使用服务主体身份验证从 azure 函数中读取 AD 组
Read AD group from azure function using service principal authentication
我想使用 azure 函数使用 powershell 脚本读取和列出特定 AD 组的成员。要连接 AD,我正在使用服务主体。连接到 AzureAD 是成功的,但是尝试访问 AD 组时出现错误(在这个阶段我只想获取一个特定的组并回显它):
System.Management.Automation.RemoteException: Error occurred while executing GetGroups
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: <requestID>
DateTimeStamp: Mon, 14 Oct 2019 20:40:26 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
为什么会这样?有人在 azure 函数中使用过 azuread 模块命令吗?我已授予此应用程序的 ms graph 权限:
$Script={
param ()
##Save AzureAD module to the modules folder before publishing
Import-Module .\modules\AzureAD
$appId = "<AppId>"
$thumb = "<CertThumb>"
$tenantId = "TenantID"
Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumb
$groupName = "<Name of the group>"
$group = Get-AzureADGroup -SearchString $groupName
#or
#$group = Get-AzureADGroup -ObjectId "<object id>"
echo $group
}
&$env:64bitPowerShellPath -WindowStyle Hidden -NonInteractive -Command $Script
请注意,我的代码被包装到 $Script 变量中,并添加了最后一行以使代码作为临时解决方法工作,直到 AD 模块将被添加到 PS 核心:
https://github.com/Azure/azure-functions-powershell-worker/issues/232
根据您提供的图片,您已经为服务主体分配了一些图 API 权限。在你这样做之后,你可以用服务主体调用一些图 API。如果要使用带有服务主体的 Azure AD PowerShell 模块来管理 Azure AD,则需要将 Azure AD 角色分配给服务主体。详情请参考https://docs.microsoft.com/en-us/powershell/azure/active-directory/signing-in-service-principal?view=azureadps-2.0.
关于如何创建服务主体和分配角色,请参考以下脚本。
# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD
# Create the self signed cert
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
$pwd = "<password>"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd
# Load the certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
# Create the Service Principal and connect it to the Application
$sp = New-AzureADServicePrincipal -AppId $application.AppId
# Give the Service Principal Reader access to the current tenant (Get-AzureADDirectoryRole)
#Regarding the Azure AD role, please refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-delegate-by-task
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "role name"}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
正如另一个回复中提到的,将服务主体添加为目录角色是一种方法,但您应该注意它会给您的服务主体其他权限,例如create group、delete group。
实际上问题是您授予了错误的权限,您需要授予 Azure Active Directory Graph 与 Directory.Read.All 应用程序权限而不是 Microsoft Graph,因为命令 Get-AzureADGroup 本质上调用 Azure Active Directory Graph.
注意:在本地测试命令时,授予权限后,关闭您的powershell会话并打开一个新会话,再次登录并运行命令。如果您 运行 正在运行该功能,请重新启动该功能应用程序以确保权限已受到影响。
我想使用 azure 函数使用 powershell 脚本读取和列出特定 AD 组的成员。要连接 AD,我正在使用服务主体。连接到 AzureAD 是成功的,但是尝试访问 AD 组时出现错误(在这个阶段我只想获取一个特定的组并回显它):
System.Management.Automation.RemoteException: Error occurred while executing GetGroups
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: <requestID>
DateTimeStamp: Mon, 14 Oct 2019 20:40:26 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
为什么会这样?有人在 azure 函数中使用过 azuread 模块命令吗?我已授予此应用程序的 ms graph 权限:
$Script={
param ()
##Save AzureAD module to the modules folder before publishing
Import-Module .\modules\AzureAD
$appId = "<AppId>"
$thumb = "<CertThumb>"
$tenantId = "TenantID"
Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumb
$groupName = "<Name of the group>"
$group = Get-AzureADGroup -SearchString $groupName
#or
#$group = Get-AzureADGroup -ObjectId "<object id>"
echo $group
}
&$env:64bitPowerShellPath -WindowStyle Hidden -NonInteractive -Command $Script
请注意,我的代码被包装到 $Script 变量中,并添加了最后一行以使代码作为临时解决方法工作,直到 AD 模块将被添加到 PS 核心: https://github.com/Azure/azure-functions-powershell-worker/issues/232
根据您提供的图片,您已经为服务主体分配了一些图 API 权限。在你这样做之后,你可以用服务主体调用一些图 API。如果要使用带有服务主体的 Azure AD PowerShell 模块来管理 Azure AD,则需要将 Azure AD 角色分配给服务主体。详情请参考https://docs.microsoft.com/en-us/powershell/azure/active-directory/signing-in-service-principal?view=azureadps-2.0.
关于如何创建服务主体和分配角色,请参考以下脚本。
# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD
# Create the self signed cert
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
$pwd = "<password>"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd
# Load the certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
# Create the Service Principal and connect it to the Application
$sp = New-AzureADServicePrincipal -AppId $application.AppId
# Give the Service Principal Reader access to the current tenant (Get-AzureADDirectoryRole)
#Regarding the Azure AD role, please refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-delegate-by-task
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "role name"}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
正如另一个回复中提到的,将服务主体添加为目录角色是一种方法,但您应该注意它会给您的服务主体其他权限,例如create group、delete group。
实际上问题是您授予了错误的权限,您需要授予 Azure Active Directory Graph 与 Directory.Read.All 应用程序权限而不是 Microsoft Graph,因为命令 Get-AzureADGroup 本质上调用 Azure Active Directory Graph.
注意:在本地测试命令时,授予权限后,关闭您的powershell会话并打开一个新会话,再次登录并运行命令。如果您 运行 正在运行该功能,请重新启动该功能应用程序以确保权限已受到影响。