Get Subscriptions from Azure tenant using multi-tenant application


Problem description


I'm trying to build a multi-tenant application to retrieve all subscription information from my personal account.

Using the Powershell ARM I'm able to retrieve this information:

However, when trying to do this action using the azure management API:

https://management.azure.com/subscriptions?api-version=2016-06-01

Using a JWT generated using my tenant, application id and key secret it returns the following:

{"value": [] }

My application permissions seem fine:

Am I missing something from my permissions?

Edit: I am able to get my tenants using the same endpoint. Could this be something to do with my company's permissions for AAD users?

Solution

First, you're using the client credentials flow. With this flow, you cannot act on behalf of a user. The Delegated permissions are not for this flow; they are for the other on-behalf-of-user flows, like the code grant flow. So, you need to choose which flow you need to use. If you still want to use the client credentials flow, you can take the following steps to give it permissions:

You need to assign a Role to your Service principal via Azure RBAC. Go to Azure portal > Select one specific subscription > Access control (IAM) > Add > choose your service principal > select Contributor role > Save

You can take the same steps to assign a role to your SP from another subscription.

After doing this, you will have enough permissions to use the REST API via the client credentials flow.

About listing subscriptions from other tenants:

I didn't test this because I don't have multiple subscriptions. But with a multi-tenant app, it also needs the other tenant's admin consent and a role assignment there too.

With the client credentials flow, you still can only get an access token for one tenant. So, you can only list subscriptions from one tenant at a time.

Update:

Even PowerShell actually gets subscriptions from other tenants by using different tenant IDs many times. So, you cannot use the API to achieve that directly.

I used Fiddler to capture the traffic of PowerShell running Get-AzureRmSubscription:

Hope this helps!
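The answer above makes two points that are easy to get wrong in practice: a client-credentials token is always scoped to one tenant, and API permissions on the app registration do not grant any access to Azure Resource Manager, only an RBAC role assignment on a subscription does. The following PowerShell script is an added example (not code from the question or the answer) that does what the Fiddler capture shows PowerShell doing: it requests a token per tenant with the same app id and secret, lists the subscriptions visible in each tenant through the REST endpoint from the question, and reports the `{"value": []}` case separately, since that response means the token was accepted but the service principal has no role assignment in that tenant. The tenant list, client id and secret are parameters the caller supplies; the script assumes the multi-tenant app has already been admin-consented in each of those tenants.

```powershell
# Added example (not from the original post): list subscriptions across several
# tenants with one multi-tenant app using the client credentials flow.
# Assumptions: the app has been consented in every tenant in $TenantIds, and its
# service principal holds at least the Reader role on the subscriptions it should
# see. One token is requested per tenant because a client-credentials token is
# always issued for a single tenant.
param(
    [Parameter(Mandatory)] [string]   $ClientId,
    [Parameter(Mandatory)] [string]   $ClientSecret,
    [Parameter(Mandatory)] [string[]] $TenantIds
)

$Resource   = 'https://management.azure.com/'
$ApiVersion = '2016-06-01'

function Get-ArmToken {
    param([string] $TenantId)
    # v1 token endpoint, the same flow the question uses (tenant + app id + secret).
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = $Resource
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $resp.access_token
}

function Get-ArmSubscriptions {
    param([string] $Token)
    $headers = @{ Authorization = "Bearer $Token" }
    $uri = "$Resource" + "subscriptions?api-version=$ApiVersion"
    $all = @()
    # Follow nextLink in case the tenant has more subscriptions than fit in one page.
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $all += $page.value
        $uri  = $page.nextLink
    }
    return $all
}

$results = foreach ($tenant in $TenantIds) {
    try {
        $token = Get-ArmToken -TenantId $tenant
    } catch {
        # Typical cause: the multi-tenant app was never admin-consented in this tenant,
        # so there is no service principal there to issue a token for.
        Write-Warning "Token request failed for tenant $tenant : $($_.Exception.Message)"
        continue
    }
    $subs = Get-ArmSubscriptions -Token $token
    if (-not $subs) {
        # Token accepted but ARM answered {"value": []}: the symptom from the question.
        # The service principal has no RBAC role assignment on any subscription in
        # this tenant; app registration API permissions do not count here.
        Write-Warning "No subscriptions visible in tenant $tenant; check the RBAC role assignments of the service principal."
        continue
    }
    foreach ($s in $subs) {
        [pscustomobject]@{
            TenantId       = $tenant
            SubscriptionId = $s.subscriptionId
            DisplayName    = $s.displayName
            State          = $s.state
        }
    }
}

$results | Format-Table -AutoSize
```

Run it as `.\List-Subscriptions.ps1 -ClientId <appId> -ClientSecret <secret> -TenantIds 'tenant-a-id','tenant-b-id'` (file name and values are placeholders). The role assignment step from the answer can be scripted instead of clicked through the portal with `New-AzureRmRoleAssignment -ObjectId <spObjectId> -RoleDefinitionName Reader -Scope /subscriptions/<subscriptionId>`; the answer uses Contributor, but for merely listing subscriptions the Reader role is sufficient, and a least-privilege assignment limits what a leaked client secret can do. Keep the secret out of the command line history in real use (read it from a secure store or `Read-Host -AsSecureString`) since this flow authenticates with nothing but that secret.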
