Reading AD groups from an Azure Function using service principal authentication

Question Votes: 0 Answers: 2

I want to read and list the members of a specific AD group with a PowerShell script running in an Azure Function. To connect to AD I am using a service principal. Connecting to Azure AD succeeds, but trying to access the AD group gives me an error (at this stage I only want to fetch one specific group and echo it):

System.Management.Automation.RemoteException: Error occurred while executing GetGroups 
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: <requestID>
DateTimeStamp: Mon, 14 Oct 2019 20:40:26 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed

Why does this happen? Has anyone used the AzureAD module commands inside an Azure Function? I have granted MS Graph permissions to this app (see screenshot).

$Script = {
    param ()
    ## Save the AzureAD module to the modules folder before publishing
    Import-Module .\modules\AzureAD

    $appId    = "<AppId>"
    $thumb    = "<CertThumb>"
    $tenantId = "<TenantId>"
    Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumb

    $groupName = "<Name of the group>"

    $group = Get-AzureADGroup -SearchString $groupName
    # or
    # $group = Get-AzureADGroup -ObjectId "<object id>"

    echo $group
}

&$env:64bitPowerShellPath -WindowStyle Hidden -NonInteractive -Command $Script

Note that my code is wrapped in the $Script variable and the last line was added so the code works as a temporary workaround until the AD module is added to PS Core: https://github.com/Azure/azure-functions-powershell-worker/issues/232

powershell azure-active-directory azure-functions azure-ad-graph-api
2 answers
0
votes

According to the picture you provided, you have assigned some Graph API permissions to the service principal. Having done that, you can call some Graph APIs with the service principal. If you want to use the Azure AD PowerShell module with a service principal to manage Azure AD, you need to assign an Azure AD role to the service principal. For more details, see https://docs.microsoft.com/en-us/powershell/azure/active-directory/signing-in-service-principal?view=azureadps-2.0

Regarding how to create the service principal and assign the role, refer to the following script.

# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD 

# Create the self-signed cert
$currentDate = Get-Date
$endDate     = $currentDate.AddYears(1)
$notAfter    = $endDate.AddYears(1)
$pwd         = "<password>"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -Cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd

# Load the certificate
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())


# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

# Create the Service Principal and connect it to the Application
$sp = New-AzureADServicePrincipal -AppId $application.AppId

# Give the Service Principal Reader access to the current tenant (Get-AzureADDirectoryRole)
# Regarding the Azure AD role, please refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-delegate-by-task
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "<role name>" }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

0
votes

As the other answer says, adding the service principal to a directory role is one way to do it, but you should be aware that it gives your service principal additional permissions, such as create group and delete group.

Actually, the problem is caused by granting the wrong permission: you need to grant the Directory.Read.All application permission for Azure Active Directory Graph, not Microsoft Graph, because the Get-AzureADGroup command essentially calls Azure Active Directory Graph.

(screenshot of the Azure AD Graph permission)

Note: when testing the command locally, after granting the permission, close your PowerShell session and open a new one, sign in again and run the command. If you run it in the function, you may need to restart the function app to make sure the permission takes effect.
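The following is an added example, not code from either answer. It implements the second answer's least-privilege alternative: from an admin Connect-AzureAD session it grants only the Azure AD Graph Directory.Read.All application role to the function's service principal (instead of a directory role) and then reports what the principal holds on each Graph resource, so a grant on the wrong API is visible. It assumes the placeholder `$functionAppId`, the well-known Graph application IDs, and that Get-AzureADServiceAppRoleAssignment on a resource service principal lists the assignments granted on that resource.

```powershell
# Added example: grant the Azure AD Graph Directory.Read.All *application* role to the
# function's service principal and report its Graph permissions. Run as a directory admin.

$functionAppId = "<AppId of the function's app registration>"   # placeholder

# Well-known application IDs of the two Graph resources; Get-AzureADGroup uses the first.
$aadGraphAppId = "00000002-0000-0000-c000-000000000000"   # Azure Active Directory Graph
$msGraphAppId  = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

$principalSp = Get-AzureADServicePrincipal -Filter "appId eq '$functionAppId'"
$resourceSp  = Get-AzureADServicePrincipal -Filter "appId eq '$aadGraphAppId'"
if (-not $principalSp -or -not $resourceSp) { throw "Service principal not found in this tenant" }

# Pick the application role (AllowedMemberTypes contains 'Application'), not the delegated scope.
$appRole = $resourceSp.AppRoles |
    Where-Object { $_.Value -eq "Directory.Read.All" -and $_.AllowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "Directory.Read.All application role not found on Azure AD Graph" }

# Idempotency check (assumed direction: assignments listed on the resource SP, filtered by principal).
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $principalSp.ObjectId -and $_.Id -eq $appRole.Id }

if ($existing) {
    Write-Output "Directory.Read.All on Azure AD Graph is already granted to $($principalSp.DisplayName)"
} else {
    # Creating the assignment is the admin consent for this single application permission.
    New-AzureADServiceAppRoleAssignment -ObjectId $principalSp.ObjectId `
        -PrincipalId $principalSp.ObjectId `
        -ResourceId $resourceSp.ObjectId `
        -Id $appRole.Id
    Write-Output "Granted Directory.Read.All (Azure AD Graph) to $($principalSp.DisplayName)"
}

# Report the application roles the principal holds on each Graph resource.
foreach ($appId in $aadGraphAppId, $msGraphAppId) {
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
    $roles = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
        Where-Object { $_.PrincipalId -eq $principalSp.ObjectId } |
        ForEach-Object { $roleId = $_.Id; ($sp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value }
    Write-Output "$($sp.DisplayName): $(($roles | Sort-Object -Unique) -join ', ')"
}
```

If the report shows Directory.Read.All only under Microsoft Graph, that is exactly the mismatch described in the answer; the function's new AAD Graph token will only carry the role after the function app is restarted.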
