/03/21/23/25/link-1271843_1280.png",
		marketing_url = "https://www.contoso.com/app/marketing",
		privacy_statement_url = "https://www.contoso.com/app/privacy",
		support_url = "https://www.contoso.com/app/support",
		terms_of_service_url = "https://www.contoso.com/app/termsofservice",
	),
	web = WebApplication(
		home_page_url = "https://www.contoso.com/",
		logout_url = "https://www.contoso.com/frontchannel_logout",
		redirect_uris = [
			"https://localhost",
		],
	),
	service_management_reference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;",
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

Permissão delegada com menos privilégios: Application.ReadWrite.All.

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/89473e09-0737-41a1-a0c3-1418d6908bcd

{
    "appRoleAssignmentRequired": true
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	AppRoleAssignmentRequired = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()
appRoleAssignmentRequired := true
requestBody.SetAppRoleAssignmentRequired(&appRoleAssignmentRequired) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setAppRoleAssignmentRequired(true);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);


const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
    appRoleAssignmentRequired: true
};

await client.api('/servicePrincipals/89473e09-0737-41a1-a0c3-1418d6908bcd')
	.update(servicePrincipal);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$requestBody->setAppRoleAssignmentRequired(true);

$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	appRoleAssignmentRequired = $true
}

Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
	app_role_assignment_required = True,
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)

Atribuir permissões a uma aplicação

Atribua permissões através do Microsoft Graph ao atualizar a propriedade requiredResourceAccess do objeto da aplicação. Este método é uma alternativa programática à utilização do centro de administração do Microsoft Entra. Inclua as permissões existentes e novas para evitar a remoção de permissões atribuídas, mas não concedidas.

A atribuição de permissões não as concede . Conceda consentimento do administrador no centro de administração do Microsoft Entra ou através de programação com as APIs do Microsoft Graph.

Permissão delegada com menos privilégios: Application.ReadWrite.All.

PATCH https://graph.microsoft.com/v1.0/applications/581088ba-83c5-4975-b8af-11d2d7a76e98
Content-Type: application/json

{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        },
        {
          "id": "3afa6a7d-9b1a-42eb-948e-1650a849e176",
          "type": "Role"
        }
      ]
    }
  ]
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	RequiredResourceAccess = new List<RequiredResourceAccess>
	{
		new RequiredResourceAccess
		{
			ResourceAppId = "00000002-0000-0000-c000-000000000000",
			ResourceAccess = new List<ResourceAccess>
			{
				new ResourceAccess
				{
					Id = Guid.Parse("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
					Type = "Scope",
				},
				new ResourceAccess
				{
					Id = Guid.Parse("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
					Type = "Role",
				},
			},
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()


requiredResourceAccess := graphmodels.NewRequiredResourceAccess()
resourceAppId := "00000002-0000-0000-c000-000000000000"
requiredResourceAccess.SetResourceAppId(&resourceAppId) 


resourceAccess := graphmodels.NewResourceAccess()
id := uuid.MustParse("311a71cc-e848-46a1-bdf8-97ff7156d8e6")
resourceAccess.SetId(&id) 
type := "Scope"
resourceAccess.SetType(&type) 
resourceAccess1 := graphmodels.NewResourceAccess()
id := uuid.MustParse("3afa6a7d-9b1a-42eb-948e-1650a849e176")
resourceAccess1.SetId(&id) 
type := "Role"
resourceAccess1.SetType(&type) 

resourceAccess := []graphmodels.ResourceAccessable {
	resourceAccess,
	resourceAccess1,
}
requiredResourceAccess.SetResourceAccess(resourceAccess)

requiredResourceAccess := []graphmodels.RequiredResourceAccessable {
	requiredResourceAccess,
}
requestBody.SetRequiredResourceAccess(requiredResourceAccess)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
LinkedList<RequiredResourceAccess> requiredResourceAccess = new LinkedList<RequiredResourceAccess>();
RequiredResourceAccess requiredResourceAccess1 = new RequiredResourceAccess();
requiredResourceAccess1.setResourceAppId("00000002-0000-0000-c000-000000000000");
LinkedList<ResourceAccess> resourceAccess = new LinkedList<ResourceAccess>();
ResourceAccess resourceAccess1 = new ResourceAccess();
resourceAccess1.setId(UUID.fromString("311a71cc-e848-46a1-bdf8-97ff7156d8e6"));
resourceAccess1.setType("Scope");
resourceAccess.add(resourceAccess1);
ResourceAccess resourceAccess2 = new ResourceAccess();
resourceAccess2.setId(UUID.fromString("3afa6a7d-9b1a-42eb-948e-1650a849e176"));
resourceAccess2.setType("Role");
resourceAccess.add(resourceAccess2);
requiredResourceAccess1.setResourceAccess(resourceAccess);
requiredResourceAccess.add(requiredResourceAccess1);
application.setRequiredResourceAccess(requiredResourceAccess);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
  requiredResourceAccess: [
    {
      resourceAppId: '00000002-0000-0000-c000-000000000000',
      resourceAccess: [
        {
          id: '311a71cc-e848-46a1-bdf8-97ff7156d8e6',
          type: 'Scope'
        },
        {
          id: '3afa6a7d-9b1a-42eb-948e-1650a849e176',
          type: 'Role'
        }
      ]
    }
  ]
};

