我需要创建 powershell 代码来在 azure 订阅范围上添加 PIM 角色分配。 我准备了下面的代码:
$subscriptionid = "subID"
$tenantId = "tenantID"
$clientId = "ClientID"
$clientSecret = "ClientSecret"
$secureClientSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($clientId, $secureClientSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId $tenantId -Subscription $subscriptionid
Connect-MgGraph -TenantID $tenantId -ClientSecretCredential $credential
$auth_token = (Get-AzAccessToken).Token
我正在使用
$auth_token
,我注册的应用程序已添加到EntraID中的全局管理员组中。我正在尝试使用 Microsoft Graph Rest API(MS 文档 - Graph Rest API 文档)。我已经准备好了代码:
$body_json = @"
"roleDefinitionId": "Azure RBAC Contributor role ID",
"resourceId": "My Azure Subscription ID",
"subjectId": "My Entra ID group ID",
"assignmentState": "Eligible",
"type": "AdminAdd",
"schedule": {
"type": "Once",
"startDateTime": "2023-11-12T23:37:43.356Z",
"endDateTime": "2024-11-08T23:37:43.356Z"
}
"@
$response = Invoke-RestMethod -method POST `
-uri "https://graph.microsoft.com/privilegedAccess/azureResources/roleAssignmentRequests" `
-Body $body_json `
-Headers @{"Content-type"="application/json";"Authorization"="Bearer $auth_token"}
运行脚本后,我仍然面临错误代码
Invoke-RestMethod: {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2023-10-30T18:29:03","request-id":"cdbbd9ac-aead-4f5f-9e55-8013d4b6a554","client-request-id":"cdbbd9ac-aead-4f5f-9e55-8013d4b6a554"}}}
注意:要为组创建治理角色分配请求,应用程序或用户必须具有
委派 API 权限。PrivilegedAccess.ReadWrite.AzureADGroup
我分配了用户特权角色管理员,如下所示:
并直接使用以下脚本创建角色分配:
Connect-MgGraph -Scopes "Directory.AccessAsUser.All", "PrivilegedAccess.Read.AzureAD", "PrivilegedAccess.Read.AzureADGroup", "PrivilegedAccess.Read.AzureResources", "PrivilegedAccess.ReadWrite.AzureAD", "PrivilegedAccess.ReadWrite.AzureADGroup", "PrivilegedAccess.ReadWrite.AzureResources"
$params = @{
roleDefinitionId = "e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477"
resourceId = "226cf998-ddcc-4005-acfb-xxxx"
subjectId = "d0e182b5-0fed-4f44-9916-xxxx"
assignmentState = "Eligible"
type = "AdminAdd"
reason = "Assign an eligible role"
schedule = @{
startDateTime = [System.DateTime]::Parse("2023-10-31T02:19:11.77+05:30")
endDateTime = [System.DateTime]::Parse("2024-07-26T02:19:11.77+05:30")
type = "Once"
}
}
$privilegedAccessId= "aadRoles"
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
如果问题仍然存在,按照此SO线程中的SaurabhSharma的建议,将azureResources更改为aadroles
我尝试使用访问令牌和角色通过具有上述权限的 Rest API 创建治理角色分配请求,并且请求成功:
POST https://graph.microsoft.com/beta/privilegedAccess/aadRoles/roleAssignmentRequests
{
"resourceId": "226cf998-ddcc-4005-acfb-xxxx",
"roleDefinitionId": "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f",
"subjectId": "10468df0-7214-4ef8-8ec3-xxxx",
"type": "AdminAdd",
"assignmentState": "Eligible",
"schedule": {
"startDateTime": "2023-10-31T02:19:11.77+05:30",
"endDateTime": "2024-07-26T02:19:11.77+05:30",
"type": "Once"
}
}
参考:
用于使 AAD 角色分配请求不起作用的图形 API 调用 - Microsoft 问答,作者:Siva-kumar-selvaraj