Azure服务主体可以更新其自己的密码吗? [英] Can Azure Service Principal Update Its Own Passwords?

问题描述

我需要使用Azure服务主体以编程方式进行操作:
1.添加/删除其他服务主体的密码，并且
2.自行添加/删除密码

1很容易做到.

但是由于以下错误，我似乎无法执行2.#2有可能吗?如何?

  graphrbac.PasswordCredentialsUpdateParameters失败:graphrbac.ApplicationsClient#UpdatePasswordCredentials:未能响应请求:StatusCode = 403-原始错误:autorest/azure:服务返回了错误.Status = 403代码=未知"消息=未知服务错误"详细信息= [{"odata.error":{代码":"Authorization_RequestDenied"，日期":"2019-06-06T22:19:35"，消息":{"lang":"en"，值:"权限不足，无法完成操作.}，" requestId:"< ID>}}]] 

解决方案

#2有可能吗?怎么样?

是的，有可能.

只需将您的服务主体添加到

删除密码(成功后不返回任何内容):

  $ password = Get-AzureADApplicationPasswordCredential -ObjectId< ObjectId>Remove-AzureADApplicationPasswordCredential -ObjectId< ObjectId>-KeyId $ password.KeyId 

此外，您可以检查我的测试示例中的屏幕快照，以及门户中的屏幕快照，请确保服务主体为其自身添加/删除密码 .

I need to use an Azure service principal to programmatically:
1. add/delete passwords for other services principal , and
2. add/delete passwords for itself

1 is easy to do.

But I can't seem to do 2 due to the following error. Is #2 possible? How?

graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" 
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]

解决方案

Is #2 possible? How?

Yes, it is possible.

Just add your service principal to the Application Administrator directory role in your tenant, no need to add other permissions, it will work(there may be some delay).

Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name(service principal name) -> select it -> Select.

My test sample:

I test it with powershell, in other languages, it should also work.

Add password:

Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>

Remove password(it returns no content when successful):

$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId

Besides, you could check the screenshot in my test sample and that in the portal, make sure the service principal add/delete passwords for itself.

这篇关于Azure服务主体可以更新其自己的密码吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！