await client.api('/applications/581088ba-83c5-4975-b8af-11d2d7a76e98')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\RequiredResourceAccess;
use Microsoft\Graph\Generated\Models\ResourceAccess;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$requiredResourceAccessRequiredResourceAccess1 = new RequiredResourceAccess();
$requiredResourceAccessRequiredResourceAccess1->setResourceAppId('00000002-0000-0000-c000-000000000000');
$resourceAccessResourceAccess1 = new ResourceAccess();
$resourceAccessResourceAccess1->setId('311a71cc-e848-46a1-bdf8-97ff7156d8e6');
$resourceAccessResourceAccess1->setType('Scope');
$resourceAccessArray []= $resourceAccessResourceAccess1;
$resourceAccessResourceAccess2 = new ResourceAccess();
$resourceAccessResourceAccess2->setId('3afa6a7d-9b1a-42eb-948e-1650a849e176');
$resourceAccessResourceAccess2->setType('Role');
$resourceAccessArray []= $resourceAccessResourceAccess2;
$requiredResourceAccessRequiredResourceAccess1->setResourceAccess($resourceAccessArray);

$requiredResourceAccessArray []= $requiredResourceAccessRequiredResourceAccess1;
$requestBody->setRequiredResourceAccess($requiredResourceAccessArray);


$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	requiredResourceAccess = @(
		@{
			resourceAppId = "00000002-0000-0000-c000-000000000000"
			resourceAccess = @(
				@{
					id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
					type = "Scope"
				}
				@{
					id = "3afa6a7d-9b1a-42eb-948e-1650a849e176"
					type = "Role"
				}
			)
		}
	)
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.required_resource_access import RequiredResourceAccess
from msgraph.generated.models.resource_access import ResourceAccess
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	required_resource_access = [
		RequiredResourceAccess(
			resource_app_id = "00000002-0000-0000-c000-000000000000",
			resource_access = [
				ResourceAccess(
					id = UUID("311a71cc-e848-46a1-bdf8-97ff7156d8e6"),
					type = "Scope",
				),
				ResourceAccess(
					id = UUID("3afa6a7d-9b1a-42eb-948e-1650a849e176"),
					type = "Role",
				),
			],
		),
	],
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

Criar funções de aplicação

Criar funções de aplicação num objeto de aplicação

Para adicionar ou atualizar funções de aplicações, inclua todas as funções existentes no seu pedido. Se omitir funções existentes, estas serão removidas.

PATCH https://graph.microsoft.com/v1.0/applications/bbd46130-e957-4c38-a116-d4d02afd1057
Content-Type: application/json

{
  "appRoles": [
    {
      "allowedMemberTypes": [
          "User",
          "Application"
      ],
      "description": "Survey.Read",
      "displayName": "Survey.Read",
      "id": "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0",
      "isEnabled": false,
      "origin": "Application",
      "value": "Survey.Read"
    }
  ]
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	AppRoles = new List<AppRole>
	{
		new AppRole
		{
			AllowedMemberTypes = new List<string>
			{
				"User",
				"Application",
			},
			Description = "Survey.Read",
			DisplayName = "Survey.Read",
			Id = Guid.Parse("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"),
			IsEnabled = false,
			Origin = "Application",
			Value = "Survey.Read",
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()


appRole := graphmodels.NewAppRole()
allowedMemberTypes := []string {
	"User",
	"Application",
}
appRole.SetAllowedMemberTypes(allowedMemberTypes)
description := "Survey.Read"
appRole.SetDescription(&description) 
displayName := "Survey.Read"
appRole.SetDisplayName(&displayName) 
id := uuid.MustParse("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0")
appRole.SetId(&id) 
isEnabled := false
appRole.SetIsEnabled(&isEnabled) 
origin := "Application"
appRole.SetOrigin(&origin) 
value := "Survey.Read"
appRole.SetValue(&value) 

appRoles := []graphmodels.AppRoleable {
	appRole,
}
requestBody.SetAppRoles(appRoles)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
LinkedList<AppRole> appRoles = new LinkedList<AppRole>();
AppRole appRole = new AppRole();
LinkedList<String> allowedMemberTypes = new LinkedList<String>();
allowedMemberTypes.add("User");
allowedMemberTypes.add("Application");
appRole.setAllowedMemberTypes(allowedMemberTypes);
appRole.setDescription("Survey.Read");
appRole.setDisplayName("Survey.Read");
appRole.setId(UUID.fromString("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"));
appRole.setIsEnabled(false);
appRole.setOrigin("Application");
appRole.setValue("Survey.Read");
appRoles.add(appRole);
application.setAppRoles(appRoles);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
  appRoles: [
    {
      allowedMemberTypes: [
          'User',
          'Application'
      ],
      description: 'Survey.Read',
      displayName: 'Survey.Read',
      id: '7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0',
      isEnabled: false,
      origin: 'Application',
      value: 'Survey.Read'
    }
  ]
};

await client.api('/applications/bbd46130-e957-4c38-a116-d4d02afd1057')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\AppRole;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$appRolesAppRole1 = new AppRole();
$appRolesAppRole1->setAllowedMemberTypes(['User', 'Application', 	]);
$appRolesAppRole1->setDescription('Survey.Read');
$appRolesAppRole1->setDisplayName('Survey.Read');
$appRolesAppRole1->setId('7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0');
$appRolesAppRole1->setIsEnabled(false);
$appRolesAppRole1->setOrigin('Application');
$appRolesAppRole1->setValue('Survey.Read');
$appRolesArray []= $appRolesAppRole1;
$requestBody->setAppRoles($appRolesArray);


