Azure permissions over microsoft.aadiam/diagnosticSettings/write


Problem description


I'm trying to call above API provider via REST with the following URL: https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings with api-version=2017-04-01-preview

However, even though the Service Principal I am using is a member of the "Global Administrator" role in my AAD tenant, I am getting a "does not have authorization to perform action" error.

This endpoint doesn't seem to be documented though. Anybody know what is required to call this API endpoint with a service principal?

Thanks, David

Solution

I tested it with a global administrator user, and it works correctly for me.

The following are the detailed steps:

1. Create a native Azure AD application and grant permissions to it.

2. Create a global administrator user; please also change the default password.

Note: the user format should be xxxx@xxx.onmicrosoft.com, or you can't use the password way to get the token, based on my test.

3. Assign the Owner role on the subscription.

4. Then we can use the following way to get the access token:

POST https://login.windows.net/<tenant-id>/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&resource={resource}
&username={username}
&password={password}
&client_id={client-id}

5. Try to operate the diagnosticSettings:

PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview

{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {"days": 0, "enabled": false}
      },
      {
        "category": "SignInLogs",
        "enabled": false,
        "retentionPolicy": {"days": 0, "enabled": false}
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"
  }
}
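The two calls from the answer above, driven end to end in Python, as an added example that is not part of the original question or answer. It assumes the token audience (`resource`) is `https://management.azure.com/`, which the answer leaves as a placeholder, and it goes one step beyond the answer by parsing the ARM error envelope so the `AuthorizationFailed` response the question reports is recognised rather than swallowed. Network I/O goes through a `send(method, url, headers, body)` seam; `make_fake_send` is a constructed stand-in for both endpoints (its responses, error codes and message text are made up to mirror the page), and `urllib_send` is the real transport. The tenant, user, client and storage account values in the `__main__` block are placeholders.

```python
"""Offline walk-through of the answer's two REST calls:
  1. POST https://login.windows.net/<tenant-id>/oauth2/token   (password grant)
  2. PUT  https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}
"""
import json
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2017-04-01-preview"


def build_token_request(tenant_id, username, password, client_id, resource=ARM + "/"):
    """Form body for the v1 token endpoint, field for field as in the answer.
    Assumption: the audience for management.azure.com calls is ARM itself."""
    url = f"https://login.windows.net/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "password", "resource": resource,
                                   "username": username, "password": password,
                                   "client_id": client_id})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def build_diagnostic_settings_request(name, storage_account_id, audit_logs=True, signin_logs=False):
    """Tenant-level resource: the URL carries no /subscriptions/... prefix."""
    url = f"{ARM}/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version={API_VERSION}"
    body = {"properties": {
        "logs": [{"category": "AuditLogs", "enabled": audit_logs,
                  "retentionPolicy": {"days": 0, "enabled": False}},
                 {"category": "SignInLogs", "enabled": signin_logs,
                  "retentionPolicy": {"days": 0, "enabled": False}}],
        "metrics": [],
        "storageAccountId": storage_account_id}}
    return url, body


def arm_error_code(status, text):
    """ARM failures arrive as {"error": {"code": ..., "message": ...}}; return the code."""
    if status < 400:
        return None
    try:
        return json.loads(text)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        return f"HTTP{status}"


def configure_aad_diagnostics(send, tenant_id, username, password, client_id, name, storage_account_id):
    """Token, then PUT; report which step failed and the ARM error code, if any."""
    url, headers, body = build_token_request(tenant_id, username, password, client_id)
    status, text = send("POST", url, headers, body)
    if status != 200:
        return {"step": "token", "status": status, "error": arm_error_code(status, text)}
    token = json.loads(text)["access_token"]
    url, body = build_diagnostic_settings_request(name, storage_account_id)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = send("PUT", url, headers, json.dumps(body))
    return {"step": "diagnosticSettings", "status": status, "error": arm_error_code(status, text)}


def urllib_send(method, url, headers, body):
    """Real transport: standard library only, HTTP errors returned rather than raised."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def make_fake_send(principal_has_owner):
    """Constructed stand-in for both endpoints. It issues a token to any password
    grant with the ARM audience, and answers the PUT with 200 only when that token
    is presented and the simulated principal holds the role; otherwise it returns
    the 'does not have authorization to perform action' error from the question."""
    token = "constructed-token"

    def send(method, url, headers, body):
        if method == "POST" and url.startswith("https://login.windows.net/"):
            form = urllib.parse.parse_qs(body)
            if form.get("grant_type") != ["password"] or form.get("resource") != [ARM + "/"]:
                return 400, json.dumps({"error": "invalid_request"})
            return 200, json.dumps({"access_token": token, "token_type": "Bearer"})
        if method == "PUT" and url.startswith(f"{ARM}/providers/microsoft.aadiam/diagnosticSettings/"):
            if headers.get("Authorization") != f"Bearer {token}":
                return 401, json.dumps({"error": {"code": "InvalidAuthenticationToken", "message": "constructed"}})
            if not principal_has_owner:
                msg = "does not have authorization to perform action 'microsoft.aadiam/diagnosticSettings/write'"
                return 403, json.dumps({"error": {"code": "AuthorizationFailed", "message": msg}})
            return 200, body
        return 404, json.dumps({"error": {"code": "NotFound", "message": url}})
    return send


if __name__ == "__main__":
    storage = "/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"
    for has_owner in (False, True):
        print("owner" if has_owner else "no-owner",
              configure_aad_diagnostics(make_fake_send(has_owner), "<tenant-id>",
                                        "admin@contoso.onmicrosoft.com", "<password>",
                                        "<client-id>", "aad-audit", storage))
```

Run it as is to see the failing and succeeding paths against the fake; swap `make_fake_send(...)` for `urllib_send` to hit the real endpoints with your own values. The password grant puts an administrator's password in the client and cannot complete an MFA challenge, which is why the `send` seam takes any token-issuing call rather than hard-wiring that flow.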
