Get Subscriptions from Azure tenant using multi-tenant application


Question

I'm trying to build a multi-tenant application to retrieve all subscription information from my personal account.

Using the PowerShell ARM module I'm able to retrieve this information:

However, when trying to do this action using the Azure management API:

https://management.azure.com/subscriptions?api-version=2016-06-01

Using a JWT generated using my tenant, application id and key secret, it returns the following:

{值":[]}

{"value": [] }

My application permissions seem fine:

Am I missing something from my permissions?

I am able to get my tenants using the same endpoint. Could this be something to do with my company's permissions for AAD users?

Answer

First, you're using the client credentials flow. With this flow, you cannot act on behalf of a user. Delegated permissions are not for this flow; they are for other on-behalf-of-user flows, like the code grant flow. So you need to choose which flow you need to use. If you still want to use the client credentials flow, you can take the following steps to give it permissions:

You need to assign a role to your service principal via Azure RBAC. Go to Azure portal > Select one specific subscription > Access control (IAM) > Add > choose your service principal > select Contributor role > Save

You can take the same steps to add a role assignment for your SP on other subscriptions.

After doing this, you will have enough permissions to use the REST API via the client credentials flow.

Regarding listing subscriptions from other tenants:

I didn't test this because I don't have multiple subscriptions. But with a multi-tenant app, it also needs the other tenant's admin consent and a role assignment there too.

With the client credentials flow, you still can only get an access token for one tenant. So you can only list subscriptions from one tenant at a time.

Even PowerShell actually gets subscriptions from other tenants by using different tenant IDs many times. So you cannot use the API to achieve that directly.

I used Fiddler to catch the traffic with PowerShell running Get-AzureRmSubscription:

Hope this helps!
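The answer's two points, that a client-credentials token is scoped to a single tenant and that an empty `value` list with a valid token points at a missing RBAC role assignment rather than a missing API permission, can be seen in a small script that loops over tenant IDs, requests one token per tenant and calls the subscriptions endpoint with each. The following is an added example, not code from the original question or answer. It assumes the v1 token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/token` with `resource=https://management.azure.com/` and the `subscriptions?api-version=2016-06-01` endpoint from the question; the `demo_transport`, its tenant names, subscription ids and error message are constructed so the script runs offline, and `default_transport` is the real HTTP path.

```python
"""List Azure subscriptions visible to a service principal, one tenant at a time.

Added example (not from the original post). Assumes the v1 client-credentials
token endpoint and the ARM subscriptions endpoint quoted in the question.
"""
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com/"
SUBSCRIPTIONS_URL = ARM + "subscriptions?api-version=2016-06-01"


def default_transport(url, data=None, headers=None):
    """Real HTTP path: POST form data when `data` is given, otherwise GET; returns parsed JSON."""
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def get_token(tenant_id, client_id, client_secret, transport=default_transport):
    """Client-credentials grant: no user involved, and the token is valid for this tenant only."""
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    payload = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": ARM,
    }
    return transport(token_url, data=payload)["access_token"]


def list_subscriptions(token, transport=default_transport):
    """GET /subscriptions, following nextLink paging; returns the subscription ids the token may see."""
    ids, url = [], SUBSCRIPTIONS_URL
    while url:
        page = transport(url, headers={"Authorization": f"Bearer {token}"})
        ids.extend(s["subscriptionId"] for s in page.get("value", []))
        url = page.get("nextLink")
    return ids


def subscriptions_by_tenant(tenant_ids, client_id, client_secret, transport=default_transport):
    """One token request and one listing per tenant, with a diagnostic when a tenant yields nothing.

    A token that is issued but returns {"value": []} means the service principal has no RBAC
    role assignment on any subscription in that tenant (the symptom in the question).
    A failed token request is what a tenant that never granted admin consent looks like.
    """
    result = {}
    for tenant in tenant_ids:
        try:
            token = get_token(tenant, client_id, client_secret, transport)
        except Exception as exc:  # HTTPError for a real tenant, RuntimeError in the demo transport
            result[tenant] = {"subscriptions": [], "warning": f"token request failed: {exc}"}
            continue
        subs = list_subscriptions(token, transport)
        warning = None if subs else "token issued but no subscriptions visible: check RBAC role assignment"
        result[tenant] = {"subscriptions": subs, "warning": warning}
    return result


# Constructed offline stand-in for the two endpoints; tenant names and ids are not real.
DEMO_SUBS = {"tenant-a": ["sub-1", "sub-2"], "tenant-b": []}  # tenant-b: consented, no role assigned


def demo_transport(url, data=None, headers=None):
    """Fake transport: token POSTs keyed by the tenant in the URL, subscription GETs keyed by token."""
    if data is not None:  # token request: https://login.microsoftonline.com/<tenant>/oauth2/token
        tenant = url.split("/")[3]
        if tenant not in DEMO_SUBS:
            raise RuntimeError("constructed: application has no admin consent in this tenant")
        return {"access_token": "tok-" + tenant}
    tenant = headers["Authorization"][len("Bearer tok-"):]
    subs = DEMO_SUBS[tenant]
    if "skiptoken" in url:  # second page
        return {"value": [{"subscriptionId": s} for s in subs[1:]]}
    page = {"value": [{"subscriptionId": s} for s in subs[:1]]}
    if len(subs) > 1:  # emulate ARM paging with a constructed continuation link
        page["nextLink"] = SUBSCRIPTIONS_URL + "&skiptoken=demo"
    return page


if __name__ == "__main__":
    report = subscriptions_by_tenant(["tenant-a", "tenant-b", "tenant-c"], "app-id", "secret", demo_transport)
    print(json.dumps(report, indent=2))
```

Running the module as-is uses `demo_transport`; swapping in `default_transport` (the default argument) with real tenant IDs, an application id and its secret performs the live calls. The per-tenant loop is the whole point: there is no single token that spans tenants, so the tenant list has to come from somewhere else, for example the `tenants` endpoint the question mentions.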