$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	appRoles = @(
		@{
			allowedMemberTypes = @(
			"User"
		"Application"
	)
	description = "Survey.Read"
	displayName = "Survey.Read"
	id = "7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"
	isEnabled = $false
	origin = "Application"
	value = "Survey.Read"
}
)
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.app_role import AppRole
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	app_roles = [
		AppRole(
			allowed_member_types = [
				"User",
				"Application",
			],
			description = "Survey.Read",
			display_name = "Survey.Read",
			id = UUID("7a9ddfc4-cc8a-48ea-8275-8ecbffffd5a0"),
			is_enabled = False,
			origin = "Application",
			value = "Survey.Read",
		),
	],
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

Gerir proprietários

Identificar principais de serviço sem proprietário ou com apenas um proprietário

Permissão delegada com menos privilégios: Application.ReadWrite.All.

Esta solicitação exige o cabeçalho ConsistencyLevel definido como eventual porque $count está na solicitação. Para obter mais informações sobre a utilização de ConsistencyLevel e $count, veja Advanced query capabilities on directory objects (Capacidades de consulta avançadas em objetos de diretório).

Este pedido também devolve a contagem das aplicações que correspondem à condição de filtro.

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=owners/$count eq 0 or owners/$count eq 1&$count=true
ConsistencyLevel: eventual


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "owners/$count eq 0 or owners/$count eq 1";
	requestConfiguration.QueryParameters.Count = true;
	requestConfiguration.Headers.Add("ConsistencyLevel", "eventual");
});



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  abstractions "github.com/microsoft/kiota-abstractions-go"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
	  //other-imports
)

headers := abstractions.NewRequestHeaders()
headers.Add("ConsistencyLevel", "eventual")


requestFilter := "owners/$count eq 0 or owners/$count eq 1"
requestCount := true

requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
	Count: &requestCount,
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
	Headers: headers,
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "owners/$count eq 0 or owners/$count eq 1";
	requestConfiguration.queryParameters.count = true;
	requestConfiguration.headers.add("ConsistencyLevel", "eventual");
});


const options = {
	authProvider,
};

const client = Client.init(options);

let servicePrincipals = await client.api('/servicePrincipals')
	.header('ConsistencyLevel','eventual')
	.filter('owners/$count eq 0 or owners/$count eq 1')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\ServicePrincipalsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ServicePrincipalsRequestBuilderGetRequestConfiguration();
$headers = [
		'ConsistencyLevel' => 'eventual',
	];
$requestConfiguration->headers = $headers;

$queryParameters = ServicePrincipalsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "owners/\$count eq 0 or owners/\$count eq 1";
$queryParameters->count = true;
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->servicePrincipals()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Applications

Get-MgServicePrincipal -Filter "owners/`$count eq 0 or owners/`$count eq 1" -CountVariable CountVar  -ConsistencyLevel eventual


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
		filter = "owners/$count eq 0 or owners/$count eq 1",
		count = True,
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)
request_configuration.headers.add("ConsistencyLevel", "eventual")


result = await graph_client.service_principals.get(request_configuration = request_configuration)

Atribuir um proprietário a uma aplicação

Permissão delegada com menos privilégios: Application.ReadWrite.All.

No pedido seguinte, 8afc02cb-4d62-4dba-b536-9f6d73e9be26 encontra-se o ID de objeto de um utilizador ou principal de serviço.

POST https://graph.microsoft.com/v1.0/applications/7b45cf6d-9083-4eb2-92c4-a7e090f1fc40/owners/$ref
Content-Type: application/json

{
    "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ReferenceCreate
{
	OdataId = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Applications["{application-id}"].Owners.Ref.PostAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
requestBody.SetOdataId(&odataId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Applications().ByApplicationId("application-id").Owners().Ref().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.ReferenceCreate referenceCreate = new com.microsoft.graph.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26");
graphClient.applications().byApplicationId("{application-id}").owners().ref().post(referenceCreate);


const options = {
	authProvider,
};

const client = Client.init(options);

const directoryObject = {
    '@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26'
};

await client.api('/applications/7b45cf6d-9083-4eb2-92c4-a7e090f1fc40/owners/$ref')
	.post(directoryObject);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26');

$graphServiceClient->applications()->byApplicationId('application-id')->owners()->ref()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26"
}

New-MgApplicationOwnerByRef -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
	odata_id = "https://graph.microsoft.com/v1.0/directoryObjects/8afc02cb-4d62-4dba-b536-9f6d73e9be26",
)

await graph_client.applications.by_application_id('application-id').owners.ref.post(request_body)

Atribuir um proprietário a um principal de serviço

Permissão delegada com menos privilégios: Application.ReadWrite.All.

