Azure Automation: Runbook, RunAs Account: How to allow access to AAD (e.g. for Get-AzADUser)?
Question

Good afternoon,

I have selected Stack Overflow for this question because it is probably mainly programmers who are confronted with it:
If we call Get-AzADUser to get all AAD users in an Azure Automation Runbook, we get the error 'Insufficient privileges'.
- We have an Automation Account with an "Azure Run As Account".
- In the PowerShell Runbook we call:
# Connect to AAD
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
$account = Connect-AzAccount -ServicePrincipal `
-TenantId $Conn.TenantID `
-ApplicationId $Conn.ApplicationID `
-CertificateThumbprint $Conn.CertificateThumbprint
# Get All AAD Users
$AllADUsers = Get-AzADUser
- If we start the Runbook, we get the error message:
> Get-AzADUser : Insufficient privileges to complete the operation.
> FullyQualifiedErrorId :
> Microsoft.Azure.Commands.ActiveDirectory.GetAzureADUserCommand
This is the permission configuration:
- The Automation Account has "Run as accounts" set to »Azure Run As Account (and not an Azure Classic Run As Account). In fact, "Azure Run As Account" is misleading: it is a Registered App and can be found under Azure App registrations.
- The Registered App has these settings:
  » A custom role with all permissions.
  » API permissions:
    Microsoft Graph (6)
    Delegated   Directory.AccessAsUser.All
    Delegated   Directory.ReadWrite.All
    Delegated   User.ReadWrite.All
    Application Directory.ReadWrite.All
    Application User.Export.All
    Application User.ReadWrite.All
  » All API permissions are granted for our tenant.
Unfortunately, we still get the error 'Insufficient privileges'.

Thank you very much for your help!

Kind regards, Thomas
Accepted answer
According to some tests, you need to add the permissions of Azure AD, not Microsoft Graph. It seems the Get-AzADUser command uses Azure AD Graph in the backend, not Microsoft Graph. So we need to do the operations as below:
After that we can use the command Get-AzADUser successfully (if you test the command in PowerShell, when you add the Azure AD permission, please close PowerShell, reopen it and reconnect to avoid the impact of the cache).
I tested it on my side; it shows the same error as yours, and it can get the users successfully after adding this permission. Hope it helps~
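The following runbook is an added example and is not code from the question or the answer above. It connects with the Run As connection exactly as the question does, then lists which API (Azure AD Graph or Microsoft Graph) each of the Run As application's permissions was granted against, so the mismatch the answer describes shows up in the job output before Get-AzADUser is even called. It assumes the Az.Accounts and Az.Resources modules are imported into the Automation Account (Get-AzADAppPermission ships in newer Az.Resources releases), that the standard AzureRunAsConnection exists, and uses the well-known application IDs of the two Graph APIs; the function names Connect-RunAs, Show-RunAsApiPermissions and Get-AllAadUsersSafely are hypothetical names chosen for this example.

```powershell
# Added example, not from the original question or answer.
# Assumes: Az.Accounts + Az.Resources imported into the Automation Account,
# an "AzureRunAsConnection" connection asset, and a Run As app whose
# permissions the caller is allowed to read.

# Well-known resource application IDs (the API a permission is granted on).
$AadGraphAppId = '00000002-0000-0000-c000-000000000000'   # Azure AD Graph (legacy)
$MsGraphAppId  = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph

# Hypothetical helper: same connection sequence as in the question.
function Connect-RunAs {
    $Conn = Get-AutomationConnection -Name AzureRunAsConnection
    Connect-AzAccount -ServicePrincipal `
        -TenantId $Conn.TenantID `
        -ApplicationId $Conn.ApplicationID `
        -CertificateThumbprint $Conn.CertificateThumbprint | Out-Null
    return $Conn
}

# Hypothetical helper: print every API permission on the Run As app together
# with the API it targets, and return $true only if at least one application
# ("Role") permission on Azure AD Graph is present.
function Show-RunAsApiPermissions {
    param([Parameter(Mandatory)][string]$ApplicationId)

    $perms = Get-AzADAppPermission -ApplicationId $ApplicationId
    foreach ($p in $perms) {
        $api = switch ($p.ApiId) {
            $AadGraphAppId { 'Azure AD Graph' }
            $MsGraphAppId  { 'Microsoft Graph' }
            default        { "Other ($($p.ApiId))" }
        }
        # $p.Type is 'Role' (application) or 'Scope' (delegated); $p.Id is the permission GUID.
        Write-Output ("{0,-16} {1,-6} {2}" -f $api, $p.Type, $p.Id)
    }

    $hasAadGraphRole = @($perms | Where-Object {
        $_.ApiId -eq $AadGraphAppId -and $_.Type -eq 'Role'
    }).Count -gt 0

    if (-not $hasAadGraphRole) {
        Write-Warning "App $ApplicationId has no application permission on Azure AD Graph; Get-AzADUser is expected to fail with 'Insufficient privileges'."
    }
    return $hasAadGraphRole
}

# Hypothetical helper: turn the non-terminating error into a clear, actionable failure.
function Get-AllAadUsersSafely {
    try {
        return Get-AzADUser -ErrorAction Stop
    }
    catch {
        if ($_.Exception.Message -match 'Insufficient privileges') {
            throw "Get-AzADUser was denied. Grant the Run As application a permission on the Azure AD Graph API and admin-consent it; Microsoft Graph permissions alone do not help this cmdlet."
        }
        throw
    }
}

$Conn = Connect-RunAs
$null = Show-RunAsApiPermissions -ApplicationId $Conn.ApplicationID
$AllADUsers = Get-AllAadUsersSafely
Write-Output "Retrieved $($AllADUsers.Count) user(s)."
```

Running this as a test job makes the permission inventory part of the job output, so an operator reviewing a failed run sees immediately that only Microsoft Graph permissions were granted rather than having to guess from the generic 'Insufficient privileges' message.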