Confused about managed identities and access control

Question  Votes: 0  Answers: 1

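I'm a bit confused about how to control access using Azure app registrations. I'm experimenting and trying to clarify my understanding with a very basic example.

  • I created an Azure Data Factory resource (otesadf)
  • Created an app registration (testappreg); this process also created an applicationId and a secret

Under the role assignments of the ADF resource, testappreg is not listed, but I can create a token like this and create an instance of DataFactoryManagementClient: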

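        using Microsoft.Azure.Management.DataFactory;
        using Microsoft.Identity.Client;
        using Microsoft.Rest;

        var tenant = "tenant";
        var clientId = "client";
        var secret = "super_secret";

        // Client-credentials flow using the app registration's id and secret
        var client = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(secret)
            .WithAuthority($"https://login.windows.net/{tenant}")
            .Build();

        // Request an app-only token for the given scope
        var x = client.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" });
        var accessToken = x.ExecuteAsync().Result.AccessToken;

        // Wrap the raw token and hand it to the management client
        ServiceClientCredentials cred = new TokenCredentials(accessToken);
        var dmclient = new DataFactoryManagementClient(cred) { SubscriptionId = "sub_id" };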

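I expected this to fail, because I have not granted the application access to the ADF under role assignments.

Does it have something to do with using https://graph.microsoft.com/.default as the scope?

** EDIT **

Managed to get it working by doing this (note the scope of https://management.azure.com/.default)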

        var cred = new ClientSecretCredential(tenant, clientId, secret);
        var ctx = new TokenRequestContext(new string[] { "https://management.azure.com/.default" });
        var token = await cred.GetTokenAsync(ctx);
        var mgmtToken = new TokenCredentials(token.Token);
        var client = new DataFactoryManagementClient(mgmtToken) { SubscriptionId = "SUB_ID" };
        var response = await client.Pipelines.CreateRunWithHttpMessagesAsync(
            "test",
            "otestadf",
            "foobar");

azure azure-active-directory
1 answer
0
votes

The scope is incorrect; it needs to be https://management.azure.com/.default

        var cred = new ClientSecretCredential(tenant, clientId, secret);
        var ctx = new TokenRequestContext(new string[] { "https://management.azure.com/.default" });
        var token = await cred.GetTokenAsync(ctx);
        var mgmtToken = new TokenCredentials(token.Token);
        var client = new DataFactoryManagementClient(mgmtToken) { SubscriptionId = "SUB_ID" };
        var response = await client.Pipelines.CreateRunWithHttpMessagesAsync(
            "test",
            "otestadf",
            "foobar");
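
An added illustration, not code from the question or the answer: the scope passed to the token request determines the aud (audience) claim of the issued token, and an API only accepts tokens issued for itself. The helper below decodes a token's payload for inspection and compares its audience with a scope. The class and method names and the sample tokens are constructed for this example, and it assumes the audience is written as the resource URL.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenAudience
{
    // Decode the payload segment of a compact JWT without verifying it.
    // Inspection only: signature validation is done by the receiving API.
    static JsonElement ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        var s = parts[1].Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(s));
        return doc.RootElement.Clone();
    }

    // A "<resource>/.default" scope requests a token whose audience is <resource>.
    public static bool IsIssuedFor(string jwt, string scope)
    {
        const string suffix = "/.default";
        var resource = scope.EndsWith(suffix) ? scope[..^suffix.Length] : scope;
        if (!ReadPayload(jwt).TryGetProperty("aud", out var aud)) return false;
        if (aud.ValueKind != JsonValueKind.String) return false;
        return string.Equals(aud.GetString().TrimEnd('/'), resource.TrimEnd('/'),
                             StringComparison.OrdinalIgnoreCase);
    }

    // Constructed sample token (header.payload.signature); not a real credential.
    static string Sample(string aud)
    {
        static string B64(string t) => Convert.ToBase64String(Encoding.UTF8.GetBytes(t))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return B64("{\"alg\":\"none\"}") + "." +
               B64(JsonSerializer.Serialize(new { aud })) + ".sig";
    }

    static void Main()
    {
        const string armScope = "https://management.azure.com/.default";
        var graphToken = Sample("https://graph.microsoft.com");
        var armToken = Sample("https://management.azure.com");
        Console.WriteLine($"graph token usable for ARM: {IsIssuedFor(graphToken, armScope)}");
        Console.WriteLine($"ARM token usable for ARM:   {IsIssuedFor(armToken, armScope)}");
    }
}
```

Running the same check on a real token before handing it to DataFactoryManagementClient shows immediately whether it was requested with the wrong scope.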