I have a few Azure Automation runbooks that update dynamic distribution lists. To make this work, I granted the Azure Automation system-assigned managed identity permission to access and change Exchange Online using the steps here: https://learn.microsoft.com/en-us/powershell/exchange/connect-exo-powershell-management-identity?view=exchange-ps#step-4-grant-the-exchangemanageasapp-api-permission-for-your-managed-identity-to-call-exchange-online. These runbooks work as designed.
I am developing more automations using a separate automation account and managed identity. I want to confirm which managed identities have access to Exchange Online. How can I list which managed identities have permission to access Exchange Online? I have tried Get-MgServicePrincipalAppRoleAssignedTo, but that only lists Entra ID enterprise and registered applications, not Exchange Online.
Similarly, is there a way to list all permissions and roles assigned to an Azure Automation managed identity? I granted the new managed identity the User Administrator role in Entra ID, but that does not show up under the managed identity, although the managed identity is listed under the individual role.
Thank you for your time.
I enabled the system-assigned managed identity for the Automation account and granted it the Exchange API permission:
# App role ID of the Exchange.ManageAsApp application permission
$AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"
# Object ID of the Office 365 Exchange Online service principal in this tenant
$ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
# Object ID of the managed identity's service principal (replace the placeholder)
$MI_ID = "ManagedIdentityServicePrincipalObjID"
# Assign the app role to the managed identity on the Exchange Online resource
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID -AppRoleId $AppRoleID -ResourceId $ResourceID
To get the permissions assigned to a managed identity, use the following command:
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId ManagedIdentityServicePrincipalObjID | Select-Object -Property Id, AppRoleId, PrincipalDisplayName
To list the managed identities that have Exchange API / Office 365 Exchange Online permissions, use the following code:
# Define the Office 365 Exchange Online ResourceId
$ExchangeOnlineResourceId = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
# Retrieve all managed identities
$ManagedIdentities = Get-MgServicePrincipal -Filter "ServicePrincipalType eq 'ManagedIdentity'"
# Iterate over each managed identity
foreach ($ManagedIdentity in $ManagedIdentities) {
    $ServicePrincipalId = $ManagedIdentity.Id
    $AppRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId
    # Keep only the assignments whose resource is Exchange Online
    $ExchangeOnlinePermissions = $AppRoleAssignments | Where-Object { $_.ResourceId -eq $ExchangeOnlineResourceId }
    if ($ExchangeOnlinePermissions) {
        Write-Output "Managed Identity $($ManagedIdentity.DisplayName) (ID: $($ManagedIdentity.Id)) has Office 365 Exchange Online permissions:"
        $ExchangeOnlinePermissions | Select-Object -Property Id, AppRoleId, PrincipalDisplayName
        Write-Output ""
    }
}
I assigned the User Administrator role to the managed identity:
To retrieve the roles, use the following script:
$response = $null
# Transitive role assignments (beta endpoint) also include roles inherited through role-assignable groups;
# this query requires $count=true and the ConsistencyLevel: eventual header
$uri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq 'ManagedIdentityServicePrincipalObjID'"
$method = 'GET'
$headers = @{'ConsistencyLevel' = 'eventual'}
$response = (Invoke-MgGraphRequest -Uri $uri -Headers $headers -Method $method -Body $null).value
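As an added example (my own script, not part of the answer above), the following combines both checks into one audit over every managed identity in the tenant: each app role assignment is resolved to its permission name (for example Exchange.ManageAsApp) via the resource service principal's AppRoles, and each transitive directory role is resolved to its display name. It assumes the Microsoft.Graph PowerShell SDK with the read-only scopes Application.Read.All and RoleManagement.Read.Directory; the function name Resolve-AppRole is my own.

```powershell
# Added audit script (not from the original answer). Assumes the Microsoft.Graph SDK is installed
# and the signed-in account holds Application.Read.All and RoleManagement.Read.Directory.
Connect-MgGraph -Scopes 'Application.Read.All','RoleManagement.Read.Directory'

# Cache: resource service principal Id -> @{ DisplayName; Roles = (AppRoleId -> permission value) }
$resourceCache = @{}
function Resolve-AppRole {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
        $roles = @{}
        foreach ($r in $sp.AppRoles) { $roles[[string]$r.Id] = $r.Value }
        $resourceCache[$ResourceId] = @{ DisplayName = $sp.DisplayName; Roles = $roles }
    }
    $entry = $resourceCache[$ResourceId]
    [pscustomobject]@{ Resource = $entry.DisplayName; Permission = $entry.Roles[$AppRoleId] }
}

$headers = @{ 'ConsistencyLevel' = 'eventual' }
$report = foreach ($mi in Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity'" -All) {
    # Application permissions granted to the identity, e.g. Exchange.ManageAsApp on Office 365 Exchange Online
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All) {
        $p = Resolve-AppRole -ResourceId $a.ResourceId -AppRoleId $a.AppRoleId
        [pscustomobject]@{ ManagedIdentity = $mi.DisplayName; Id = $mi.Id; Kind = 'AppRole'; Resource = $p.Resource; Grant = $p.Permission }
    }
    # Entra directory roles, including ones inherited through role-assignable groups (beta endpoint)
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '$($mi.Id)'"
    foreach ($ra in (Invoke-MgGraphRequest -Method GET -Uri $uri -Headers $headers).value) {
        $def = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/$($ra.roleDefinitionId)"
        [pscustomobject]@{ ManagedIdentity = $mi.DisplayName; Id = $mi.Id; Kind = 'DirectoryRole'; Resource = 'Entra ID'; Grant = $def.displayName }
    }
}

$report | Sort-Object ManagedIdentity, Kind | Format-Table -AutoSize
# Surface the high-impact grants so they can be reviewed against what each runbook actually needs
$report | Where-Object { $_.Grant -in 'Exchange.ManageAsApp','User Administrator','Global Administrator' }
```

Because the report carries the resource display name, it directly answers which managed identities can reach Office 365 Exchange Online, and the directory-role rows cover the User Administrator case from the question.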