O pedido seguinte referencia o principal de serviço com o respetivo appId. Em alternativa, pode referenciá-lo com o ID de objeto no padrão ../servicePrincipals/{object ID}/owners/$ref. dddddddd-9999-0000-1111-eeeeeeeeeeee é o ID de objeto de um utilizador ou principal de serviço.

POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='00001111-aaaa-2222-bbbb-3333cccc4444')/owners/$ref
Content-Type: application/json

{
    "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/dddddddd-9999-0000-1111-eeeeeeeeeeee"
}

Bloquear propriedades confidenciais para principais de serviço

Utilize a funcionalidade de bloqueio de instância de aplicação para proteger as propriedades confidenciais dos principais de serviço contra alterações não autorizadas. O Yo pode bloquear as seguintes propriedades:

keyCredentials em que o tipo de utilização é Sign ou Verify.
passwordCredentials em que o tipo de utilização é Sign ou Verify.
propriedade tokenEncryptionKeyId .

Pode gerir a funcionalidade de bloqueio da instância da aplicação através da propriedade servicePrincipalLockConfiguration do objeto de aplicação da aplicação multi-inquilino.

Para bloquear todas as propriedades confidenciais de um principal de serviço

Quando isEnabled e allProperties está definido como true, mesmo que outras propriedades do objeto servicePrincipalLockConfiguration sejam null, todas as propriedades confidenciais do principal de serviço estão bloqueadas.

PATCH https://graph.microsoft.com/beta/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7

{
    "servicePrincipalLockConfiguration": {
        "isEnabled": true,
        "allProperties": true
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	ServicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration
	{
		IsEnabled = true,
		AllProperties = true,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
servicePrincipalLockConfiguration := graphmodels.NewServicePrincipalLockConfiguration()
isEnabled := true
servicePrincipalLockConfiguration.SetIsEnabled(&isEnabled) 
allProperties := true
servicePrincipalLockConfiguration.SetAllProperties(&allProperties) 
requestBody.SetServicePrincipalLockConfiguration(servicePrincipalLockConfiguration)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
ServicePrincipalLockConfiguration servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
servicePrincipalLockConfiguration.setIsEnabled(true);
servicePrincipalLockConfiguration.setAllProperties(true);
application.setServicePrincipalLockConfiguration(servicePrincipalLockConfiguration);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    servicePrincipalLockConfiguration: {
        isEnabled: true,
        allProperties: true
    }
};

await client.api('/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\ServicePrincipalLockConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
$servicePrincipalLockConfiguration->setIsEnabled(true);
$servicePrincipalLockConfiguration->setAllProperties(true);
$requestBody->setServicePrincipalLockConfiguration($servicePrincipalLockConfiguration);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	servicePrincipalLockConfiguration = @{
		isEnabled = $true
		allProperties = $true
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.service_principal_lock_configuration import ServicePrincipalLockConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	service_principal_lock_configuration = ServicePrincipalLockConfiguration(
		is_enabled = True,
		all_properties = True,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

Para bloquear propriedades confidenciais específicas de um principal de serviço

O exemplo seguinte bloqueia as propriedades keyCredentials e passwordCredentials do principal de serviço e ativa a funcionalidade de bloqueio da instância da aplicação.

PATCH https://graph.microsoft.com/beta/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7

{
    "servicePrincipalLockConfiguration": {
        "isEnabled": true,
        "credentialsWithUsageSign": true,
        "credentialsWithUsageVerify": true
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	ServicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration
	{
		IsEnabled = true,
		CredentialsWithUsageSign = true,
		CredentialsWithUsageVerify = true,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
servicePrincipalLockConfiguration := graphmodels.NewServicePrincipalLockConfiguration()
isEnabled := true
servicePrincipalLockConfiguration.SetIsEnabled(&isEnabled) 
credentialsWithUsageSign := true
servicePrincipalLockConfiguration.SetCredentialsWithUsageSign(&credentialsWithUsageSign) 
credentialsWithUsageVerify := true
servicePrincipalLockConfiguration.SetCredentialsWithUsageVerify(&credentialsWithUsageVerify) 
requestBody.SetServicePrincipalLockConfiguration(servicePrincipalLockConfiguration)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
ServicePrincipalLockConfiguration servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
servicePrincipalLockConfiguration.setIsEnabled(true);
servicePrincipalLockConfiguration.setCredentialsWithUsageSign(true);
servicePrincipalLockConfiguration.setCredentialsWithUsageVerify(true);
application.setServicePrincipalLockConfiguration(servicePrincipalLockConfiguration);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    servicePrincipalLockConfiguration: {
        isEnabled: true,
        credentialsWithUsageSign: true,
        credentialsWithUsageVerify: true
    }
};

await client.api('/applications/a0b7f39e-3139-48aa-9397-f46fb63102f7')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\ServicePrincipalLockConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$servicePrincipalLockConfiguration = new ServicePrincipalLockConfiguration();
$servicePrincipalLockConfiguration->setIsEnabled(true);
$servicePrincipalLockConfiguration->setCredentialsWithUsageSign(true);
$servicePrincipalLockConfiguration->setCredentialsWithUsageVerify(true);
$requestBody->setServicePrincipalLockConfiguration($servicePrincipalLockConfiguration);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	servicePrincipalLockConfiguration = @{
		isEnabled = $true
		credentialsWithUsageSign = $true
		credentialsWithUsageVerify = $true
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.service_principal_lock_configuration import ServicePrincipalLockConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	service_principal_lock_configuration = ServicePrincipalLockConfiguration(
		is_enabled = True,
		credentials_with_usage_sign = True,
		credentials_with_usage_verify = True,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

