为什么我的服务主体不继承订阅的“所有者”的组角色分配？ [英] Why doesn't my service principal inherit a subscription's group role assignment of "owner"?

问题描述

您好。我无法让服务主体继承组的角色分配。



我在Azure AD中创建了一个安全组，并将其分配给"所有者"。我订阅的角色，然后我创建了一个服务主体并将其添加到上述安全组。我本来希望能够使用服务主体，因为它是
订阅的所有者，但服务主体似乎没有任何访问权限< g class =" gr_ gr_49 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 49" id =" 49"> powershell< / g>。$


这是我的所作所为：



创建一个安全组

- 进入订阅并分配"所有者"。组$
- 创建服务主体和访问密钥

- 向安全组添加服务主体

- 连接到Azure < g class =" gr_ gr_46 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 46" ID = QUOT; 46">&的powershell LT; / g取代;使用服务主体的凭证

- 尝试运行Get-AzSubscription



完成后，Get-中没有列出订阅AzSubscription输出。



这是< g class =" gr_ gr_47 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 47" ID = QUOT; 47">&的powershell LT; / g取代;命令我运行连接作为服务主体：



Connect-< g class =" gr_ gr_48 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 48英寸; ID = QUOT; 48英寸;> AzAccount< / g取代; -ServicePrincipal -Credential（Get-Credential）-TenantId
$ myTenantId



在Get-Credential弹出窗口中，我输入了服务主体的应用程序ID，服务主管在密码中的密钥。

PS：我很抱歉格式出错了。尽管我最好尝试重新编辑此帖子以删除标记，但我认为WYSIWYG编辑器会自动在关键字周围添加标签。

解决方案

你好Josh，

我按照你所遵循的确切步骤我能够看到我的订阅。 

++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++凭证（Get-Credential）-Tenant abcdef-e674-4de5-a600-15459e0091a4

cmdlet命令管道位置的Get-Credential 1

以下参数的供应值：

警告：提供的服务主要秘密将包含在

 用户配置文件中的"AzureRmContext.json"文件中（C：\ Users \ karedd \\ \\ .Azure）。请确保此目录有适当的保护。



帐户  &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; SubscriptionName&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; TenantId&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP;环境与NBSP; &NBSP;
  &NBSP;  

-------  &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; ----------------&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; --------&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP;
  &NBSP; &NBSP; &NBSP; &NBSP;   ----------
$
0ba96e8e-055d-49f Visual Studio Enterprise 1a74ee17-e674-4de5-a600  &NBSP;   AzureCloud

++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++表明我有权访问此订阅。然后我运行了Get-AzSubscription命令，我能够提取子细节

++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Get-Azsubscription | fl



$
Id  &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; ：cfadfDFDFDEA

姓名  &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; ：Visual Studio Enterprise

状态  &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP;  ：已启用

SubscriptionId  &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; ：DSFCASDSASD

TenantId  &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; ：SDASDSDSADSADSADSADSA

CurrentStorageAccountName： 

ExtendedProperties  &NBSP; &NBSP; &NBSP; ：{[帐户，SDASDSDAS，[租户，1FSDFD]，[环境，AzureCloud]}

++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++

您可以从Azure门户查看>订阅> IAM（访问控制）>检查"访问"选项卡？ 

您可以输入服务主体名称，然后检查服务主体是否具有所有者访问权限？

Hi. I'm having trouble getting a service principal to inherit a group's role assignment.

I've created a security group in Azure AD and assigned it the "Owner" role for my subscription, then I created a service principal and added it to the aforementioned security group. I was expecting to be able to use the service principal like it was an owner of the subscription, but the service principal seems not to have any access through <g class="gr_ gr_49 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="49" id="49">powershell</g>.

Here's what I did:

Created a security group
- Went into the subscription and assigned "Owner" to the group
- Created a service principal and an access key
- Added the service principal to the security group
- Connected to Azure with <g class="gr_ gr_46 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="46" id="46">powershell</g> using the service principal's credentials
- Attempted to run Get-AzSubscription

After doing as much, there is no subscription listed in the Get-AzSubscription output.

Here's the <g class="gr_ gr_47 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="47" id="47">powershell</g> command I ran to connect as the service principal:

Connect-<g class="gr_ gr_48 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="48" id="48">AzAccount</g> -ServicePrincipal -Credential (Get-Credential) -TenantId $myTenantId

In the Get-Credential popup, I entered the application id of the service principal and the service principal's key in the password.

PS: I'm very sorry about the formatting going awry. Despite my best attempts to re-edit this post to remove the markup, I think the WYSIWYG editor is automatically adding tags around keywords.

解决方案

Hello Josh,

I followed the exact steps you followed and I am able to see my subscription. 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Connect-AzAccount -ServicePrincipal -Credential (Get-Credential) -Tenant abcdef-e674-4de5-a600-15459e0091a4
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the
 user profile ( C:\Users\karedd\.Azure ). Please ensure that this directory has appropriate protections.

Account                             SubscriptionName         TenantId                   Environment         
-------                              ----------------                  --------                             ----------
0ba96e8e-055d-49f Visual Studio Enterprise 1a74ee17-e674-4de5-a600     AzureCloud

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As soon as I authenticate , the output shows that I have access to this subscription. I then ran the Get-AzSubscription command and I was able to pull the sub details

+++++++++++++++++++++++++++++++++++++++++++++++++

PS C:\WINDOWS\system32> Get-Azsubscription | fl


Id                        : cfadfDFDFDEA
Name                      : Visual Studio Enterprise
State                     : Enabled
SubscriptionId            : DSFCASDSASD
TenantId                  : SDASDSDSADSADSADSADSA
CurrentStorageAccountName : 
ExtendedProperties        : {[Account, SDASDSDAS, [Tenants, 1FSDFD], [Environment, AzureCloud]}

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Can you check from the Azure Portal > subscriptions > IAM (Access Control) > Check Access tab ? 

You can enter the service principal name and then check if the service principal has the owner access ?

这篇关于为什么我的服务主体不继承订阅的“所有者”的组角色分配？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！