是否可以将系统管理的身份分配给需要用户分配的Azure AD企业应用程序? [英] Is it possible to assign a system managed identity to an Azure AD Enterprise Application that requires user assignment?

问题描述

我有一个Azure功能应用程序，该应用程序使用通过Azure门户配置的集成Azure AD身份验证.

通过快递"模式设置，这将与企业应用程序一起创建一个Azure应用程序注册.

默认情况下，此企业应用程序接受所有用户.因此，这意味着租户中的所有用户都可以触发受保护的Azure功能，这不是我想要的.

我的目标是允许租户中具有托管身份的某些用户和某些Azure资源(例如应用程序服务)触发该功能.

因此，我转到Azure Function应用程序的企业应用程序设置，将其属性更改为需要用户分配".然后，在用户/组"下，我可以添加允许进行身份验证的用户/组.

在这里，我发现我只能添加普通的AAD用户.托管身份服务主体(即系统为我的App Service分配了托管身份主体)未显示在列表上.

我还没有尝试过用户分配的托管身份.但是我更喜欢使用系统分配的托管身份.

这是受支持的方案吗?

解决方案

是的，您可以，但是要将MSI(本质上是服务主体)添加到企业应用程序的 Users and groups 中，与添加用户/组不同，您需要利用

2.使用下面的Powershell将应用角色分配给您的MSI(托管身份)，替换< appservice-name> 和&function; functionapp-name> .

确保已安装

完成上述步骤后，导航至 Users and groups ，您会发现MSI已添加到其中.

在这种情况下，您还有另一种方法，只需

I have an Azure Function app that uses the integrated Azure AD Authentication configured via the Azure portal.

Via the "Express" mode setup, this creates an Azure App Registration along with Enterprise Application.

By default, this Enterprise Application accepts all users. So that means all users in the tenant can trigger the protected Azure Functions, which is not what I wanted.

My goal is to allow certain users and certain Azure resources in the tenant which have Managed Identities, such as an App Service, to trigger the function.

So I go to the Enterprise Application settings of the Azure Function app, changed its properties to "User Assignment Required". Then under Users/Groups, I can add users/groups that are allowed to authenticate.

Here I found out that I can only add regular AAD users. The managed identity service principals (i.e., the system assigned managed identity principals for my App Service) do not show up on the list.

I have not tried user-assigned managed identities. But I prefer using system-assigned managed identities.

Is this a supported scenario?

解决方案

Yes, you can, but to add the MSI(essentially a service principal) to the Users and groups of an enterprise application, it is different from adding a user/group, you need to leverage the azure ad app role.

Please follow the steps below.

1.Navigate to Azure Active Directory in the portal -> App registrations -> search for your function app name with the filter All applications -> click it -> App roles | Preview -> Create app role -> create the role like below -> Apply.

2.Use the powershell below to give the app role to your MSI(managed identity), replace the <appservice-name> and <functionapp-name>.

Make sure you have installed the AzureAD powershell module and have enough permission to assign the app role(this step is unavailable in azure portal).

Connect-AzureAD
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '<appservice-name>'"
$funapp = Get-AzureADServicePrincipal -Filter "displayName eq '<functionapp-name>'"
$PermissionName = "Function.Test"
$approle = $funapp.AppRoles | Where-Object {$_.Value -eq $PermissionName}
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $funapp.ObjectId -Id $approle.Id

After doing the steps above, navigate to the Users and groups, you will find the MSI is added to it.

In this case, you also have another way, just create a security group in AAD and add the MSI service principal as a member to it, then add the group to the Users and groups, then the MSI will also be able to call the function.

So in conclusion, you have two solutions, you could choose the preferred way.

1. Leverage the App role

2. Leverage the AAD Group

To call the function successfully, also make sure you set the function with Anonymous.

Navigate to the httptrigger in your function app, set the Authorization level to Anonymous, because we have configured AAD auth.

这篇关于是否可以将系统管理的身份分配给需要用户分配的Azure AD企业应用程序?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！