Configurar autoridades de certificação fidedignas para aplicações

Pode restringir a utilização de credenciais de certificado para aplicações no seu inquilino apenas para os certificados emitidos pelas autoridades de certificação fidedignas. Esta política é imposta quando adiciona um certificado a uma aplicação e não afeta os certificados existentes, a menos que sejam rodados. Quando uma aplicação tenta rodar as respetivas credenciais de certificado, passa pela avaliação da política para garantir que as credenciais adicionadas estão em conformidade com a restrição de autoridade de certificação fidedigna.

Passo 1: Criar uma cadeia de certificados de fidedignidade

Permissão delegada com menos privilégios: AppCertTrustConfiguration.Read.All função de Microsoft Entra com privilégios mínimos:Application Administrator

POST https://graph.microsoft.com/beta/certificateAuthorities/certificateBasedApplicationConfigurations

{
    "displayName": "Trusted Certificate Chain of Trust for Contoso",
    "description": "The Trusted Certificate Chain of Trust containing a certificate chain used by app policy, to only allow application certificates from selected issuer.",
    "trustedCertificateAuthorities": [
        {
            "isRootAuthority": true,
            "certificate": "MIIFVjCCAz6gAwIBAgIQJdrL...UyNDIyNTcwM1owPDE …="
        },
        {
            "isRootAuthority": false,
            "certificate": QAAAAAAWjABAQsFADA8M...UyNDIyNTcwM1o …="
        }
    ]
}

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const certificateBasedApplicationConfiguration = {
    displayName: 'Trusted Certificate Chain of Trust for Contoso',
    description: 'The Trusted Certificate Chain of Trust containing a certificate chain used by app policy, to only allow application certificates from selected issuer.',
    trustedCertificateAuthorities: [
        {
            isRootAuthority: true,
            certificate: 'MIIFVjCCAz6gAwIBAgIQJdrL...UyNDIyNTcwM1owPDE …='
        },
        {
            isRootAuthority: false,
            certificate: QAAAAAAWjABAQsFADA8M...UyNDIyNTcwM1o …="
        }
    ]
};

await client.api('/certificateAuthorities/certificateBasedApplicationConfigurations')
	.version('beta')
	.post(certificateBasedApplicationConfiguration);

Snippet not available

Snippet not available

Snippet not available

A solicitação retorna uma resposta 200 OK. A resposta inclui o ID da cadeia de certificados do objeto de fidedignidade. Suponha que o ID é eec5ba11-2fc0-4113-83a2-ed986ed13743 utilizado no Passo 2.

Passo 2: atribuir a cadeia de certificados de confiança a uma política de gestão de aplicações

O exemplo seguinte configura uma política para garantir que apenas os certificados emitidos pela autoridade de certificação intermédia definida no passo anterior podem ser adicionados a aplicações no inquilino. O objeto applicationRestrictions>keyCredentials define um restrictionType com o valor trustedCertificateAuthority, que referencia o ID que foi criado. Uma vez que esta política é aplicada à política de gestão de aplicações ao nível do inquilino predefinida, é imposta para todas as aplicações criadas no inquilino e rejeita tentativas de adicionar certificados não conformes como parte das credenciais de certificado de uma aplicação.

Esta política garante que apenas os certificados da autoridade de certificação intermédia especificada podem ser adicionados às aplicações. O objeto applicationRestrictions>keyCredentials define um restrictionType como trustedCertificateAuthority, referenciando o ID criado. Esta política aplica-se a todas as aplicações no inquilino, rejeitando quaisquer certificados não conformes.

Permissão delegada com menos privilégios: Policy.Read.ApplicationConfiguration função de Microsoft Entra com privilégios mínimos:Security Administrator

