使用VSTS中的服务主体对Azure Graph 403 Authorization_RequestDenied [英] Azure Graph 403 Authorization_RequestDenied using service principal from VSTS

问题描述

我有一个VSTS使用的服务主体来运行Azure Powershell脚本.我尝试调用的命令是Get-AzureRmRoleAssignment.我收到以下错误消息

I have a service principal that is used by VSTS to run an Azure Powershell script. The command i'm trying to call is Get-AzureRmRoleAssignment. I'm getting the following error message

  "Exception": {
     "Request": {
       "Method": "POST",
       "RequestUri": "https://graph.windows.net/********/getObjectsByObjectIds?api-version=1.6",
       "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.Object]",
       "Headers": "System.Collections.Generic.Dictionary`2[System.String,System.Collections.Generic.IEnumerable`1[System.String]]"
     },
     "Response": {
       "StatusCode": 403,
       "ReasonPhrase": "Forbidden",
       "Content": {
         "odata.error": {
           "code": "Authorization_RequestDenied",
           "message": {
             "lang": "en",
             "value": "Insufficient privileges to complete the operation."
           }
         }
       },
       "Headers": "System.Collections.Generic.Dictionary`2[System.String,System.Collections.Generic.IEnumerable`1[System.String]]"
}
}

我已验证服务主体具有角色分配的读取权限.

I've verified that the service principal has read access for role assignment.

推荐答案

实际上，此powershell脚本Get-AzureRmRoleAssignment不仅需要具有Azure REST API权限的角色分配读取权限，而且还需要使用Azure AD Graph API读取目录数据权限.

Actually, this powershell script Get-AzureRmRoleAssignment doesn't only needs read access for role assignment with Azure REST API permission but also needs Read directory data permission with Azure AD Graph API.

我们可以使用Fiddler找出此命令调用的API:

We can use Fiddler to find out which API does this command calls:

这意味着Get-AzureRmRoleAssignment需要调用3个API才能完成操作.其中两个是Azure REST API，其中一个是Azure AD Graph API:

It means that Get-AzureRmRoleAssignment needs call 3 APIs to complete the operation. Two of them are Azure REST API, one of them is Azure AD Graph API:

POST https://graph.windows.net/<tenantID>/getObjectsByObjectIds?api-version=1.6

解决方案:

因此，请检查您的sp是否具有读取目录数据权限的权限.(最好同时添加"c3>"应用程序权限和委派"权限，然后单击授予权限"按钮).这是我的测试结果:

So, check if your sp has permissions to read directory data permission.(You'd better add Read directory data permission both Application permissions and Delegated permissions and then click Grant permissions button). Here is my test result:

希望这会有所帮助！

这篇关于使用VSTS中的服务主体对Azure Graph 403 Authorization_RequestDenied的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！