Create AD application with VSTS task


Question

I am trying to create a VSTS task, which should create an AD application. Taking the DeployAzureResourceGroup task as a sample, I have created the following script:

[CmdletBinding()]
param()

Trace-VstsEnteringInvocation $MyInvocation

# Task inputs declared in Task.json
$connectedServiceNameSelector = Get-VstsInput -Name "connectedServiceNameSelector" -Require
$connectedServiceName = Get-VstsInput -Name "connectedServiceName"
$connectedServiceNameClassic = Get-VstsInput -Name "connectedServiceNameClassic"
$domains = (Get-VstsInput -Name "domains").Split(";")
$appName = Get-VstsInput -Name "appName"

if($connectedServiceNameSelector -eq "ConnectedServiceNameClassic")
{
    $connectedServiceName = $connectedServiceNameClassic
}

Import-Module $PSScriptRoot\ps_modules\VstsAzureHelpers_
Initialize-Azure

# Import the loc strings.
Import-VstsLocStrings -LiteralPath $PSScriptRoot/Task.json

# Import all the dlls and modules which have cmdlets we need
Import-Module "$PSScriptRoot\DeploymentUtilities\Microsoft.TeamFoundation.DistributedTask.Task.Deployment.Internal.psm1"
Import-Module "$PSScriptRoot\DeploymentUtilities\Microsoft.TeamFoundation.DistributedTask.Task.Deployment.dll"

# Load all dependent files for execution
. "$PSScriptRoot\Utility.ps1"

try
{
    Validate-AzurePowerShellVersion
    $azureUtility = Get-AzureUtility "$connectedServiceName"
    Write-Verbose "Loading $azureUtility"
    . "$PSScriptRoot\$azureUtility"

    # Build the application URI from the task inputs instead of hard-coded placeholders
    $appUri = "https://$($domains[0])"
    Write-Output "Creating a new Application in AAD (App URI - $appUri)"
    $azureAdApplication = New-AzureRmADApplication -DisplayName $appName -IdentifierUris $appUri -HomePage $appUri
    $appId = $azureAdApplication.ApplicationId
    Write-Output "Azure AAD Application creation completed successfully (Application Id: $appId)"

    Write-Verbose "Completing Azure AD application task"
}
catch
{
    Write-TaskSpecificTelemetry "UNKNOWNDEP_Error"
    throw
}
finally
{
    Trace-VstsLeavingInvocation $MyInvocation
}

When I use a service principal as the Service Endpoint user, I get the error "Resource me not found".

When I use my custom AD account, I get the error: "Run Login-AzureRmAccount to login."

What am I doing wrong? How can I get this script working?

Answer

If you don't need PowerShell scripting, install the Azure AD Application Management extension from https://marketplace.visualstudio.com/items?itemName=RalphJansen.Azure-AD-Application-Management. You can then add tasks for managing AD applications from the pipeline GUI.

If you do need PowerShell scripting, then things get tricky. Use the PowerShell code from https://stackoverflow.com/a/51848069/1548275 as a base. The difference is that if you're not running your code from an extension, you don't have Get-VstsInput or Get-VstsEndpoint available to execute.

Also, you don't have the AzureAD module cmdlets to run. You need to get the NuGet package, unzip it into your own repo and have it as part of your scripts, so that a pipeline task can Import-Module it later.

Finally, you need an auth token for the Graph API. As the extension code shows, you will need three variables:

  • $tenantId = (Get-AzureRmSubscription).TenantId
  • $clientId = (Get-AzureRmADServicePrincipal -DisplayName "Your Project Service Connection name from Azure AD App Registrations").ApplicationId.Guid
  • $clientSecret = 'hard-coded, reset SPN password'

As you can see, an extension has access to all three, but a regular script (to my knowledge) doesn't.

Resetting the SPN password is covered on the net. Briefly, it is something like this:

# New-AzureRmADSpCredential needs the service principal's object id (.Id), not its application id
$spObjectId = (Get-AzureRmADServicePrincipal -DisplayName "Your Project Service Connection name from Azure AD App Registrations").Id.Guid
$password = ConvertTo-SecureString -AsPlainText -Force "oh, this is very secret!"
New-AzureRmADSpCredential -ObjectId $spObjectId -Password $password

Also: update the plaintext password in the Azure DevOps project settings, under Service Connections, so that the pipeline knows about the update.
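Putting the three pieces of the answer together (tenant id, the service connection's client id, and the reset SPN secret, then a Graph token, then the application create call), the following PowerShell script is an added example written for this page; it is not code from the question, the answer, or the linked extension. It assumes the pipeline step passes the three values in as parameters, with the secret coming from a pipeline secret variable rather than being hard-coded as the answer's listing shows, and it assumes the service principal behind the service connection has been granted the Application.ReadWrite.All (or Application.ReadWrite.OwnedBy) application permission with admin consent. It targets Microsoft Graph v1.0 instead of the Azure AD Graph endpoint that New-AzureRmADApplication used, and the function, parameter and variable names are this example's own.

```powershell
# Added example (not from the original question or answer): create an Azure AD application
# from a pipeline script with a client-credentials token for Microsoft Graph.
# Assumption: the service principal has Application.ReadWrite.All or
# Application.ReadWrite.OwnedBy (application permission) with admin consent.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    # Pass this in from a pipeline secret variable, e.g. -ClientSecret "$(SpnSecret)";
    # never commit it to the repo or put it in Task.json.
    [Parameter(Mandatory)] [string] $ClientSecret,
    [Parameter(Mandatory)] [string] $AppName,
    [Parameter(Mandatory)] [string] $HomePage
)

$ErrorActionPreference = 'Stop'

function Get-GraphToken {
    param([string] $TenantId, [string] $ClientId, [string] $ClientSecret)
    # OAuth 2.0 client-credentials grant against the v2.0 token endpoint.
    # There is no signed-in user here, which is why "me"-style calls fail for an SPN.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
    return $resp.access_token
}

function New-GraphApplication {
    param([string] $Token, [string] $DisplayName, [string] $HomePage)
    $headers = @{ Authorization = "Bearer $Token" }

    # Idempotency: reruns of the pipeline must not create duplicate registrations.
    # Escape single quotes so the display name cannot break out of the OData filter.
    $safeName = $DisplayName.Replace("'", "''")
    $filter   = [uri]::EscapeDataString("displayName eq '$safeName'")
    $existing = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/applications?`$filter=$filter"
    if ($existing.value.Count -gt 0) {
        Write-Host "Application '$DisplayName' already exists; reusing it"
        return $existing.value[0]
    }

    $payload = @{
        displayName    = $DisplayName
        signInAudience = 'AzureADMyOrg'
        web            = @{ homePageUrl = $HomePage; redirectUris = @($HomePage) }
    } | ConvertTo-Json -Depth 5

    return Invoke-RestMethod -Method Post -Headers $headers `
        -Uri 'https://graph.microsoft.com/v1.0/applications' `
        -Body $payload -ContentType 'application/json'
}

$token = Get-GraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$app   = New-GraphApplication -Token $token -DisplayName $AppName -HomePage $HomePage

Write-Host "Application '$($app.displayName)' has appId $($app.appId) (object id $($app.id))"
# Hand the appId to later steps as a pipeline output variable instead of printing the token.
Write-Host "##vso[task.setvariable variable=createdAppId;isOutput=true]$($app.appId)"
```

Invoke from a PowerShell task as `.\New-AdApp.ps1 -TenantId $(TenantId) -ClientId $(ClientId) -ClientSecret $(SpnSecret) -AppName myapp -HomePage https://app.example.com`, with `SpnSecret` defined as a secret variable so it is masked in logs. The token is kept in a local variable and never written out; the only values that reach the log are the display name, appId and object id.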