PATCH https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy

{
  "id": "d015220e-9789-4e8e-bbcc-270fe419229d",
  "description": "Lorem ipsum",
  "displayName": "Credential management policy",
  "isEnabled": true,
  "applicationRestrictions": {
    "passwordCredentials": [
      {
        "restrictionType": "passwordLifetime",
        "maxLifetime": "P14D",
        "restrictForAppsCreatedAfterDateTime": "2020-01-01T07:00:00Z"
      }
    ],
    "keyCredentials": [
      {
        "restrictionType": "certificateLifetime",
        "restrictForAppsCreatedAfterDateTime": "2020-01-01T10:37:00Z",
        "maxLifetime": "P90D"
      },
      {
        "restrictionType": "trustedCertificateAuthority",
        "certificateBasedApplicationConfigurationIds": [
          "eec5ba11-2fc0-4113-83a2-ed986ed13743"
        ],
        "restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z"
      }
    ]
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new TenantAppManagementPolicy
{
	Id = "d015220e-9789-4e8e-bbcc-270fe419229d",
	Description = "Lorem ipsum",
	DisplayName = "Credential management policy",
	IsEnabled = true,
	ApplicationRestrictions = new AppManagementApplicationConfiguration
	{
		PasswordCredentials = new List<PasswordCredentialConfiguration>
		{
			new PasswordCredentialConfiguration
			{
				RestrictionType = AppCredentialRestrictionType.PasswordLifetime,
				MaxLifetime = TimeSpan.Parse("P14D"),
				RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2020-01-01T07:00:00Z"),
			},
		},
		KeyCredentials = new List<KeyCredentialConfiguration>
		{
			new KeyCredentialConfiguration
			{
				RestrictionType = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
				RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2020-01-01T10:37:00Z"),
				MaxLifetime = TimeSpan.Parse("P90D"),
			},
			new KeyCredentialConfiguration
			{
				RestrictionType = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
				RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2019-10-19T10:37:00Z"),
				AdditionalData = new Dictionary<string, object>
				{
					{
						"certificateBasedApplicationConfigurationIds" , new List<string>
						{
							"eec5ba11-2fc0-4113-83a2-ed986ed13743",
						}
					},
				},
			},
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.DefaultAppManagementPolicy.PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewTenantAppManagementPolicy()
id := "d015220e-9789-4e8e-bbcc-270fe419229d"
requestBody.SetId(&id) 
description := "Lorem ipsum"
requestBody.SetDescription(&description) 
displayName := "Credential management policy"
requestBody.SetDisplayName(&displayName) 
isEnabled := true
requestBody.SetIsEnabled(&isEnabled) 
applicationRestrictions := graphmodels.NewAppManagementApplicationConfiguration()


passwordCredentialConfiguration := graphmodels.NewPasswordCredentialConfiguration()
restrictionType := graphmodels.PASSWORDLIFETIME_APPCREDENTIALRESTRICTIONTYPE 
passwordCredentialConfiguration.SetRestrictionType(&restrictionType) 
maxLifetime , err := abstractions.ParseISODuration("P14D")
passwordCredentialConfiguration.SetMaxLifetime(&maxLifetime) 
restrictForAppsCreatedAfterDateTime , err := time.Parse(time.RFC3339, "2020-01-01T07:00:00Z")
passwordCredentialConfiguration.SetRestrictForAppsCreatedAfterDateTime(&restrictForAppsCreatedAfterDateTime) 

passwordCredentials := []graphmodels.PasswordCredentialConfigurationable {
	passwordCredentialConfiguration,
}
applicationRestrictions.SetPasswordCredentials(passwordCredentials)


keyCredentialConfiguration := graphmodels.NewKeyCredentialConfiguration()
restrictionType := graphmodels.CERTIFICATELIFETIME_APPKEYCREDENTIALRESTRICTIONTYPE 
keyCredentialConfiguration.SetRestrictionType(&restrictionType) 
restrictForAppsCreatedAfterDateTime , err := time.Parse(time.RFC3339, "2020-01-01T10:37:00Z")
keyCredentialConfiguration.SetRestrictForAppsCreatedAfterDateTime(&restrictForAppsCreatedAfterDateTime) 
maxLifetime , err := abstractions.ParseISODuration("P90D")
keyCredentialConfiguration.SetMaxLifetime(&maxLifetime) 
keyCredentialConfiguration1 := graphmodels.NewKeyCredentialConfiguration()
restrictionType := graphmodels.TRUSTEDCERTIFICATEAUTHORITY_APPKEYCREDENTIALRESTRICTIONTYPE 
keyCredentialConfiguration1.SetRestrictionType(&restrictionType) 
restrictForAppsCreatedAfterDateTime , err := time.Parse(time.RFC3339, "2019-10-19T10:37:00Z")
keyCredentialConfiguration1.SetRestrictForAppsCreatedAfterDateTime(&restrictForAppsCreatedAfterDateTime) 
additionalData := map[string]interface{}{
	certificateBasedApplicationConfigurationIds := []string {
		"eec5ba11-2fc0-4113-83a2-ed986ed13743",
	}
}
keyCredentialConfiguration1.SetAdditionalData(additionalData)

keyCredentials := []graphmodels.KeyCredentialConfigurationable {
	keyCredentialConfiguration,
	keyCredentialConfiguration1,
}
applicationRestrictions.SetKeyCredentials(keyCredentials)
requestBody.SetApplicationRestrictions(applicationRestrictions)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
defaultAppManagementPolicy, err := graphClient.Policies().DefaultAppManagementPolicy().Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

