Grant service principal access to application in other tenant


Question

I have an Azure AD service principal in one tenant (OneTenant) that I would like to give access to an application in another tenant (OtherTenant).

The service principal in tenant OneTenant is a managed service identity for an Azure Logic App. So what I actually want is to call an API from my Logic App. This API is protected by an Azure AD application in OtherTenant.

The application in OtherTenant defines a number of roles, and the service principal in OneTenant should have one of these roles so it can call the API.

I tried the following:

  • set the app in OtherTenant to multi-tenant
  • ran the following PS command to attempt to add the SP to a role in the app:

# Placeholders in angle brackets: the object id of the service principal
# (the Logic App's managed identity) in OneTenant, the id of the app role,
# and the application id of the app registered in OtherTenant.
New-AzureADServiceAppRoleAssignment `
  -ObjectId <object-id-of-sp-in-one-tenant> `
  -Id <role-id> `
  -PrincipalId <object-id-of-sp-in-one-tenant> `
  -ResourceId <app-id-in-other-tenant>

(both while signed in to OneTenant and while signed in to OtherTenant)

This gives an error stating that either app-id-in-other-tenant or object-id-of-sp-in-one-tenant can not be found, depending on where I am signed in.

I also tried creating a Service Principal in OneTenant based on the app-id from OtherTenant. In that case I get an error message: "Authenticating principal does not have permission to instantiate multi-tenant applications and there is not matching Application in the request tenant."

Answer

Ok, I finally got around to testing whether the solution presented by Rohit Saigal works. It does point in the right direction but is not complete.

The first step is to create a service principal in OneTenant that represents the application in OtherTenant. So while signed in to OneTenant, run the following script:

# Creates a local service principal for the multi-tenant app from OtherTenant
# and keeps the resulting object so its ObjectId can be used below.
$spInOneTenant = New-AzureADServicePrincipal -AppId <app-id-in-other-tenant>

The next step is to run the New-AzureADServiceAppRoleAssignment cmdlet with the following parameters:

# <role-id> is the id of the app role defined in the OtherTenant app;
# <object-id-of-sp-in-one-tenant> is the Logic App's managed identity.
New-AzureADServiceAppRoleAssignment `
    -Id <role-id> `
    -ObjectId <object-id-of-sp-in-one-tenant> `
    -PrincipalId <object-id-of-sp-in-one-tenant> `
    -ResourceId $spInOneTenant.ObjectId

The trick is to use the object id of the service principal you created in the previous step as the ResourceId.
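The two steps of the answer above, combined into one idempotent script, as an added example that is not part of the original question or answer. It assumes the AzureAD PowerShell module, an account in OneTenant that is permitted to create the service principal (the answer's first step), and placeholder values for the OneTenant id, the OtherTenant application id, the role's "value" string from the app manifest and the Logic App's display name; the role id is resolved from the local service principal's AppRoles instead of being pasted in, and the assignment is checked afterwards.

```powershell
# Added example; placeholders below are assumptions, replace with real values.
$oneTenantId      = '00000000-0000-0000-0000-000000000000'  # tenant id of OneTenant
$otherTenantAppId = '11111111-1111-1111-1111-111111111111'  # app (client) id of the app registered in OtherTenant
$roleValue        = 'Api.Invoke'                            # "value" of the app role in the OtherTenant app manifest
$logicAppSpName   = 'my-logic-app'                          # display name of the Logic App's managed identity

# Sign in to the tenant that owns the Logic App's managed identity.
Connect-AzureAD -TenantId $oneTenantId | Out-Null

# Step 1: make sure OneTenant has a service principal for the OtherTenant app.
# Reuse it if an earlier run (or an admin consent) already created it.
$resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$otherTenantAppId'"
if (-not $resourceSp) {
    $resourceSp = New-AzureADServicePrincipal -AppId $otherTenantAppId
}

# Resolve the role id from its value and refuse roles that are disabled or
# not assignable to applications (only those can be held by a service principal).
$role = $resourceSp.AppRoles | Where-Object {
    $_.Value -eq $roleValue -and $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'Application')
}
if (-not $role) {
    throw "Role '$roleValue' not found on app $otherTenantAppId, or not assignable to applications"
}

# The Logic App's system-assigned identity is itself a service principal in OneTenant.
$principalSp = Get-AzureADServicePrincipal -Filter "displayName eq '$logicAppSpName'"
if (-not $principalSp) {
    throw "Managed identity '$logicAppSpName' not found in tenant $oneTenantId"
}

# Step 2: assign the role. ResourceId is the object id of the LOCAL service
# principal created in step 1, not the application id from OtherTenant.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $principalSp.ObjectId -and $_.Id -eq $role.Id }
if (-not $existing) {
    New-AzureADServiceAppRoleAssignment `
        -ObjectId    $principalSp.ObjectId `
        -Id          $role.Id `
        -PrincipalId $principalSp.ObjectId `
        -ResourceId  $resourceSp.ObjectId | Out-Null
}

# Verify: show every role the managed identity now holds on this resource,
# so an unintended extra assignment is visible rather than silently accumulated.
Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $principalSp.ObjectId } |
    Select-Object PrincipalDisplayName, Id, ResourceDisplayName
```

When the Logic App later requests a token for the API, it asks for the audience of the OtherTenant app, but the token is issued by OneTenant's authority. The API therefore has to accept OneTenant as a valid issuer (it is a multi-tenant app, so per-tenant issuer validation is its responsibility) and should authorize on the `roles` claim, which will contain the role value only if the assignment above exists; the multi-tenant setting alone grants no role.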
