Entra ID PIM - Powershell + Graph Rest API - 创建角色分配

问题描述 投票:0回答:1

我需要创建 powershell 代码来在 azure 订阅范围上添加 PIM 角色分配。 我准备了下面的代码:

$subscriptionid = "subID"
$tenantId = "tenantID"
$clientId = "ClientID"
$clientSecret = "ClientSecret"

$secureClientSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($clientId, $secureClientSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId $tenantId -Subscription $subscriptionid

Connect-MgGraph -TenantID $tenantId -ClientSecretCredential $credential
$auth_token = (Get-AzAccessToken).Token

我正在使用

$auth_token
,我注册的应用程序已添加到EntraID中的全局管理员组中。我正在尝试使用 Microsoft Graph Rest API(MS 文档 - Graph Rest API 文档)。我已经准备好了代码:

$body_json = @"
    "roleDefinitionId": "Azure RBAC Contributor role ID",
    "resourceId": "My Azure Subscription ID",
    "subjectId": "My Entra ID group ID",
    "assignmentState": "Eligible",
    "type": "AdminAdd",
    "schedule": {
      "type": "Once",
      "startDateTime": "2023-11-12T23:37:43.356Z",
      "endDateTime": "2024-11-08T23:37:43.356Z"
    }
"@

$response = Invoke-RestMethod -method POST `
    -uri "https://graph.microsoft.com/privilegedAccess/azureResources/roleAssignmentRequests" `
    -Body $body_json `
    -Headers @{"Content-type"="application/json";"Authorization"="Bearer $auth_token"}

运行脚本后,我仍然面临错误代码

Invoke-RestMethod: {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2023-10-30T18:29:03","request-id":"cdbbd9ac-aead-4f5f-9e55-8013d4b6a554","client-request-id":"cdbbd9ac-aead-4f5f-9e55-8013d4b6a554"}}}
azure-active-directory azure-powershell azure-rest-api
1个回答
0
投票

注意:要为组创建治理角色分配请求,应用程序或用户必须具有 

PrivilegedAccess.ReadWrite.AzureADGroup
委派 API 权限。

  • 不支持应用程序权限执行MsDoc的操作。因此,需要用户交互来创建角色分配。
  • 因此,如果您想使用 Azure AD 应用程序创建角色,请使用 代表用户访问流来生成访问令牌。
  • 确保访问令牌包含所需的范围。

我分配了用户特权角色管理员,如下所示:

enter image description here

并直接使用以下脚本创建角色分配:

Connect-MgGraph -Scopes "Directory.AccessAsUser.All", "PrivilegedAccess.Read.AzureAD", "PrivilegedAccess.Read.AzureADGroup", "PrivilegedAccess.Read.AzureResources", "PrivilegedAccess.ReadWrite.AzureAD", "PrivilegedAccess.ReadWrite.AzureADGroup", "PrivilegedAccess.ReadWrite.AzureResources"

$params = @{
    roleDefinitionId = "e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477"
    resourceId = "226cf998-ddcc-4005-acfb-xxxx"
    subjectId = "d0e182b5-0fed-4f44-9916-xxxx"
    assignmentState = "Eligible"
    type = "AdminAdd"
    reason = "Assign an eligible role"
    schedule = @{
        startDateTime = [System.DateTime]::Parse("2023-10-31T02:19:11.77+05:30")
        endDateTime = [System.DateTime]::Parse("2024-07-26T02:19:11.77+05:30")
        type = "Once"
    }
}

$privilegedAccessId= "aadRoles"
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

enter image description here

如果问题仍然存在,按照此SO线程中的SaurabhSharma的建议,将azureResources更改为aadroles

我尝试使用访问令牌和角色通过具有上述权限的 Rest API 创建治理角色分配请求,并且请求成功:

POST https://graph.microsoft.com/beta/privilegedAccess/aadRoles/roleAssignmentRequests

{
"resourceId": "226cf998-ddcc-4005-acfb-xxxx",
"roleDefinitionId": "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f",
"subjectId": "10468df0-7214-4ef8-8ec3-xxxx",
"type": "AdminAdd",
"assignmentState": "Eligible",
"schedule": {
"startDateTime": "2023-10-31T02:19:11.77+05:30",
"endDateTime": "2024-07-26T02:19:11.77+05:30",
"type": "Once"
}
}

enter image description here

参考:

用于使 AAD 角色分配请求不起作用的图形 API 调用 - Microsoft 问答,作者:Siva-kumar-selvaraj

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.