将 Microsoft Graph 权限分配给 Azure 托管服务标识 [英] Assigning Microsoft Graph permissions to Azure Managed Service Identity

问题描述

我正在尝试为我的 Azure 逻辑应用程序的 Azure 托管服务标识分配权限，但遇到了错误.

我使用的是 2.0.1.16 版本的 AzureAD powershell 模块.

我所做的如下:

1. 创建逻辑应用
2. 在该逻辑应用的工作流设置中生成 Azure 托管服务标识.
3. 执行下面的 PowerShell 为 group.readwrite.all 角色分配托管服务标识.

它首先抛出一个拒绝访问错误，随后的尝试将抛出一个InvalidRequest"错误.我是全局管理员，对资源组具有完全访问权限(它是一个基本的开发租户，我拥有完全权限)

我已经在不同的租户上尝试过.有没有人能让这个工作?

 PS C:Usersmarkp>$msi = 获取 AzureADServicePrincipal |?{$_.DisplayName -ieq "test"}PS C:Usersmarkp>$麦PS C:Usersmarkp>$msiObjectId AppId 显示名称-------- ----- ------------8d87a1f9-fab0-45a9-a6f3-1e93b2d99b52 032c3c1c-2530-4eae-b390-153e3b0eb3c6 测试PS C:Usersmarkp>$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"PS C:Usersmarkp>$图表ObjectId AppId 显示名称-------- ----- ------------5a634981-6bbe-4c81-9aef-185a71df56f7 00000003-0000-0000-c000-000000000000 Microsoft GraphPS C:Usersmarkp>$角色 = $graph.AppRoles |?{$_.Value -imatch "group.read.all" }PS C:Usersmarkp>$角色AllowedMemberTypes:{应用程序}说明:允许应用读取群组属性和成员资格，以及读取日历和对话 f或所有组，没有登录用户.DisplayName : 读取所有组编号:5b567255-7703-4780-807c-7be8301ae99b已启用:真值:Group.Read.AllPS C:Usersmarkp>新 AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectIdNew-AzureADServiceAppRoleAssignment:执行 NewServicePrincipalAppRoleAssignment 时出错代码:Authorization_RequestDenied消息:权限不足，无法完成操作.HttpStatusCode:禁止HttpStatusDescription: 禁止HttpResponseStatus:已完成在行:1 字符:1+ 新 AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Principa ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException+ FullyQualifiedErrorId:Microsoft.Open.AzureAD16.Client.ApiException，Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignmentPS C:Usersmarkp>新 AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectIdNew-AzureADServiceAppRoleAssignment:执行 NewServicePrincipalAppRoleAssignment 时出错代码:Request_BadRequest消息:一个或多个属性无效.请求 ID:57ef7908-dd8b-4a21-b48e-f2692d324264日期时间戳:格林威治标准时间 2018 年 9 月 28 日星期五 14:36:55HttpStatusCode:错误请求HttpStatusDescription:错误请求HttpResponseStatus:已完成在行:1 字符:1+ 新 AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Principa ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException+ FullyQualifiedErrorId:Microsoft.Open.AzureAD16.Client.ApiException，Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment

解决方案

初始设置

我设置了一个名为test"的新逻辑应用程序.在我的试用订阅中，就像您在上面解释的一样，并通过工作流程设置为其启用了 MSI.然后我使用了与上面完全相同的 PowerShell 命令.

解释正在发生的两件最重要的事情

1. 第一次运行 - 即使您收到错误代码:Authorization_RequestDenied，添加新角色分配的操作实际上已经完成了它的工作.添加了新的权限.(我将在下面的部分中提供一些证据)

2. 第一次运行后的后续运行 - 您收到代码错误:Request_BadRequest，因为您尝试添加的权限/角色分配已在第一次运行中添加.

证据

1. PowerShell 脚本完全来自您的帖子.

2. 这些查询仅适用于 Azure AD 图形资源管理器(而不是新的 Microsoft 图形资源管理器).此外，查询是区分大小写的，因此即使是很小的差异也会产生影响.

   您基本上可以在第一次运行 PowerShell 脚本之前和之后查看服务主体的角色分配，以查看实际添加了所需的权限(我创建了一个新的逻辑应用程序，其中没有任何内容，只启用了 MSI测试这部分)

Azure AD 图形查询:

Azure AD 图形查询:https://graph.windows.net/{tenant Id}/servicePrincipals/{MSI 服务主体 ID}/appRoleAssignments在您的情况下，{MSI 服务主体 ID} 为 8d87a1f9-fab0-45a9-a6f3-1e93b2d99b52.

