未授权 (401) 列出 MS Graph 中服务主体的同步作业 API
Unauthorized (401) listing synchronization jobs for service principal in MS Graph API
我正在尝试使用 MS Graph API 通过这些 instructions but I am having trouble calling this endpoint 在 Powershell 中使用客户端凭据配置 Azure AD Connect Cloud Sync:
https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs
我可以使用 Graph Explorer 成功调用它,但在 Powershell 中使用应用程序权限和客户端密码身份验证时运气不好。我收到 401 未经授权的错误。我可以调用其他端点,例如:
https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID} # no /synchronization/jobs at the end
该应用程序具有 API 权限:Directory.ReadWrite.All 和 Application.ReadWrite.OwnedBy(应用程序)权限已由管理员授予:
以下是我用于验证的代码的详细信息:
$Body = @{
'tenant' = $TenantId
'client_id' = $ClientId
'scope' = 'https://graph.microsoft.com/.default'
'client_secret' = $ClientSecret
'grant_type' = 'client_credentials'
}
$Params = @{
'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
'Method' = 'Post'
'Body' = $Body
'ContentType' = 'application/x-www-form-urlencoded'
}
$AuthResponse = Invoke-RestMethod @Params
这就是我对端点的称呼:
$Headers = @{
'Authorization' = "Bearer $($AuthResponse.access_token)"
}
$Params = @{
Uri = "https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs"
Method = 'Get'
ContentType = 'application/json'
Headers = $Headers
}
$res = Invoke-RestMethod @Params
错误:
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized
如果我使用 Graph Explorer 中的标记,它会起作用...
我从 Powershell 解码的令牌包含此“角色”部分,但没有像 Graph Explorer 令牌中的“scp”:
"roles": [
"Application.ReadWrite.OwnedBy",
"Directory.ReadWrite.All"
],
混淆的完整令牌:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{TENANT_ID}/",
"iat": 1629836586,
"nbf": 1629836586,
"exp": 1629840486,
"aio": "{AIO}",
"app_displayname": "AppForAdConnect2",
"appid": "{APPID}",
"appidacr": "1",
"idp": "https://sts.windows.net/{TENANT_ID}/",
"idtyp": "app",
"oid": "{OID}",
"rh": "{RH}",
"roles": [
"Application.ReadWrite.OwnedBy",
"Directory.ReadWrite.All"
],
"sub": "{SUB}",
"tenant_region_scope": "NA",
"tid": "{TENANT_ID}",
"uti": "{UTI}",
"ver": "1.0",
"wids": [
"{WID}"
],
"xms_tcdt": 1584535155
}
感谢您的帮助!
我尝试使用以下脚本为您的服务主体提供的相同权限,它成功地为我提供了输出。
$TenantName = "<your azure AD tenant primary domain here (ex-abc.onmicrosoft.com)>"
$clientID = "Application (client) ID of the registered App here"
$clientSecret = "client secret for the app"
$Scope = "https://graph.microsoft.com/.default"
$Body = @{
Grant_Type = "client_credentials"
Scope = $Scope
client_Id = $clientID
Client_Secret = $clientSecret
}
$authUri = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
$TokenResponse = Invoke-RestMethod -Uri $authUri -Method POST -Body $Body
$spobject = "ServicePrincipalObjectID that was returned after you did post operation in the document"
$Headers = @{
"Authorization" = "Bearer $($TokenResponse.access_token)"
"Content-type" = "application/json"
}
$apiUri = "https://graph.microsoft.com/beta/servicePrincipals/$spobject/synchronization/jobs"
$response = Invoke-RestMethod -Headers $Headers -Uri $apiUri -Method GET
$response
这与我从 Graph Explorer 获得的输出相同。
注意:如果您在 serviceprincipalobjectID 中使用突出显示的对象 ID(下图 1),它将抛出 401 错误,而不是您必须转到企业应用程序并使用 objectID (下图 2)显示在那里。
更新:
如前所述,我们无法使用 AD2AADSync 服务主体的客户端凭据执行上述操作,但我们可以使用另一种方式执行这些操作。
我们可以使用 Microsoft Graph Powershell SDK :
第 1 步: 使用以下命令在 powershell 中安装模块
Install-Module Microsoft.Graph
第 2 步: 将上述模块的配置文件设置为 beta,因为我们将使用它来获取同步作业。
Select-MgProfile -Name "beta"
第 3 步: 使用以下脚本获取同步作业的值。
Connect-MgGraph -Scopes "Application.ReadWrite.All","Directory.ReadWrite.All"
$value = Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId "AD2AADSync_service_principal_objectId"
$value
$value.Status
输出:
参考:
好的,所以解决方案是将角色“混合身份管理员”添加到服务主体或用于调用端点“synchronization/jobs”的用户。出于某种原因,这个应用程序模板需要这个额外的角色,API 权限不够。
我正在尝试使用 MS Graph API 通过这些 instructions but I am having trouble calling this endpoint 在 Powershell 中使用客户端凭据配置 Azure AD Connect Cloud Sync:
https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs
我可以使用 Graph Explorer 成功调用它,但在 Powershell 中使用应用程序权限和客户端密码身份验证时运气不好。我收到 401 未经授权的错误。我可以调用其他端点,例如:
https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID} # no /synchronization/jobs at the end
该应用程序具有 API 权限:Directory.ReadWrite.All 和 Application.ReadWrite.OwnedBy(应用程序)权限已由管理员授予:
以下是我用于验证的代码的详细信息:
$Body = @{
'tenant' = $TenantId
'client_id' = $ClientId
'scope' = 'https://graph.microsoft.com/.default'
'client_secret' = $ClientSecret
'grant_type' = 'client_credentials'
}
$Params = @{
'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
'Method' = 'Post'
'Body' = $Body
'ContentType' = 'application/x-www-form-urlencoded'
}
$AuthResponse = Invoke-RestMethod @Params
这就是我对端点的称呼:
$Headers = @{
'Authorization' = "Bearer $($AuthResponse.access_token)"
}
$Params = @{
Uri = "https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs"
Method = 'Get'
ContentType = 'application/json'
Headers = $Headers
}
$res = Invoke-RestMethod @Params
错误:
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized
如果我使用 Graph Explorer 中的标记,它会起作用... 我从 Powershell 解码的令牌包含此“角色”部分,但没有像 Graph Explorer 令牌中的“scp”:
"roles": [
"Application.ReadWrite.OwnedBy",
"Directory.ReadWrite.All"
],
混淆的完整令牌:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{TENANT_ID}/",
"iat": 1629836586,
"nbf": 1629836586,
"exp": 1629840486,
"aio": "{AIO}",
"app_displayname": "AppForAdConnect2",
"appid": "{APPID}",
"appidacr": "1",
"idp": "https://sts.windows.net/{TENANT_ID}/",
"idtyp": "app",
"oid": "{OID}",
"rh": "{RH}",
"roles": [
"Application.ReadWrite.OwnedBy",
"Directory.ReadWrite.All"
],
"sub": "{SUB}",
"tenant_region_scope": "NA",
"tid": "{TENANT_ID}",
"uti": "{UTI}",
"ver": "1.0",
"wids": [
"{WID}"
],
"xms_tcdt": 1584535155
}
感谢您的帮助!
我尝试使用以下脚本为您的服务主体提供的相同权限,它成功地为我提供了输出。
$TenantName = "<your azure AD tenant primary domain here (ex-abc.onmicrosoft.com)>"
$clientID = "Application (client) ID of the registered App here"
$clientSecret = "client secret for the app"
$Scope = "https://graph.microsoft.com/.default"
$Body = @{
Grant_Type = "client_credentials"
Scope = $Scope
client_Id = $clientID
Client_Secret = $clientSecret
}
$authUri = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
$TokenResponse = Invoke-RestMethod -Uri $authUri -Method POST -Body $Body
$spobject = "ServicePrincipalObjectID that was returned after you did post operation in the document"
$Headers = @{
"Authorization" = "Bearer $($TokenResponse.access_token)"
"Content-type" = "application/json"
}
$apiUri = "https://graph.microsoft.com/beta/servicePrincipals/$spobject/synchronization/jobs"
$response = Invoke-RestMethod -Headers $Headers -Uri $apiUri -Method GET
$response
这与我从 Graph Explorer 获得的输出相同。
注意:如果您在 serviceprincipalobjectID 中使用突出显示的对象 ID(下图 1),它将抛出 401 错误,而不是您必须转到企业应用程序并使用 objectID (下图 2)显示在那里。
更新:
如前所述,我们无法使用 AD2AADSync 服务主体的客户端凭据执行上述操作,但我们可以使用另一种方式执行这些操作。
我们可以使用 Microsoft Graph Powershell SDK :
第 1 步: 使用以下命令在 powershell 中安装模块
Install-Module Microsoft.Graph
第 2 步: 将上述模块的配置文件设置为 beta,因为我们将使用它来获取同步作业。
Select-MgProfile -Name "beta"
第 3 步: 使用以下脚本获取同步作业的值。
Connect-MgGraph -Scopes "Application.ReadWrite.All","Directory.ReadWrite.All"
$value = Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId "AD2AADSync_service_principal_objectId"
$value
$value.Status
输出:
参考:
好的,所以解决方案是将角色“混合身份管理员”添加到服务主体或用于调用端点“synchronization/jobs”的用户。出于某种原因,这个应用程序模板需要这个额外的角色,API 权限不够。