TenantAppManagementPolicy tenantAppManagementPolicy = new TenantAppManagementPolicy();
tenantAppManagementPolicy.setId("d015220e-9789-4e8e-bbcc-270fe419229d");
tenantAppManagementPolicy.setDescription("Lorem ipsum");
tenantAppManagementPolicy.setDisplayName("Credential management policy");
tenantAppManagementPolicy.setIsEnabled(true);
AppManagementApplicationConfiguration applicationRestrictions = new AppManagementApplicationConfiguration();
LinkedList<PasswordCredentialConfiguration> passwordCredentials = new LinkedList<PasswordCredentialConfiguration>();
PasswordCredentialConfiguration passwordCredentialConfiguration = new PasswordCredentialConfiguration();
passwordCredentialConfiguration.setRestrictionType(AppCredentialRestrictionType.PasswordLifetime);
PeriodAndDuration maxLifetime = PeriodAndDuration.ofDuration(Duration.parse("P14D"));
passwordCredentialConfiguration.setMaxLifetime(maxLifetime);
OffsetDateTime restrictForAppsCreatedAfterDateTime = OffsetDateTime.parse("2020-01-01T07:00:00Z");
passwordCredentialConfiguration.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime);
passwordCredentials.add(passwordCredentialConfiguration);
applicationRestrictions.setPasswordCredentials(passwordCredentials);
LinkedList<KeyCredentialConfiguration> keyCredentials = new LinkedList<KeyCredentialConfiguration>();
KeyCredentialConfiguration keyCredentialConfiguration = new KeyCredentialConfiguration();
keyCredentialConfiguration.setRestrictionType(AppKeyCredentialRestrictionType.AsymmetricKeyLifetime);
OffsetDateTime restrictForAppsCreatedAfterDateTime1 = OffsetDateTime.parse("2020-01-01T10:37:00Z");
keyCredentialConfiguration.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime1);
PeriodAndDuration maxLifetime1 = PeriodAndDuration.ofDuration(Duration.parse("P90D"));
keyCredentialConfiguration.setMaxLifetime(maxLifetime1);
keyCredentials.add(keyCredentialConfiguration);
KeyCredentialConfiguration keyCredentialConfiguration1 = new KeyCredentialConfiguration();
keyCredentialConfiguration1.setRestrictionType(AppKeyCredentialRestrictionType.AsymmetricKeyLifetime);
OffsetDateTime restrictForAppsCreatedAfterDateTime2 = OffsetDateTime.parse("2019-10-19T10:37:00Z");
keyCredentialConfiguration1.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime2);
HashMap<String, Object> additionalData = new HashMap<String, Object>();
LinkedList<String> certificateBasedApplicationConfigurationIds = new LinkedList<String>();
certificateBasedApplicationConfigurationIds.add("eec5ba11-2fc0-4113-83a2-ed986ed13743");
additionalData.put("certificateBasedApplicationConfigurationIds", certificateBasedApplicationConfigurationIds);
keyCredentialConfiguration1.setAdditionalData(additionalData);
keyCredentials.add(keyCredentialConfiguration1);
applicationRestrictions.setKeyCredentials(keyCredentials);
tenantAppManagementPolicy.setApplicationRestrictions(applicationRestrictions);
TenantAppManagementPolicy result = graphClient.policies().defaultAppManagementPolicy().patch(tenantAppManagementPolicy);


const options = {
	authProvider,
};

const client = Client.init(options);

const tenantAppManagementPolicy = {
  id: 'd015220e-9789-4e8e-bbcc-270fe419229d',
  description: 'Lorem ipsum',
  displayName: 'Credential management policy',
  isEnabled: true,
  applicationRestrictions: {
    passwordCredentials: [
      {
        restrictionType: 'passwordLifetime',
        maxLifetime: 'P14D',
        restrictForAppsCreatedAfterDateTime: '2020-01-01T07:00:00Z'
      }
    ],
    keyCredentials: [
      {
        restrictionType: 'certificateLifetime',
        restrictForAppsCreatedAfterDateTime: '2020-01-01T10:37:00Z',
        maxLifetime: 'P90D'
      },
      {
        restrictionType: 'trustedCertificateAuthority',
        certificateBasedApplicationConfigurationIds: [
          'eec5ba11-2fc0-4113-83a2-ed986ed13743'
        ],
        restrictForAppsCreatedAfterDateTime: '2019-10-19T10:37:00Z'
      }
    ]
  }
};

await client.api('/policies/defaultAppManagementPolicy')
	.update(tenantAppManagementPolicy);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\TenantAppManagementPolicy;
use Microsoft\Graph\Generated\Models\AppManagementApplicationConfiguration;
use Microsoft\Graph\Generated\Models\PasswordCredentialConfiguration;
use Microsoft\Graph\Generated\Models\AppCredentialRestrictionType;
use Microsoft\Graph\Generated\Models\KeyCredentialConfiguration;
use Microsoft\Graph\Generated\Models\AppKeyCredentialRestrictionType;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new TenantAppManagementPolicy();
$requestBody->setId('d015220e-9789-4e8e-bbcc-270fe419229d');
$requestBody->setDescription('Lorem ipsum');
$requestBody->setDisplayName('Credential management policy');
$requestBody->setIsEnabled(true);
$applicationRestrictions = new AppManagementApplicationConfiguration();
$passwordCredentialsPasswordCredentialConfiguration1 = new PasswordCredentialConfiguration();
$passwordCredentialsPasswordCredentialConfiguration1->setRestrictionType(new AppCredentialRestrictionType('passwordLifetime'));
$passwordCredentialsPasswordCredentialConfiguration1->setMaxLifetime(new \DateInterval('P14D'));
$passwordCredentialsPasswordCredentialConfiguration1->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2020-01-01T07:00:00Z'));
$passwordCredentialsArray []= $passwordCredentialsPasswordCredentialConfiguration1;
$applicationRestrictions->setPasswordCredentials($passwordCredentialsArray);