在使用上述查询首次运行 New-AzureADServiceAppRoleAssignment 之前为 MSI 服务主体分配角色.

使用上述查询首次运行 New-AzureADServiceAppRoleAssignment 后 MSI 服务主体的角色分配.

另一个相关但略有不同的 SO 帖子

I'm trying to assign permissions to an Azure Managed Service Identity for my Azure Logic App, but am running into errors.

I'm using the 2.0.1.16 version of the AzureAD powershell module.

What I have done is the following:

1. Create a logic app
2. Generate a Azure Managed Service Identity in the workflow settings of that logic app.
3. Execute the PowerShell below to assign the group.readwrite.all role the the managed service identity.

It first throws an access denied error, and subsequent tries will throw a "InvalidRequest" Error. I'm a global administrator, and have full access to the resource group (it is a basic dev tenant where I have full permissions)

I have tried it on different tenants. Has anyone been able to get this to work?

    PS C:Usersmarkp> $msi = Get-AzureADServicePrincipal | ?{$_.DisplayName -ieq "test"}
PS C:Usersmarkp> $mai
PS C:Usersmarkp> $msi

ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
8d87a1f9-fab0-45a9-a6f3-1e93b2d99b52 032c3c1c-2530-4eae-b390-153e3b0eb3c6 TEST


PS C:Usersmarkp> $graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
PS C:Usersmarkp> $graph

ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
5a634981-6bbe-4c81-9aef-185a71df56f7 00000003-0000-0000-c000-000000000000 Microsoft Graph


PS C:Usersmarkp> $role = $graph.AppRoles | ?{$_.Value -imatch "group.read.all" }
PS C:Usersmarkp> $role


AllowedMemberTypes : {Application}
Description        : Allows the app to read group properties and memberships, and read the calendar and conversations f
                     or all groups, without a signed-in user.
DisplayName        : Read all groups
Id                 : 5b567255-7703-4780-807c-7be8301ae99b
IsEnabled          : True
Value              : Group.Read.All



PS C:Usersmarkp> New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Principa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ
   icePrincipalAppRoleAssignment

PS C:Usersmarkp> New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Request_BadRequest
Message: One or more properties are invalid.
RequestId: 57ef7908-dd8b-4a21-b48e-f2692d324264
DateTimeStamp: Fri, 28 Sep 2018 14:36:55 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Principa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ
   icePrincipalAppRoleAssignment

解决方案

Initial Setup

I setup a new logic app named "test" in my trial subscription just like you have explained above and enabled the MSI for it through workflow settings. Then I used the exact same PowerShell commands that you have above.

Explanation of two most important things that are happening

1. First Run - Even though you get error with Code: Authorization_RequestDenied, the operation of adding new role assignments has actually done it's work. New permissions have been added. (I'll give a little evidence on this in section below)

2. Subsequent Runs after the first run - You get an error with Code: Request_BadRequest, because the permissions/role assignments you're trying to add had already been added in the first run.

Evidence

1. PowerShell Scripts exactly from your post.

2. These queries worked for me only from Azure AD Graph Explorer (and NOT the new Microsoft Graph Explorer). Also, queries are case sensitive, so even a small difference will effect.

   You can basically look at the role assignments for the Service Principal, before and after running your PowerShell script the first time to see that the required permissions actually get added (I created a new logic app with nothing in it and just MSI enabled to test this part)

Azure AD Graph Query:

Azure AD Graph Query: https://graph.windows.net/{tenant Id}/servicePrincipals/{MSI Service Principal ID}/appRoleAssignments
    
{MSI Service Principal ID} is 8d87a1f9-fab0-45a9-a6f3-1e93b2d99b52 in your case.

Role Assignments for the MSI Service Principal BEFORE the first run of New-AzureADServiceAppRoleAssignment using above query.

Role Assignments for the MSI Service Principal AFTER the first run of New-AzureADServiceAppRoleAssignment using above query.

Another SO Post which is related but slightly different

This SO post mentions almost the same PowerShell scripts that you are using. Interesting thing being it looks like scripts worked without error for many people as well. But notice the last comment by user Olandese

这篇关于将 Microsoft Graph 权限分配给 Azure 托管服务标识的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！