How to impersonate logged in user to manage other Azure service

Views: 91

Problem description


I have a web app to make changes in ADF (kind of a deployment of objects in ADF). I want to authenticate the user against ADF. I am able to detect who is accessing the web app. I get an Azure AD ID like user1@company.com. I want to validate whether the same user has access to ADF and, if yes, generate a bearer token to make changes in ADF (using the REST API) or using the SDK.

Solution

You can use the way below to get the access token when the user logs in to the web app. There is no need to validate whether the same user has access to ADF, because if he does not have the access, the token will not be able to call the REST API and he will get a 401 Unauthorized error.

1.First, make sure you have configured your web app to use Azure AD login, then navigate to the resource explorer -> find your web app -> add ["resource=https://management.azure.com"] to additionalLoginParams like below -> PUT.

2.Navigate to Azure Active Directory in the portal -> App registrations -> find the AD App corresponding to your web app -> API permissions -> add the permission user_impersonation of Azure Service Management like below.

3.Then, when the user logs in to the web app, after he consents to the permissions, you can get the token from the endpoint https://webappname.azurewebsites.net/.auth/me and use the token to call the Data Factory REST API.

4.Make sure the user has an RBAC role e.g. Contributor in your subscription/ADF, then the token will be able to call the rest api successfully.

For example, I tested with the Pipelines - List By Factory API, and it works fine.
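The four steps above, carried through in code as an added example that is not part of the answer or the poster's web app: an idempotent edit of the Easy Auth `authsettings` properties (step 1, the `additionalLoginParams` PUT done in Resource Explorer), selection of the `aad` identity from a `/.auth/me` response with an audience and expiry check on the returned token (step 3), and the Pipelines - List By Factory call with the two failure modes a practitioner has to tell apart: ARM answers 401 when the token itself is unusable (wrong audience, expired) and 403 (`AuthorizationFailed`) when the token is fine but the user has no RBAC role on the factory (step 4). The subscription, resource group and factory names, the `/.auth/me` payload, the unsigned JWT and the stand-in HTTP transport are all constructed so the example runs offline; the `authsettings` shape is assumed to be the classic (v1) App Service authentication config the answer edits.

```python
"""Consume the Easy Auth access token described in the answer and call
Azure Data Factory with it.  Added example, not the answer's own code.
Constructed: the /.auth/me payload, the unsigned JWT, the fake ARM transport
and all resource names.  Assumed: classic (v1) authsettings property names."""
import base64
import json
import time
from typing import Callable, List, Optional, Tuple
from urllib import error, request

ARM_RESOURCE = "https://management.azure.com"
ADF_API_VERSION = "2018-06-01"  # API version used by Pipelines - List By Factory


def add_arm_login_param(auth_settings: dict) -> dict:
    """Step 1: make Easy Auth request an ARM-scoped token at login by adding
    resource=<ARM> to additionalLoginParams (no duplicate if already present)."""
    props = auth_settings.setdefault("properties", {})
    params = props.setdefault("additionalLoginParams", [])
    wanted = f"resource={ARM_RESOURCE}"
    if wanted not in params:
        params.append(wanted)
    return auth_settings


def _jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.  We only read
    claims for diagnostics; ARM validates the signature on its side."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def arm_token_from_auth_me(auth_me: List[dict], now: Optional[float] = None) -> str:
    """Step 3: pick the aad entry from GET /.auth/me and reject tokens that
    ARM would refuse anyway (wrong audience or expired) before using them."""
    now = time.time() if now is None else now
    for ident in auth_me:
        if ident.get("provider_name") != "aad":
            continue
        token = ident["access_token"]
        claims = _jwt_payload(token)
        aud = str(claims.get("aud", "")).rstrip("/")  # ARM issues aud with a trailing slash
        if aud != ARM_RESOURCE:
            raise ValueError(f"token audience {aud!r} is not ARM; check additionalLoginParams")
        if claims.get("exp", 0) <= now:
            raise ValueError("ARM token expired; call /.auth/refresh and read /.auth/me again")
        return token
    raise ValueError("no aad identity in /.auth/me response")


def _urllib_http(req: request.Request) -> Tuple[int, str]:
    """Real transport: status code and body, also for 4xx responses."""
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()


def list_pipelines(token: str, subscription_id: str, resource_group: str,
                   factory: str, http: Optional[Callable] = None) -> List[str]:
    """Step 4: Pipelines - List By Factory with the user's bearer token.
    401 -> ARM rejected the token; 403 -> user lacks an RBAC role on the factory."""
    url = (f"{ARM_RESOURCE}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.DataFactory/factories/{factory}/pipelines"
           f"?api-version={ADF_API_VERSION}")
    req = request.Request(url, headers={"Authorization": f"Bearer {token}"})
    status, body = (http or _urllib_http)(req)
    if status == 401:
        raise PermissionError("401: ARM rejected the token (audience, expiry or issuer)")
    if status == 403:
        raise PermissionError("403: user has no RBAC role (e.g. Contributor) on the factory")
    if status != 200:
        raise RuntimeError(f"unexpected {status}: {body[:200]}")
    return [p["name"] for p in json.loads(body).get("value", [])]


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo (signature is junk)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample of what GET /.auth/me returns after the user consented.
SAMPLE_AUTH_ME = [{
    "provider_name": "aad",
    "user_id": "user1@company.com",
    "access_token": _fake_jwt({"aud": "https://management.azure.com/",
                               "upn": "user1@company.com",
                               "exp": 4102444800}),  # 2100-01-01, never expires for the demo
    "user_claims": [{"typ": "name", "val": "User One"}],
}]


def fake_arm(status: int, pipelines: Tuple[str, ...] = ()) -> Callable:
    """Stand-in transport so the example runs without an Azure subscription."""
    body = json.dumps({"value": [{"name": n} for n in pipelines]})
    return lambda req: (status, body)


if __name__ == "__main__":
    tok = arm_token_from_auth_me(SAMPLE_AUTH_ME)
    print(list_pipelines(tok, "0000-sub", "rg-adf", "adf-demo", http=fake_arm(200, ("copy", "load"))))
```

Wiring this into a real web app means replacing `fake_arm` with the default `urllib` transport and reading `/.auth/me` with the user's session cookie (or the `X-ZUMO-AUTH` header); the audience check catches the most common misconfiguration, a Graph-scoped token returned because step 1 was skipped, before it surfaces as an opaque 401 from ARM.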