$keyCredentialsKeyCredentialConfiguration1 = new KeyCredentialConfiguration();
$keyCredentialsKeyCredentialConfiguration1->setRestrictionType(new AppKeyCredentialRestrictionType('certificateLifetime'));
$keyCredentialsKeyCredentialConfiguration1->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2020-01-01T10:37:00Z'));
$keyCredentialsKeyCredentialConfiguration1->setMaxLifetime(new \DateInterval('P90D'));
$keyCredentialsArray []= $keyCredentialsKeyCredentialConfiguration1;
$keyCredentialsKeyCredentialConfiguration2 = new KeyCredentialConfiguration();
$keyCredentialsKeyCredentialConfiguration2->setRestrictionType(new AppKeyCredentialRestrictionType('trustedCertificateAuthority'));
$keyCredentialsKeyCredentialConfiguration2->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2019-10-19T10:37:00Z'));
$additionalData = [
'certificateBasedApplicationConfigurationIds' => [
'eec5ba11-2fc0-4113-83a2-ed986ed13743', ],
];
$keyCredentialsKeyCredentialConfiguration2->setAdditionalData($additionalData);
$keyCredentialsArray []= $keyCredentialsKeyCredentialConfiguration2;
$applicationRestrictions->setKeyCredentials($keyCredentialsArray);

$requestBody->setApplicationRestrictions($applicationRestrictions);

$result = $graphServiceClient->policies()->defaultAppManagementPolicy()->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	id = "d015220e-9789-4e8e-bbcc-270fe419229d"
	description = "Lorem ipsum"
	displayName = "Credential management policy"
	isEnabled = $true
	applicationRestrictions = @{
		passwordCredentials = @(
			@{
				restrictionType = "passwordLifetime"
				maxLifetime = "P14D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2020-01-01T07:00:00Z")
			}
		)
		keyCredentials = @(
			@{
				restrictionType = "certificateLifetime"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2020-01-01T10:37:00Z")
				maxLifetime = "P90D"
			}
			@{
				restrictionType = "trustedCertificateAuthority"
				certificateBasedApplicationConfigurationIds = @(
				"eec5ba11-2fc0-4113-83a2-ed986ed13743"
			)
			restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2019-10-19T10:37:00Z")
		}
	)
}
}

Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.tenant_app_management_policy import TenantAppManagementPolicy
from msgraph.generated.models.app_management_application_configuration import AppManagementApplicationConfiguration
from msgraph.generated.models.password_credential_configuration import PasswordCredentialConfiguration
from msgraph.generated.models.app_credential_restriction_type import AppCredentialRestrictionType
from msgraph.generated.models.key_credential_configuration import KeyCredentialConfiguration
from msgraph.generated.models.app_key_credential_restriction_type import AppKeyCredentialRestrictionType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = TenantAppManagementPolicy(
	id = "d015220e-9789-4e8e-bbcc-270fe419229d",
	description = "Lorem ipsum",
	display_name = "Credential management policy",
	is_enabled = True,
	application_restrictions = AppManagementApplicationConfiguration(
		password_credentials = [
			PasswordCredentialConfiguration(
				restriction_type = AppCredentialRestrictionType.PasswordLifetime,
				max_lifetime = "P14D",
				restrict_for_apps_created_after_date_time = "2020-01-01T07:00:00Z",
			),
		],
		key_credentials = [
			KeyCredentialConfiguration(
				restriction_type = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
				restrict_for_apps_created_after_date_time = "2020-01-01T10:37:00Z",
				max_lifetime = "P90D",
			),
			KeyCredentialConfiguration(
				restriction_type = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
				restrict_for_apps_created_after_date_time = "2019-10-19T10:37:00Z",
				additional_data = {
						"certificate_based_application_configuration_ids" : [
							"eec5ba11-2fc0-4113-83a2-ed986ed13743",
						],
				}
			),
		],
	),
)

result = await graph_client.policies.default_app_management_policy.patch(request_body)

Comentários

Esta página foi útil?

Last updated on 2025-07-04

Compartilhar via

Gerir aplicações Microsoft Entra com o Microsoft Graph

Pré-requisitos

Registar uma aplicação no Microsoft Entra ID

Criar um principal de serviço para uma aplicação

Endereçar uma aplicação ou um objeto de principal de serviço

Configurar outras propriedades básicas para a sua aplicação

Restringir o início de sessão apenas aos utilizadores atribuídos a todas as funções na aplicação.

Atribuir permissões a uma aplicação

Criar funções de aplicação

Criar funções de aplicação num objeto de aplicação

Gerir proprietários

Identificar principais de serviço sem proprietário ou com apenas um proprietário

Atribuir um proprietário a uma aplicação

Atribuir um proprietário a um principal de serviço

Bloquear propriedades confidenciais para principais de serviço

Para bloquear todas as propriedades confidenciais de um principal de serviço

Para bloquear propriedades confidenciais específicas de um principal de serviço

Configurar autoridades de certificação fidedignas para aplicações

Passo 1: Criar uma cadeia de certificados de fidedignidade

Passo 2: atribuir a cadeia de certificados de confiança a uma política de gestão de aplicações

Conteúdo relacionado

Comentários

Recursos adicionais