Issue while creating AD Group and adding service principal


Problem description

I am trying the steps listed in the link below to Connect to Azure SQL Database by obtaining a token from Azure Active Directory (AAD)

Azure SQL authentication with a Managed Service Identity

I created a web application, enabled MSI on it and obtained the service principal for it.
However, while creating an AAD group, I get the below error:

Azure:/
PS Azure:\\> New-AzureRmADGroup -DisplayName 'MyDevAppUsers' -MailNickname 'MyDevAppUsers'
New-AzureRmADGroup : Insufficient privileges to complete the operation.
At line:1 char:1
+ New-AzureRmADGroup -DisplayName 'MyDevAppUsers' -MailNickname 'SSPDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [New-AzADGroup], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADGroupCommand


So, I tried creating the group manually from the portal and tried to add the service principal to the group, but I get the below error:

Add-AzureADGroupMember : Error occurred while executing AddGroupMember 
Code: Request_BadRequest
Message: Only Users can be members of a Unified Group. paramName: Members, paramValue: , objectType: 
Microsoft.Online.DirectoryServices.Group
RequestId: b11e8d64-2387-4132-9825-7958979a17ce
DateTimeStamp: Sat, 29 Sep 2018 07:36:31 GMT
Details: PropertyName  - members, PropertyErrorCode  - InvalidValue
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:3 char:1
+ Add-AzureADGroupMember -ObjectId $($AADGroup.ObjectId) -RefObjectId $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember
 

Please help with the issue.

Suggested answer

Here are a few things you can try:

1. Add "Read Directory Data" under the Permissions section in your AAD directory.

2. Ensure that you are using an account that has Global Admin permissions and that you are running the commands as an administrator.

3. Remove Azure Active Directory and Graph API from the Required Access page and re-add them with the appropriate app permissions.

See also this similar thread on GitHub.
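The second error quoted in the question ("Only Users can be members of a Unified Group") is the directory rejecting a service principal as a member of a Microsoft 365 (Unified) group; a security group does accept service principals. The following is an added example, not code from the original question or answer, showing the full sequence with the AzureAD module: create (or reuse) a security group, resolve the managed identity's service principal, add it idempotently, and verify the membership. It assumes the AzureAD module is installed, that Connect-AzureAD has already been run by an account permitted to create groups and read service principals, and that the group and application names are placeholders to be replaced.

```powershell
# Added example (not from the original question or answer). Assumes the AzureAD
# module is loaded and Connect-AzureAD has been run by an account that may create
# groups and read service principals. $groupName and $appName are placeholders.

$groupName = 'MyDevAppUsers'   # placeholder: name of the security group
$appName   = 'my-web-app'      # placeholder: web app whose managed identity should join the group

# Create a security group, not a Microsoft 365 ("Unified") group. The directory
# only allows user objects in a Unified group, which is the error the question
# shows; a security group (-SecurityEnabled $true, -MailEnabled $false) accepts
# service principals as members.
$group = Get-AzureADGroup -SearchString $groupName |
         Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -MailNickname $groupName `
                              -MailEnabled $false -SecurityEnabled $true
}

# Resolve the service principal that enabling MSI created for the web app.
$sp = Get-AzureADServicePrincipal -SearchString $appName |
      Where-Object { $_.DisplayName -eq $appName }
if (-not $sp) {
    throw "No service principal named '$appName' was found; check the app name and that MSI is enabled."
}

# Add the service principal only if it is not already a member, so the script
# can be re-run safely.
$alreadyMember = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
                 Where-Object { $_.ObjectId -eq $sp.ObjectId }
if (-not $alreadyMember) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId
}

# Verify: the service principal should now appear with ObjectType ServicePrincipal.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object DisplayName, ObjectType, ObjectId
```

If New-AzureADGroup still fails with "Insufficient privileges", the running account lacks the directory permissions the answer above describes; the group creation and the membership change are separate permission checks, so fixing one does not imply the other will succeed.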

