将自定义角色分配给 Azure Active Directory System 托管标识 [英] Assign custom role to Azure Active Directory System managed identity

问题描述

为了在 APIS 之间建立 Azure AD 系统托管标识，我在应用程序的清单中为我的目标 API 定义了一个自定义角色.

appRoles":[{允许的成员类型":[应用"],description":允许应用程序读取所有事物本身."，displayName":阅读所有内容"，id":86a914fa-a862-4962-9975-be5c9a05dca3"，isEnabled":真，语言":空，来源":应用程序"，价值":Things.Read.All"}

现在我想将此角色分配给要调用它的 api，以便我可以在从 AzureServiceTokenProvider 收到的访问令牌中验证它.问题是我在应用注册中没有看到系统分配的身份.

在标识(声明系统分配标识的位置)Azure 角色分配"下有一个按钮，可用于添加角色分配.这里有一个可用的角色列表.我正在寻找我定义的自定义角色，它不在下拉列表中.

如何将定义的角色分配给系统身份，以便它可以访问它被允许的一个或多个 API，而不再访问?我希望在访问令牌中获得这个角色.这是正确的期望吗?

解决方案

你定义的是一个

而 {principalId-value} 将是 Azure 资源托管标识的 ID.在这里找到它:

{appRoleId-value} 是您在清单中创建的应用角色的 ID.

您可以使用管理员帐户登录

然后你会发现app角色(应用权限)已经被授予了.

Working to establish Azure AD system managed identity between APIS, I have defined a custom role for my target API in the manifest of the application.

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "Allow the application to read all things as itself.",
        "displayName": "Read all things",
        "id": "86a914fa-a862-4962-9975-be5c9a05dca3",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Things.Read.All"
    }

Now I want to assign this role to my api that is going to call it so I can validate it in the access token received from AzureServiceTokenProvider. Problem is that I don't see the System Assigned identity in the app registration.

There is a button under Identity (Where System Assigned Identity is declared) 'Azure Role Assignments' which leads to Add Role assignment. There is a list of Roles available here. I was looking for the custom role I have defined, it is not in the drop down.

How to assign the defined role to the system identity so it can access the api or apis that it is allowed and no more? I expect to get this role in the access token. Is this the correct expectation?

解决方案

What you have defined is an app role. But "Azure Role Assignments" is for assigning role for subscription. They are totally 2 different things.

You can use Microsoft Graph API to Grant an appRoleAssignment to a service principal.

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

In this example, {id} and {resourceId-value} would both be the object id of the resource service principal, which is the enterprise app associated with the Azure AD app you have created appRoles in. You can find it like this:

And {principalId-value} would be the id of the Azure resource managed identity. Find it here:

{appRoleId-value} is the id of the app role you created in manifest.

You could use an admin account to log into Microsoft Graph Explorer to call Microsoft Graph API.

If you want to verify if the result is successful, please navigate to Azure Portal -> Azure Active Directory -> Enterprise applications -> All Applications. Enter the name of the Azure resource.

Then you will find the app role (application permission) has been granted.

这篇关于将自定义角色分配给 Azure Active Directory System 托管标识的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！