琐碎配置流程总结

使用 SharePoint Online 时，您可以在 Azure AD 中定义应用程序，这些应用程序可以被授予对 SharePoint 以及 Office 365 中所有其他服务的权限。如果您正在使用 SharePoint Online，则此模型是首选模型

设置 AzureAD app的 app-only 权限

在 Azure AD 中执行仅应用程序时，通常使用证书来请求访问：任何拥有证书及其私钥的人都可以使用该应用程序以及授予该应用程序的权限。

现在已准备好配置 Azure AD 应用程序以使用仅应用访问令牌调用 SharePoint Online。为此，您必须创建和配置一个自签名 X.509 证书，该证书将用于在请求仅应用访问令牌时针对 Azure AD 对您的应用程序进行身份验证。首先，您必须创建自签名 X.509 证书，该证书可以使用 Windows SDK 中提供的 makecert.exe 工具或通过不依赖于 makecert 的 PowerShell 脚本创建。使用 PowerShell 脚本是首选方法

请注意使用管理员权限去运行

.\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2017-10-01 -EndDate 2022-10-01

Create-SelfSignedCertificate.ps1 脚本如下

PowerShellCopy

#Requires -RunAsAdministrator
<#
.SYNOPSIS
Creates a Self Signed Certificate for use in server to server authentication
.DESCRIPTION
.EXAMPLE
PS C:> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21
This will create a new self signed certificate with the common name "CN=MyCert". During creation you will be asked to provide a password to protect the private key.
.EXAMPLE
PS C:> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21 -Password (ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)
This will create a new self signed certificate with the common name "CN=MyCert". The password as specified in the Password parameter will be used to protect the private key
.EXAMPLE
PS C:> .\Create-SelfSignedCertificate.ps1 -CommonName "MyCert" -StartDate 2015-11-21 -EndDate 2017-11-21 -Force
This will create a new self signed certificate with the common name "CN=MyCert". During creation you will be asked to provide a password to protect the private key. If there is already a certificate with the common name you specified, it will be removed first.
#>
Param(
​
   [Parameter(Mandatory=$true)]
   [string]$CommonName,
​
   [Parameter(Mandatory=$true)]
   [DateTime]$StartDate,
​
   [Parameter(Mandatory=$true)]
   [DateTime]$EndDate,
​
   [Parameter(Mandatory=$false, HelpMessage="Will overwrite existing certificates")]
   [Switch]$Force,
​
   [Parameter(Mandatory=$false)]
   [SecureString]$Password
)
​
# DO NOT MODIFY BELOW
​
function CreateSelfSignedCertificate(){
​
    #Remove and existing certificates with the same common name from personal and root stores
    #Need to be very wary of this as could break something
    if($CommonName.ToLower().StartsWith("cn="))
    {
        # Remove CN from common name
        $CommonName = $CommonName.Substring(3)
    }
    $certs = Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object{$_.Subject -eq "CN=$CommonName"}
    if($certs -ne $null -and $certs.Length -gt 0)
    {
        if($Force)
        {
​
            foreach($c in $certs)
            {
                remove-item $c.PSPath
            }
        } else {
            Write-Host -ForegroundColor Red "One or more certificates with the same common name (CN=$CommonName) are already located in the local certificate store. Use -Force to remove them";
            return $false
        }
    }
​
    $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=$CommonName", 0)
​
    $key = new-object -com "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    $key.KeySpec = 1
    $key.Length = 2048
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.MachineContext = 1
    $key.ExportPolicy = 1 # This is required to allow the private key to be exported
    $key.Create()
​
    $serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") # Server Authentication
    $ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
    $ekuoids.add($serverauthoid)
    $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
    $ekuext.InitializeEncode($ekuoids)
​
    $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
    $cert.InitializeFromPrivateKey(2, $key, "")
    $cert.Subject = $name
    $cert.Issuer = $cert.Subject
    $cert.NotBefore = $StartDate
    $cert.NotAfter = $EndDate
    $cert.X509Extensions.Add($ekuext)
    $cert.Encode()
​
    $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
    $enrollment.InitializeFromRequest($cert)
    $certdata = $enrollment.CreateRequest(0)
    $enrollment.InstallResponse(2, $certdata, 0, "")
    return $true
}
​
function ExportPFXFile()
{
    if($CommonName.ToLower().StartsWith("cn="))
    {
        # Remove CN from common name
        $CommonName = $CommonName.Substring(3)
    }
    if($Password -eq $null)
    {
        $Password = Read-Host -Prompt "Enter Password to protect private key" -AsSecureString
    }
    $cert = Get-ChildItem -Path Cert:\LocalMachine\my | where-object{$_.Subject -eq "CN=$CommonName"}
​
    Export-PfxCertificate -Cert $cert -Password $Password -FilePath "$($CommonName).pfx"
    Export-Certificate -Cert $cert -Type CERT -FilePath "$CommonName.cer"
}
​
function RemoveCertsFromStore()
{
    # Once the certificates have been been exported we can safely remove them from the store
    if($CommonName.ToLower().StartsWith("cn="))
    {
        # Remove CN from common name
        $CommonName = $CommonName.Substring(3)
    }
    $certs = Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object{$_.Subject -eq "CN=$CommonName"}
    foreach($c in $certs)
    {
        remove-item $c.PSPath
    }
}
​
if(CreateSelfSignedCertificate)
{
    ExportPFXFile
    RemoveCertsFromStore
}

