使用VSTS任务创建AD应用程序 [英] Create AD application with VSTS task
问题描述
我正在尝试创建VSTS任务,该任务应该创建一个AD应用程序. 以DeployAzureResouceGroup为例,我创建了以下脚本:
I am trying to create a VSTS task, which should create an AD application. Taken the DeployAzureResouceGroup as a sample, I have created to following script:
[CmdletBinding()]
param()
Trace-VstsEnteringInvocation $MyInvocation
Import-VstsLocStrings "$PSScriptRoot\Task.json"
$connectedServiceNameSelector = Get-VstsInput -Name "connectedServiceNameSelector" -Require
$connectedServiceName = Get-VstsInput -Name "connectedServiceName"
$connectedServiceNameClassic = Get-VstsInput -Name "connectedServiceNameClassic"
$domains = (Get-VstsInput -Name "domains").Split(";")
$appName = Get-VstsInput -Name "appName"
if($connectedServiceNameSelector -eq "ConnectedServiceNameClassic")
{
$connectedServiceName = $connectedServiceNameClassic
$action = $actionClassic
$resourceGroupName = $cloudService
}
Import-Module $PSScriptRoot\ps_modules\VstsAzureHelpers_
Initialize-Azure
# Import the loc strings.
Import-VstsLocStrings -LiteralPath $PSScriptRoot/Task.json
# Import all the dlls and modules which have cmdlets we need
Import-Module "$PSScriptRoot\DeploymentUtilities\Microsoft.TeamFoundation.DistributedTask.Task.Deployment.Internal.psm1"
Import-Module "$PSScriptRoot\DeploymentUtilities\Microsoft.TeamFoundation.DistributedTask.Task.Deployment.dll"
# Load all dependent files for execution
. "$PSScriptRoot\Utility.ps1"
try
{
Validate-AzurePowerShellVersion
$azureUtility = Get-AzureUtility "$connectedServiceName"
Write-Verbose "Loading $azureUtility"
. "$PSScriptRoot\$azureUtility"
Write-Output "test"
Write-Output "Creating a new Application in AAD (App URI -)" -Verbose
$azureAdApplication = New-AzureRmADApplication -DisplayName "test" -IdentifierUris "https://app.com" -HomePage "https://app.com"
$appId = $azureAdApplication.ApplicationId
Write-Output "Azure AAD Application creation completed successfully (Application Id: $appId)" -Verbose
Write-Verbose "Completing Azure Resource Group Deployment Task" -Verbose
}
catch
{
Write-TaskSpecificTelemetry "UNKNOWNDEP_Error"
throw
}
当我使用Service主体作为Service Endpoint用户时,出现错误找不到我资源".
When I use a Service principal as Service Endpoint user, I got the error Resource me not found.
使用自定义AD帐户时,出现错误:运行Login-AzureRmAccount进行登录.
When I use my custom AD account, I got the error:Run Login-AzureRmAccount to login.
我做错了什么?如何使该脚本正常工作?
What am I doing wrong? How can I get this script working?
推荐答案
如果不需要Powershell脚本,请从
If you don't need Powershell scripting, go install Azure AD Application Management extension from https://marketplace.visualstudio.com/items?itemName=RalphJansen.Azure-AD-Application-Management You can add new tasks from pipeline GUI for managing AD applications.
如果您确实需要Powershell脚本,那么事情就会变得棘手.
从 https://stackoverflow.com/a/51848069/1548275 获取Powershell代码作为基础.区别在于,如果您不是从扩展程序运行代码,则没有Get-VstsInput
或Get-VstsEndpoint
可以执行.
If you do need Powershell scripting, then things get tricky.
Get Powershell code from https://stackoverflow.com/a/51848069/1548275 as a base. The difference is, that if you're not running your code from an extension, you don't have Get-VstsInput
nor Get-VstsEndpoint
available to execute.
此外,您没有要运行的AzureAD模块cmdlet.您需要获取Nuget程序包,将其解压缩到您自己的存储库中,并将其作为脚本的一部分,以便稍后在管道任务中Import-Module
.
Also, you don't have AzureAD module cmdlets to run. You need to get the Nuget-package, unzip it to your own repo and have it as part of your scripts to be later Import-Module
in a pipeline task.
最后,您需要Graph API的身份验证令牌.如扩展代码所示,您将需要3个变量:
Finally, you need an auth token for Graph API. As the extension code shows, you will need 3 variables:
-
$tenantId = (Get-AzureRmSubscription).TenantId
-
$clientId = (Get-AzureRmADServicePrincipal -DisplayName "Your Project Service Connection name from Azure AD App Registrations").ApplicationId.Guid
-
$clientSecret = 'hard-coded, reset SPN password'
$tenantId = (Get-AzureRmSubscription).TenantId
$clientId = (Get-AzureRmADServicePrincipal -DisplayName "Your Project Service Connection name from Azure AD App Registrations").ApplicationId.Guid
$clientSecret = 'hard-coded, reset SPN password'
如您所见,扩展程序可以访问所有三个脚本,但据我所知,常规脚本没有访问权限.
As you can see, an extension would have access to all three, but regular script (to my knowledge) doesn't.
SPN密码重置包含在The Net中.简而言之,它是这样的:
SPN password reset is covered in The Net. Briefly, it is something like this:
$clientId = (Get-AzureRmADServicePrincipal -DisplayName "Your Project Service Connection name from Azure AD App Registrations").Id.Guid
$password = ConvertTo-SecureString –asplaintext –force "oh, this is very secret!"
New-AzureRmADSpCredential -ObjectId $clientId -Password $password
还:将纯文本密码更新为Azure DevOps项目设置,管道服务连接以了解更新.
Also: Update the plaintext password into Azure DevOps project settings, Service Connections for Pipeline to know about the update.
这篇关于使用VSTS任务创建AD应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!