Azure Runbook无法修改Azure AD应用程序 [英] Azure Runbook can't modify Azure AD application
问题描述
我正在尝试在Azure自动化运行手册中执行此操作
I'm trying to execute this in an Azure Automation runbook
$app = Get-AzureADApplication -ObjectId $ApplicationId
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $TenantName + " Users"
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = "Users of the tenant"
$appRole.Value = $TenantName
$app.AppRoles.Add($appRole)
Set-AzureADApplication -ObjectId $ApplicationId -AppRoles $app.AppRoles
读取应用程序工作正常,当我打印应用程序变量时,我可以看到它是正确的应用程序.从我自己的机器上执行脚本也不会出错.但是通过运行手册执行它会给我:
Reading the application works fine, when I print the app variable I can see it's the correct application. Executing the script from my own machine also gives no errors. Yet executing it via the runbook gives me:
Set-AzureADApplication : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
现在,我已经向Azure AD中的自动化应用程序注册授予了Active Directory API的所有权利.我还单击了授予权限".我知道这是正确的应用程序注册,因为当我对开始使用的"Graph Api"赋予正确的权限时,该脚本还会邀请外部用户.
By now I have given the automation application registration in Azure AD all rights of the Active Directory API. I have also clicked "Grant Permissions". I know it's the correct app registration because the script also invites an external user, when I gave the correct rights on the "Graph Api" that started to work.
推荐答案
我在运行手册中尝试了您的确切脚本,并使其工作,我不得不在PowerShell之前添加代码到作为服务主体登录".脚本.您可以在此处查看更多详细信息:
I tried out your exact script in a run book and to make it work, I had to add code to "Login as the service principal" just before your PowerShell script. You can see more details here: Using Azure Run As Account in Azure Automation
在权限方面,我只授予了1个应用程序权限(即读取和写入所有应用程序"),然后单击授予权限",因为它确实需要管理员的同意.这些步骤是由我的Azure AD中具有全局管理员"目录角色的用户完成的.
On the permissions front, I only gave 1 application permission (i.e. "Read and write all applications") and then clicked "Grant Permissions" as it did need Admin consent. Steps were done by a user with "Global administrator" directory role in my Azure AD.
这是我最后可用的PowerShell脚本(从Edit Runbook复制):
Here is my final working PowerShell script (copied from edit runbook):
# Get Azure Run As Connection Name
$connectionName = "AzureRunAsConnection"
# Get the Service Principal connection details for the Connection name
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
# Logging in to Azure AD with Service Principal
"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
$ApplicationId = "redacted-xxxx-xxxx-xxxx-xxxxxxxe3"
$TenantName = "RohitTenant"
$app = Get-AzureADApplication -ObjectId $ApplicationId
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $TenantName + " Users"
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = "Users of the tenant"
$appRole.Value = $TenantName
$app.AppRoles.Add($appRole)
Set-AzureADApplication -ObjectId $ApplicationId -AppRoles $app.AppRoles
以下是我执行的其他一些重要步骤的屏幕截图,您可能已经或可能尚未完成.
Here are screenshots from some other important steps that I followed, which you may or may not have done already.
-
在创建自动化帐户时创建Azure运行方式帐户
Create Azure Run As account while creating automation account
确保您的自动化帐户的帐户设置现在具有运行方式"帐户.
Make sure account settings for your automation account has the run as accounts now.
找到为以帐户身份运行"创建的应用程序注册,并授予其读写所有Azure AD应用程序的权限.
Find the App Registration created for Run as Account and give it permission to read and write all Azure AD applications.
这篇关于Azure Runbook无法修改Azure AD应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
