如何以编程方式管理客户基于使用量的订阅? [英] How to manage customer's usage-based subscription programmatically?

问题描述

首先让我描述一个手动"方案.我以合作伙伴身份登录到合作伙伴中心，然后转到客户列表( https://partnercenter.microsoft.com/en-us/pcv/customers/list ).对于任何客户，都可以使用All resources (Azure portal)链接:

Let me first describe a "manual" scenario. I login to Partner Center as a partner and go to customer list (https://partnercenter.microsoft.com/en-us/pcv/customers/list). For any customer it is possible to manage all its usage-based subscriptions in Azure portal using All resources (Azure portal) link:

特别是，我可以向订阅添加共同管理员(即，添加具有角色Owner的用户):

In particular, I can add a co-admin to subscription (i.e. add a user with role Owner):

如何自动执行客户订购管理?

How to automate this management of customer's subscriptions?

我的努力:我对CREST API和文档:

My efforts: I have some experience of CREST API and RBAC API. This is limitation of an Azure Active Directory (AAD) application described in docs:

您只能为与订阅相同相同目录中的应用程序授予对订阅中资源的访问权限.

You can only grant access to resource in your subscription for applications in the same directory as your subscription.

由于每个客户的订阅都存在于单独客户的AAD中，因此RBAC API似乎无济于事:

Due to each customer's subscription exists in separate customer's AAD, it seems RBAC API cann't help:

1. 它需要基于AAD应用程序的令牌(即，基于TenantId， ClientId，ClientSecret)，并且没有办法 在客户的目录中以编程方式创建AAD应用程序.

1. It requires an AAD application-based token (i.e. based on TenantId, ClientId, ClientSecret), and there is no way to programmatically create an AAD application in customer's directory.

位于合作伙伴的AAD中的应用程序无法访问 客户的订阅.

An application located in partner's AAD cann't get access to customer's subscription.

是否存在以编程方式将admin/co-admin/owner添加到客户的订阅中的任何方法?

Does any way to programmatically add an admin/co-admin/owner to customer's subscription exist?

推荐答案

与Patrick Liang

With Patrick Liang help on MSDN forums, finally I've come up with a solution: enable Pre-consent feature for a partner's AAD app to grant access to customers subscriptions. Let me describe it:

1.合作伙伴中心资源管理器项目

https://github.com/Microsoft/Partner-Center-Explorer/

这是一个类似于 partnercenter.microsoft.com 的Web应用程序，并且是使用各种Microsoft API的一个很好的例子.最重要的是，该项目是从合作伙伴AAD应用访问客户订阅的完整示例.但是，它建议用户进行交互(作为合作伙伴对Login.live.com进行OAuth身份验证)，而在尝试避免这种交互时，我遇到了一些问题.下面，我描述如何使用代码中已经存在的所有凭据连接到客户的订阅.

It's a web application similar to partnercenter.microsoft.com and it's a good example of various Microsoft APIs usage. Most important, this project is a complete example of accessing customer's subscription from partner AAD app. However, it suggests user interaction (OAuth authentification to login.live.com as a partner) and I faced some issues when tried to avoid it. Below I describe how to connect to customer's subscription with all credentials already in code.

2.合作伙伴AAD应用

创建本地 AAD应用程序而不是Web AAD应用程序，但是以相同的方式配置其其他应用程序的权限". 跳过不适用于本机应用程序的步骤(例如，跳过client_secret获取和跳过清单更新).

Create native AAD app instead of web AAD app but configure its "Permissions to other applications" the same way. Skip steps which are not applicable to native app (for example, skip client_secret obtaining and skip manifest update).

3. PowerShell脚本

应用程序配置的最后一步是运行此脚本:

Last step of app configuring is to run this script:

Connect-MsolService
$g = Get-MsolGroup | ? {$_.DisplayName -eq 'AdminAgents'} 
$s = Get-MsolServicePrincipal | ? {$_.AppPrincipalId -eq 'INSERT-CLIENT-ID-HERE'}
Add-MsolGroupMember -GroupObjectId $g.ObjectId -GroupMemberType ServicePrincipal -GroupMemberObjectId $s.ObjectId

需要安装多个模块才能执行这些comandlet.如果在用于IT专业人员的Microsoft Online Services登录助手"安装过程中遇到错误，请尝试安装BETA模块:

It's required to install several modules to execute these comandlets. If you get an error during "Microsoft Online Services Sign-In Assistant for IT Professionals" install, try to install BETA module:

面向IT专业人员的Microsoft在线服务登录助手(测试版)

您可能需要这个:

用于Windows PowerShell(64位)的Microsoft在线服务模块

4.代码

最后，我们准备进行身份验证并

Finally we are ready to authenticate and create a role assignment:

public async void AssignRoleAsync()
{
    var token = await GetTokenAsync();

    var response = await AssignRoleAsync(token.AccessToken);
}

public async Task<AuthenticationResult> GetTokenAsync()
{
    var authContext = new AuthenticationContext($"https://login.windows.net/{CustomerId}");

    return await authContext.AcquireTokenAsync(
        "https://management.core.windows.net/"
        , ApplicationId
        , new UserCredential(PartnerUserName, PartnerPassword));
}


public async Task<HttpResponseMessage> AssignRoleAsync(string accessToken)
{
    string newAssignmentId = Guid.NewGuid().ToString();
    string subSegment = $"subscriptions/{CustomerSubscriptionId}/providers/Microsoft.Authorization";
    string requestUri = $"https://management.azure.com/{subSegment}/roleAssignments/{newAssignmentId}?api-version=2015-07-01";
    string roleDefinitionId = "INSERT_ROLE_GUID_HERE";

    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add("Authorization", "Bearer " + accessToken);

        var body = new AssignRoleRequestBody();
        body.properties.principalId = UserToAssignId;
        body.properties.roleDefinitionId = $"/{subSegment}/roleDefinitions/{roleDefinitionId}";

        var httpRequest = HttpHelper.CreateJsonRequest(body, HttpMethod.Put, requestUri);

        return await client.SendAsync(httpRequest);
    }
}

要获取角色定义ID，只需请求

To obtain role definition IDs, just make a request to get all roles per subscription scope.

有用的链接:

MSDN:如何以编程方式管理客户基于使用量的订阅?

管理角色-使用REST API的基于访问的控制

这篇关于如何以编程方式管理客户基于使用量的订阅?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！