Azure 服务主体可以更新自己的密码吗? [英] Can Azure Service Principal Update Its Own Passwords?

问题描述

我需要使用 Azure 服务主体以编程方式:
1. 添加/删除其他服务主体的密码，以及
2.为自己添加/删除密码

1 很容易做到.

但由于以下错误，我似乎无法执行 2.#2可能吗?如何?

graphrbac.PasswordCredentialsUpdateParameters 失败:graphrbac.ApplicationsClient#UpdatePasswordCredentials:响应请求失败:StatusCode=403 - 原始错误:autorest/azure:服务返回错误.状态=403 代码="未知" 消息="未知服务错误"详细信息=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"权限不足，无法完成操作."},"requestId":"<ID>"}}]

解决方案

#2 可能吗?怎么样?

是的，这是可能的.

只需将您的服务主体添加到

删除密码(成功时不返回内容):

$password = Get-AzureADApplicationPasswordCredential -ObjectId 删除-AzureADApplicationPasswordCredential -ObjectId <ObjectId>-KeyId $password.KeyId

此外，您可以查看我的测试示例和门户中的屏幕截图，确保服务主体为自己添加/删除密码.

I need to use an Azure service principal to programmatically:
1. add/delete passwords for other services principal , and
2. add/delete passwords for itself

1 is easy to do.

But I can't seem to do 2 due to the following error. Is #2 possible? How?

graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" 
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]

解决方案

Is #2 possible? How?

Yes, it is possible.

Just add your service principal to the Application Administrator directory role in your tenant, no need to add other permissions, it will work(there may be some delay).

Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name(service principal name) -> select it -> Select.

My test sample:

I test it with powershell, in other languages, it should also work.

Add password:

Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>

Remove password(it returns no content when successful):

$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId

Besides, you could check the screenshot in my test sample and that in the portal, make sure the service principal add/delete passwords for itself.

这篇关于Azure 服务主体可以更新自己的密码吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！