MSI Permissions for Graph API


Problem description


My question is, do we have any documented method of granting a Manage Service Identity permissions to the Graph API as we would with an Azure App Registration in the portal? I was unable to find any Powershell options or ability to manage permissions for the MSI service principal in the Azure Portal or documentation. I found a similar question on MSDN forums, but wanted to make sure there were not any further updates or workarounds that anybody knew of?


MSDN Forum Post: https://social.msdn.microsoft.com/Forums/azure/en-US/dae34534-f193-4444-b52e-ba9cfa4a1fda/does-azure-msi-support-accessing-graph-api?forum=WindowsAzureAD

Recommended answer


Disclaimer - I'm not overly familiar with MSIs, but as they are modeled as service principals, this should work. Also I'm not able to validate these steps.


These steps require that you use Azure AD PowerShell (v2) to assign application permissions to your MSI (to access Microsoft Graph), and that you are an administrator or app admin in your tenant. For Microsoft Graph, the documented permissions can be found here. The same instructions could be used for other resources secured by Azure AD too. I'll assume that you've already installed the PowerShell module.

  1. Connect-AzureAD to connect PS to Azure AD. Enter your admin creds.
  2. $graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" to find the service principal representing Microsoft Graph and assign it to a variable. The service principal for Microsoft Graph is currently created just in time on first access, so there is a possibility it doesn't exist. It can be created by calling New-AzureADServicePrincipal -AppId "00000003-0000-0000-c000-000000000000".
  3. $graph.AppRoles - this will show you all the available application permissions that you can choose from that are exposed by Microsoft Graph. For example if your MSI needs to read group information, find the "Group.Read.All" permission from the list, and make a note of its permission Id (it's a GUID). For example here's one of the records from the AppRoles list:
       AllowedMemberTypes : {Application}
       Description        : Allows the app to read events of all calendars without a signed-in user.
       DisplayName        : Read calendars in all mailboxes
       Id                 : 798ee544-9d2d-430c-a058-570e29e34338
       IsEnabled          : True
       Value              : Calendars.Read
  4. Find your MSI's objectId (assuming you don't know it, but that you do know its clientId/appId): $msi = Get-AzureADServicePrincipal -Filter "AppId eq '{Your_MSI_appId}'"
  5. For each of the permissions your MSI needs, run the following PS cmdlet to assign the permission to your MSI (the cmdlet also requires -ObjectId, the principal receiving the role, which for an MSI is the same object as -PrincipalId): New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Id {permissionId} -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId


And that should do it. You should now be able to acquire an access token for your MSI to call Microsoft Graph, and the access token should contain a roles claim that matches the permissions (ids) that you've assigned above. You can then use that access token to call Microsoft Graph. This is similar to steps 6 and 7 in https://docs.microsoft.com/en-us/azure/active-directory/msi-overview.

Hope this helps,
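The five steps of the answer above as one idempotent PowerShell script, added here as an example; it is not part of the original question or answer. It assumes the AzureAD (v2) module the answer uses, that Connect-AzureAD has already been run by a tenant admin or application admin, and that you know the managed identity's appId; the function names and the default permission Group.Read.All are illustrative choices. Beyond the answer's steps it resolves permissions by Value instead of a copied GUID, restricts the match to enabled application roles (these apply tenant-wide with no signed-in user, so grant only what the identity needs), skips roles that are already assigned so re-runs are safe, and verifies the result twice: from the Graph resource side with Get-AzureADServiceAppRoleAssignment, and, on the VM that owns the identity, by decoding the roles claim of a token obtained from the IMDS endpoint (that claim carries the permission values, e.g. Group.Read.All). Note that New-AzureADServiceAppRoleAssignment requires -ObjectId in addition to -PrincipalId; for an MSI both are the MSI's own objectId. Caveat: the AzureAD module is being retired in favour of the Microsoft Graph PowerShell SDK, where New-MgServicePrincipalAppRoleAssignment is the equivalent cmdlet.

```powershell
# Added example (not from the original post): grant a managed identity (MSI) application permissions
# on Microsoft Graph with the AzureAD v2 module, idempotently, and verify the result.
# Assumptions: Connect-AzureAD has already been run as a tenant admin / application admin; the
# function names and the default permission 'Group.Read.All' are illustrative choices.

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

function Get-GraphServicePrincipal {
    # The Graph SP is created just in time on first access, so create it if it is still missing.
    $graph = Get-AzureADServicePrincipal -Filter "AppId eq '$GraphAppId'"
    if (-not $graph) { $graph = New-AzureADServicePrincipal -AppId $GraphAppId }
    $graph
}

function Get-MsiGraphAppRoleAssignments {
    param([Parameter(Mandatory)] $Graph, [Parameter(Mandatory)] $Msi)
    # Queried from the resource (Graph) side: every principal assigned to one of Graph's app roles,
    # narrowed to our MSI. The .Id of each assignment is the app role (permission) GUID.
    Get-AzureADServiceAppRoleAssignment -ObjectId $Graph.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $Msi.ObjectId }
}

function Grant-MsiGraphAppRoles {
    param(
        [Parameter(Mandatory)] [string] $MsiAppId,                  # clientId/appId of the managed identity
        [string[]] $Permissions = @('Group.Read.All')               # application permission values to grant
    )
    $graph = Get-GraphServicePrincipal
    $msi   = Get-AzureADServicePrincipal -Filter "AppId eq '$MsiAppId'"
    if (-not $msi) { throw "No service principal found for appId $MsiAppId" }

    $existingIds = @(Get-MsiGraphAppRoleAssignments -Graph $graph -Msi $msi | ForEach-Object { [string]$_.Id })

    foreach ($value in $Permissions) {
        # Resolve by Value rather than a hardcoded GUID, and insist on an enabled *application* role:
        # these apply tenant-wide with no signed-in user, so grant only what the identity needs.
        $role = $graph.AppRoles | Where-Object {
            $_.Value -eq $value -and $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'Application')
        }
        if (-not $role) { throw "Microsoft Graph exposes no enabled application permission '$value'" }

        if ($existingIds -contains [string]$role.Id) {
            Write-Host "Already assigned: $value ($($role.Id))"
            continue
        }
        # -ObjectId is the principal receiving the role; for an MSI it is the same as -PrincipalId.
        New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId `
            -ResourceId $graph.ObjectId -Id $role.Id | Out-Null
        Write-Host "Assigned: $value ($($role.Id))"
    }

    # Report what the MSI now holds, mapping role GUIDs back to their permission values.
    $valueById = @{}
    foreach ($r in $graph.AppRoles) { $valueById[[string]$r.Id] = $r.Value }
    Get-MsiGraphAppRoleAssignments -Graph $graph -Msi $msi |
        ForEach-Object { [pscustomobject]@{ AppRoleId = [string]$_.Id; Permission = $valueById[[string]$_.Id] } }
}

function Get-MsiGraphTokenRoles {
    # Run on the Azure VM that owns the identity: fetch a Graph token from IMDS and return the
    # 'roles' claim, which lists the granted permission values (e.g. Group.Read.All).
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=https://graph.microsoft.com/'
    $token = (Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Metadata = 'true' }).access_token

    # Decode the JWT payload (base64url) for inspection only; this does not validate the signature.
    $payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    $claims.roles   # empty until the assignment has propagated and a fresh token is issued
}

# Usage (admin workstation):  Connect-AzureAD; Grant-MsiGraphAppRoles -MsiAppId '<your MSI appId>'
# Usage (on the VM):          Get-MsiGraphTokenRoles
```

Tokens cached by the identity endpoint are not reissued immediately, so an empty roles claim right after the assignment is expected; request a new token after the cached one expires before concluding the grant failed.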
