MSI Permissions for Graph API

Question

My question is, do we have any documented method of granting a Manage Service Identity permissions to the Graph API as we would with an Azure App Registration in the portal? I was unable to find any Powershell options or ability to manage permissions for the MSI service principal in the Azure Portal or documentation. I found a similar question on MSDN forums, but wanted to make sure there were not any further updates or workarounds that anybody knew of?

MSDN Forum Post: https://social.msdn.microsoft.com/Forums/azure/en-US/dae34534-f193-4444-b52e-ba9cfa4a1fda/does-azure-msi-support-accessing-graph-api?forum=WindowsAzureAD

Answer

Disclaimer - I'm not overly familiar with MSIs, but as they are modeled as service principals, this should work. Also I'm not able to validate these steps.

These steps require that you use Azure AD PowerShell (v2) to assign application permissions to your MSI (to access Microsoft Graph), and that you are an administrator or app admin in your tenant. For Microsoft Graph, the documented permissions can be found here. The same instructions could be used for other resources secured by Azure AD too. I'll assume that you've already installed the PowerShell module.

  1. Connect-AzureAD to connect PS to Azure AD. Enter your admin creds.
  2. $graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" to find the service principal representing Microsoft Graph and assign it to a variable. The service principal for Microsoft Graph is currently created just in time on first access, so there is a possibility it doesn't exist. It can be created by calling New-AzureADServicePrincipal -AppId "00000003-0000-0000-c000-000000000000".
  3. $graph.AppRoles - this will show you all the available application permissions that you can choose from that are exposed by Microsoft Graph. For example if your MSI needs to read group information, find the "Group.Read.All" permission from the list, and make a note of its permission Id (it's a GUID). For example here's one of the records from the AppRoles list:

     AllowedMemberTypes : {Application}
     Description        : Allows the app to read events of all calendars without a signed-in user.
     DisplayName        : Read calendars in all mailboxes
     Id                 : 798ee544-9d2d-430c-a058-570e29e34338
     IsEnabled          : True
     Value              : Calendars.Read
  4. Find your MSI's objectId (assuming you don't know it, but that you do know its clientId/appId): $msi = Get-AzureADServicePrincipal -Filter "AppId eq '{Your_MSI_appId}'"
  5. For each of the permissions your MSI needs, run the following PS cmdlet to assign the permission to your MSI: New-AzureADServiceAppRoleAssignment -Id {permissionId} -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId
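
The five steps above, put together as one re-runnable script. This is an added example, not the answer's own code: it assumes the AzureAD (v2) module is installed, that $MsiAppId and $RequiredPermissions are values you supply, and that Get-AzureADServiceAppRoleAssignment run against the Graph service principal lists the assignments for which Graph is the resource.

```powershell
# Added example (not from the original answer). Grants Microsoft Graph application
# permissions to a managed identity by AppRole name instead of copying GUIDs by hand.
param(
    [Parameter(Mandatory)] [string] $MsiAppId,                # appId / clientId of the MSI (you supply this)
    [string[]] $RequiredPermissions = @('Group.Read.All')     # AppRole "Value" names to grant; keep this list minimal
)

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

Connect-AzureAD | Out-Null   # step 1: prompts for admin credentials

# Step 2: resolve the Graph service principal; create it if the tenant has never touched Graph.
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '$GraphAppId'"
if (-not $graph) {
    $graph = New-AzureADServicePrincipal -AppId $GraphAppId
}

# Step 4: resolve the MSI service principal from its appId.
$msi = Get-AzureADServicePrincipal -Filter "AppId eq '$MsiAppId'"
if (-not $msi) { throw "No service principal found for appId $MsiAppId" }

# Existing grants on the Graph resource, so re-running the script does not duplicate assignments.
# Assumption: this cmdlet returns assignments for roles exposed by the given resource SP.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $graph.ObjectId |
    Where-Object { $_.PrincipalId -eq $msi.ObjectId }

foreach ($name in $RequiredPermissions) {
    # Step 3: pick the AppRole by its Value; only enabled, application-type roles can be granted to an SP.
    $role = $graph.AppRoles | Where-Object {
        $_.Value -eq $name -and $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'Application')
    }
    if (-not $role) { throw "Microsoft Graph exposes no application permission named '$name'" }

    if ($existing | Where-Object { $_.Id -eq $role.Id }) {
        Write-Host "Already granted: $name ($($role.Id))"
        continue
    }

    # Step 5: -Id is the AppRole id, -PrincipalId the MSI, -ResourceId the Graph service principal.
    New-AzureADServiceAppRoleAssignment -Id $role.Id -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId | Out-Null
    Write-Host "Granted: $name ($($role.Id))"
}
```

Application permissions apply tenant-wide with no signed-in user, so the roles claim in the MSI's token is the full extent of what it can do against Graph; grant only the roles the workload actually calls.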

And that should do it. You should now be able to acquire an access token for your MSI to call Microsoft Graph, and the access token should contain a roles claim that matches the permissions (ids) that you've assigned above. You can then use that access token to call Microsoft Graph. This is similar to steps 6 and 7 in https://docs.microsoft.com/en-us/azure/active-directory/msi-overview.

Hope this helps,
