Azure Automation: Runbook, RunAs Account: How to allow access to AAD (e.g. for Get-AzADUser)?


Question

Good afternoon,

I have selected stackoverflow for this question because probably mainly programmers are confronted with this question:

If we call Get-AzADUser to get all AAD users in the Azure Automation Runbook, then we get: Error 'Insufficient privileges'

  1. We have an Automation Account with an "Azure Run As Account"
  2. In the PowerShell Runbook we call:

    # Connect to AAD
    $Conn = Get-AutomationConnection -Name AzureRunAsConnection
    $account = Connect-AzAccount -ServicePrincipal `
               -TenantId $Conn.TenantID  `
               -ApplicationId $Conn.ApplicationID  `
               -CertificateThumbprint $Conn.CertificateThumbprint
    # Get All AAD Users
    $AllADUsers = Get-AzADUser

  3. If we start the Runbook, we get the error message:

> Get-AzADUser : Insufficient privileges to complete the operation.
> FullyQualifiedErrorId :
> Microsoft.Azure.Commands.ActiveDirectory.GetAzureADUserCommand

Here is the permission configuration:

  1. The Automation Account has set Run as accounts » Azure Run As Account (and not an Azure Classic Run As Account)
  2. In fact, "Azure Run As Account" is misleading: it is a Registered App and can be found in Azure App registrations
  3. The Registered App has these settings:

» A custom role with all permissions.

» API permissions:

Microsoft Graph (6)
Delegated    Directory.AccessAsUser.All
Delegated    Directory.ReadWrite.All
Delegated    User.ReadWrite.All
Application  Directory.ReadWrite.All
Application  User.Export.All
Application  User.ReadWrite.All

» All API permissions are granted for our tenant

Unfortunately, we still get the error 'Insufficient privileges'

Thank you very much for your help!

Kind regards, Thomas

Accepted answer

According to some tests, you need to add the permissions of Azure AD, not Microsoft Graph. It seems the Get-AzADUser command uses Azure AD Graph in the backend, not Microsoft Graph. So we need to do the operations as below:

After that we can use the command Get-AzADUser successfully (if you test the command in PowerShell, when you add the Azure AD permission, please close the PowerShell window, reopen it and re-connect to avoid the impact of the cache).

I tested it on my side; it shows the same error as yours, and it can get the users successfully after adding this permission. Hope it helps~
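A diagnostic version of the question's Runbook, added here as an example; it is not code from the question or the answer above. It assumes the same connection name (AzureRunAsConnection) and records the installed Az.Resources version, because which directory API Get-AzADUser calls, and therefore which API permissions the app registration needs, depends on that version.

```powershell
# Added example, not the original poster's Runbook.
# Assumes the Run As connection is named AzureRunAsConnection, as in the question.

# Authenticate as the Run As service principal (same call as the question).
$Conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
$null = Connect-AzAccount -ServicePrincipal `
            -TenantId $Conn.TenantID `
            -ApplicationId $Conn.ApplicationID `
            -CertificateThumbprint $Conn.CertificateThumbprint

# Record which Az.Resources version the sandbox loads: it decides whether
# Get-AzADUser talks to Azure AD Graph or Microsoft Graph, and so which API
# permissions the app registration must carry.
$resMod = Get-Module -Name Az.Resources -ListAvailable |
          Sort-Object Version -Descending | Select-Object -First 1
Write-Output "Az.Resources version in use: $($resMod.Version)"

try {
    # Make the cmdlet's error terminating so the catch block actually runs.
    $AllADUsers = Get-AzADUser -ErrorAction Stop
    Write-Output "Directory read succeeded: $(@($AllADUsers).Count) user(s) returned"
}
catch {
    if ($_.Exception.Message -match 'Insufficient privileges') {
        # Authentication worked (Connect-AzAccount succeeded); the directory API
        # rejected the read. Subscription RBAC roles do not grant directory reads:
        # the app registration needs an admin-consented *application* permission
        # on the directory API this module version uses.
        $msg = ("Directory read denied for app {0} in tenant {1}. " +
                "Check the app registration's API permissions (application type, " +
                "admin consent granted) for the directory API used by Az.Resources {2}.") -f `
               $Conn.ApplicationID, $Conn.TenantID, $resMod.Version
        Write-Error $msg
    }
    else {
        # Any other failure is unrelated to this permission problem; surface it unchanged.
        throw
    }
}
```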

