Permissions to change Azure VM Local Admin Password using App Registration


Question

I found THIS answer where the author shows how to change the local admin password on the VM. I'm wondering what I can do to make this request call using an App Registration account in Active Directory. What permissions do I need to give (and how) to this App Registration?

I'm using MSAL to get an access token like this (in Python):

import logging

import msal


def az_get_access_token(client_id, authority, secret, default_scope):
    # Create a preferably long-lived app instance which maintains a token cache.
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=authority,
        client_credential=secret,
        # token_cache=...  # Default cache is in memory only.
        # To learn how to use SerializableTokenCache from
        #   https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
    )

    # Get access token (client-credential flow has no user account, hence account=None)
    result = app.acquire_token_silent(scopes=[default_scope], account=None)

    if not result:
        logging.debug("No suitable token exists in cache. Let's get a new one from AAD.")
        result = app.acquire_token_for_client(scopes=[default_scope])

    if 'access_token' not in result:
        logging.error('Azure error: %s, description: %s' % (result['error'], result['error_description']))
        raise RuntimeError('could not acquire an access token from AAD')

    access_token = result['access_token'] # JWT access token

    return access_token

And then making the REST call like this:

import json

import requests

# client_id, authority, app_secret, default_scope, local_admin_user_name,
# local_admin_new_password, subscriptionId, resourceGroupName and vmName
# are set by the caller before this runs.
access_token = az_get_access_token(client_id, authority, app_secret, default_scope)

vm_pwd_change_payload = {
    'properties': {
        'publisher': 'Microsoft.Compute',
        'type': 'VMAccessAgent',
        'typeHandlerVersion': '2.0',
        'autoUpgradeMinorVersion': True,
        'settings': {
            'UserName': local_admin_user_name
        },
        'protectedSettings': {
            'Password': local_admin_new_password
        }
    },
    'location': "West US"
}

# PUT against the VM resource itself
vm_pwd_update_change_resp = requests.put(
    'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s?api-version=2020-12-01' % (subscriptionId, resourceGroupName, vmName),
    headers={
        'Authorization': 'Bearer ' + access_token,
        'Content-Type': 'application/json'
    },
    data=json.dumps(vm_pwd_change_payload),
    timeout=30
)

if not vm_pwd_update_change_resp.ok:
    print("Reason: %s" % vm_pwd_update_change_resp.reason)
    print("\t%s" % vm_pwd_update_change_resp.text)
else:
    print("CHANGED!!!!!!")

(Also, I'm not sure what to put in authority and in scope.)

Recommended answer

Set https://login.microsoftonline.com/{tenant id} as authority and https://management.azure.com/.default as scope.

For permissions, since Application permissions for the Azure REST API are not available in the app registration (they are grayed out), we can assign an RBAC role to the App Registration account on the VM. Detailed steps here.

Find the VM -> Access Control -> Add -> Add role assignment -> select a role (for example Contributor) and enter the name of your App Registration.

As you found, after that you have to change the URL to the following: https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s/extensions/enablevmaccess?api-version=2020-12-01.
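The answer's three points (authority and scope for MSAL, a role assignment on the VM, and the enablevmaccess extension endpoint instead of the VM resource) put together in one client, as an added example that is not code from the question or the answer. Function names, MIN_CUSTOM_ROLE, the constructed token helper and all sample values are this example's own assumptions; msal and requests are imported inside the two functions that talk to Azure so that the request builders and checks run offline.

```python
# Added example, not code from the question or the answer. Packages the answer's
# authority/scope, the VMAccess extension endpoint and a VM-scoped role into one
# client. Names, MIN_CUSTOM_ROLE and sample values are assumptions of this example.
import base64
import json

ARM_RESOURCE = "https://management.azure.com"
API_VERSION = "2020-12-01"

def build_authority(tenant_id):
    # Tenant-specific authority; 'common' is not valid for the client-credential flow.
    return f"https://login.microsoftonline.com/{tenant_id}"

def build_scope(resource=ARM_RESOURCE):
    # Client-credential flow uses the static '/.default' scope of the target resource.
    return f"{resource}/.default"

def build_extension_url(subscription_id, resource_group, vm_name, api_version=API_VERSION):
    # PUT target is the VMAccess extension under the VM, not the VM resource itself.
    return (f"{ARM_RESOURCE}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Compute/virtualMachines/{vm_name}"
            f"/extensions/enablevmaccess?api-version={api_version}")

def build_payload(user_name, new_password, location):
    # Password goes only in protectedSettings: a GET on the extension returns 'settings'
    # in clear but never 'protectedSettings', which is decrypted only inside the guest.
    return {
        "location": location,  # must be the VM's own region
        "properties": {
            "publisher": "Microsoft.Compute",
            "type": "VMAccessAgent",
            "typeHandlerVersion": "2.0",
            "autoUpgradeMinorVersion": True,
            "settings": {"UserName": user_name},
            "protectedSettings": {"Password": new_password},
        },
    }

def token_audience(access_token):
    # Decode the 'aud' claim from the payload segment as a local sanity check on which
    # resource the token was issued for. No signature verification here; ARM does that.
    segment = access_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment)).get("aud", "")

def audience_matches_scope(access_token, scope):
    # True when the audience is the resource the '/.default' scope was built from.
    expected = scope.rsplit("/.default", 1)[0].rstrip("/")
    return token_audience(access_token).rstrip("/") == expected

def constructed_token(aud):
    # Constructed, unsigned JWT-shaped string for offline checks only; not a real token.
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg({'aud': aud, 'appid': 'sample'})}.sig"

def acquire_arm_token(client_id, tenant_id, client_secret):
    import msal  # lazy: only needed when actually talking to Azure AD
    app = msal.ConfidentialClientApplication(
        client_id, authority=build_authority(tenant_id), client_credential=client_secret)
    scope = build_scope()
    result = app.acquire_token_silent([scope], account=None) or app.acquire_token_for_client([scope])
    if "access_token" not in result:
        raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
    if not audience_matches_scope(result["access_token"], scope):
        raise RuntimeError("token audience is not ARM; check the scope")
    return result["access_token"]

def change_local_admin_password(token, subscription_id, resource_group, vm_name,
                                location, user_name, new_password, timeout=30):
    import requests  # lazy, same reason as msal
    resp = requests.put(
        build_extension_url(subscription_id, resource_group, vm_name),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        json=build_payload(user_name, new_password, location),
        timeout=timeout)
    if resp.status_code == 403:  # no RBAC role for the app registration on this VM
        raise PermissionError(f"app registration has no role on the VM: {resp.text}")
    resp.raise_for_status()
    # ARM answers 200/201 and the guest agent applies the change asynchronously; poll the
    # extension's provisioningState before treating the rotation as done.
    return resp.status_code

# Contributor (the answer's example) also lets the principal delete or resize the VM. A
# custom role with just the extension actions is enough for this call. The action names
# are this example's assumption; confirm them against the Microsoft.Compute provider
# operations in your tenant, then assign the role at the VM scope as the answer does.
MIN_CUSTOM_ROLE = {
    "Name": "VM Local Admin Password Rotator",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/extensions/write",
    ],
    "AssignableScopes": ["/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"],
}
```

To use the narrower role, write MIN_CUSTOM_ROLE to a file and run `az role definition create --role-definition role.json`, then assign it to the app registration's service principal at the VM scope (the portal steps in the answer, or `az role assignment create --assignee <application id> --role "VM Local Admin Password Rotator" --scope <VM resource id>`). The audience check in acquire_arm_token catches the common mistake of requesting a Graph scope by accident: ARM would reject such a token with 401, but the error is far clearer locally.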