执行完会有两个文件 系统会要求您提供密码来加密您的私钥，并且 .PFX 文件和 .CER 文件都将导出到当前文件夹。

去Azure APP 注册权限

打开 Office 365 管理中心 admin.microsoft.com

“Azure Active Directory”

App registrations 注册一个新的,然后选择app permission 选择全部站点的权限 这应该需要管理人员的审批

添加权限建议

单击添加权限并添加您要授予此应用程序的权限。下面的列表是一个建议，您可以授予较少的权限，但这可能会导致某些调用因访问被拒绝错误而失败。

• SharePoint -> 委派权限 -> AllSites -> AllSites.FullControl
• SharePoint -> 委派权限 -> 站点 -> Sites.Search.All
• SharePoint -> 委派权限 -> TermStore -> TermStore.ReadWrite.All
• SharePoint -> 委派权限 -> 用户 -> User.ReadWrite.All
• Microsoft Graph -> 委派权限 -> 用户 -> User.Read
• Microsoft Graph -> 委派权限 -> 目录 -> Directory.ReadWrite.All
• Microsoft Graph -> 委派权限 -> 目录 -> Directory.AccessAsUser.All
• Microsoft Graph -> 委派权限 -> 组 -> Group.ReadWrite.All

然后找到 Certificates & secrets 上传刚刚生成的 .cer文件

Azure上的应用配置

可以使用命令来快速的配置权限

$app = Register-PnPAzureADApp -ApplicationName "PnP.Framework.Consumer" -Tenant contoso.onmicrosoft.com -OutPath c:\temp -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force)  -GraphApplicationPermissions "Group.ReadWrite.All", "User.ReadWrite.All" -SharePointApplicationPermissions "Sites.FullControl.All", "TermStore.ReadWrite.All", "User.ReadWrite.All"  -Store CurrentUser -DeviceLogin

• SharePoint -> Application Permissions -> Sites -> Sites.FullControl.All
• SharePoint -> Application Permissions -> TermStore -> TermStore.ReadWrite.All
• SharePoint -> Application Permissions -> User -> User.ReadWrite.All
• Microsoft Graph -> Application Permissions -> User -> User.ReadWrite.All
• Microsoft Graph -> Application Permissions -> Group -> Group.ReadWrite.All

请注意 PnP Sites Core 已存档，不再维护，但 PnP Framework 包含几乎所有 PnP Sites Core 功能并将积极维护

因此强烈建议将您的应用程序从 PnP Sites Core 切换到 PnP Framework。

我再也看不到 weblogin 选项了,没错，Web 登录依赖于 .NET API，而这在 .NET Standard 2.0 中不可用，因此我们确实从 PnP 框架中删除了此功能。但是，如果您需要此选项，您可以从 PnP PowerShell 复制实现，并将其与 PnP 框架的身份验证管理器类结合使用在您的应用程序中。

参考链接:

1.PNP框架github.com/pnp/pnpfram…

2.Azure AD 注册流程 docs.microsoft.com/en-us/share…