几个 Azure AD.New-MsolServicePrincipal : 拒绝访问 [英] Several Azure AD. New-MsolServicePrincipal : Access Denied
问题描述
我想将我的 Azure Active Directory 设置为 SharePoint 2013 Foundation 的身份提供者.我从属于另一个基础架构(我公司的基础架构)的帐户激活了 Azure 试用版.所以我现在拥有的:
I want to set my Azure Active Directory as an identity provider for SharePoint 2013 Foundation. I activated Azure trial from account that is a part of another infrastructure (my company's infrastructure). So what i have now:
- 安装了 SharePoint 2013 Foundation 的 Azure VM.由我创建用于测试目的
- Azure Active Directory 是我公司基础架构的一部分.我什至没有任何权限查看它.但我看到它,因为我的公司使用它
- Azure Active Directory 以我为全局管理员 (my-ad-name).由我创建用于测试目的
- 访问控制服务.由我创建用于测试目的
所以按照文章 使用 Microsoft Azure Active Directory 进行 SharePoint 2013 身份验证 我得到错误
So following the article Using Microsoft Azure Active Directory for SharePoint 2013 authentication i get error
PS C:Users u1> New-MsolServicePrincipal -ServicePrincipalNames @("https://my-ad-name.accesscontrol.windo
ws.net/") -DisplayName "Test ACS Namespace" -Addresses $replyUrl
The following symmetric key was created as one was not supplied m2XQJAeUKEQztjn/sEDJwy8TbG8jPxpw6cemkm8Fnkw=
New-MsolServicePrincipal : Access Denied. You do not have permissions to call this cmdlet.
At line:1 char:1
+ New-MsolServicePrincipal -ServicePrincipalNames @("https://my-ad-name.accesscon ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [New-MsolServicePrincipal], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Admini
stration.Automation.NewServicePrincipal
可能是因为我没有权限使用 Azure AD 吗?有没有办法仅将访问控制服务与我需要的 AD 连接起来?
May that be because of the Azure AD that I don't have rights on? Are there ways to connect Access Control Service only with the AD i need?
推荐答案
当您使用 Connect-MsolService 连接到 Azure AD PowerShell 时,您用于登录的用户名将定义您正在工作的目录in. 不能使用外部用户(最初来自第二个目录中的一个目录的用户).
When you connect to Azure AD PowerShell using Connect-MsolService, the username you use to sign in will define which directory you are working in. External users (users originally from one directory present in a second directory) cannot be used.
例如,假设您在一个目录中拥有用户 bob@contoso.com,我们将通过已验证的域名 contoso.com 来识别该目录.如果 bob@contoso.com 使用 Azure 门户创建新目录(此处由其初始域名 fabrikam.onmicrosoft.com 标识),则第一个用户(和管理员) 将是一个外部用户 bob@contoso.com.
Say, for instance, you have user bob@contoso.com, in a directory which we'll identify by the verified domain name contoso.com. If bob@contoso.com uses the Azure portal to create a new directory (identified here by it's initial domain name fabrikam.onmicrosoft.com), the first user (and admin) will be an external user bob@contoso.com.
为了在 fabrikam.onmicrosoft.com 的上下文中连接到 Azure AD PowerShell,需要在该目录中创建一个新本机"用户.因此,例如,如果在 fabrikam.onmicrosoft.com 中将 admin@fabrikam.onmicrosoft.com 创建为管理员,则该新用户帐户将能够登录Azure AD PowerShell 并创建一个新的服务主体.
In order to connect to Azure AD PowerShell in the context of fabrikam.onmicrosoft.com, a new "native" user needs to be created in that directory. So, for instance, if admin@fabrikam.onmicrosoft.com is created as an admin in fabrikam.onmicrosoft.com, that new user account would be able to sign in to Azure AD PowerShell and create a new service principal.
注意:您始终可以使用 Get-MsolCompanyInformation 来确认您在哪个目录中工作.
Note: You can always confirm which directory you're working in by using Get-MsolCompanyInformation.
这篇关于几个 Azure AD.New-MsolServicePrincipal : 拒绝访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
