Can an AccessToken or Identity token be used as the credential for Connect-AzureAD / MS Graph?

Question Votes: 0 Answers: 1

I have a multi-tenant AzureAD application that invokes a number of PowerShell scripts in the context of the signed-in user of my web application.

Is it possible to pass the AccessToken or IDToken to the PowerShell script and have it create a session with the Connect-AzureAD cmdlet?

I see a Credential overload; maybe there is a way to use (or convert) the token into something usable with this parameter?

PS C:\Users> get-help connect-azuread -examples

NAME
Connect-AzureAD

SYNOPSIS
Connects with an authenticated account to use Active Directory cmdlet requests.


Example 1: Connect a PowerShell session to a tenant

PS C:\> Connect-AzureAD -Confirm

This command connects the current PowerShell session to an Azure Active Directory tenant. The command prompts you
for a username and password for the tenant you want to connect to. The Confirm parameter prompts you for
confirmation.

If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or
use service principal authentication.
Example 2: Connect a session using a variable

PS C:\> $Credential = Get-Credential
PS C:\> Connect-AzureAD -Credential $Credential

The first command gets the user credentials, and then stores them in the $Credential variable.

The second command connects the current PowerShell session using the credentials in $Credential.

This account authenticates with Azure Active Directory using organizational ID credentials. You cannot use
multi-factor authentication or Microsoft account credentials to run Azure Active Directory cmdlets with this
account.
Example 3: Connect a session as a service principal

# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD

# Create the self signed cert
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
$pwd = "<password>"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy
Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd

# Load the certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())


# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate
$currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

# Create the Service Principal and connect it to the Application
$sp=New-AzureADServicePrincipal -AppId $application.AppId

# Give the Service Principal Reader access to the current tenant (Get-AzureADDirectoryRole)
Add-AzureADDirectoryRoleMember -ObjectId 5997d714-c3b5-4d5b-9973-ec2f38fd49d5 -RefObjectId $sp.ObjectId

# Get Tenant Detail
$tenant=Get-AzureADTenantDetail
# Now you can login to Azure PowerShell with your Service Principal and Certificate
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId  $sp.AppId -CertificateThumbprint $thumb

This command authenticates the user to Azure Active Directory as a service principal.
asp.net-identity microsoft-graph azure-ad-b2c azure-powershell powershell-remoting
1 Answer

1 vote

Here is a simple example:

Connect-AzureAD `
       -TenantId {Tenant ID} `
       -AadAccessToken {AAD Graph Access Token} `
       -MsAccessToken {Microsoft Graph Access Token} `
       -AccountId {Your UPN}

Note that you must provide AadAccessToken, because you are connecting to the AAD module.

MsAccessToken is optional. But if you need to use some cmdlets that require Microsoft Graph permissions, you should provide MsAccessToken. One example is Get-AzureADPolicy.

Only access tokens can be used here. ID tokens are not supported.


1 vote

The last parameter set in the documentation syntax is the one with the AadAccessToken parameter.

Connect-AzureAD
       [-AzureEnvironmentName <EnvironmentName>]
       [-TenantId <String>]
       -AadAccessToken <String>
       [-MsAccessToken <String>]
       -AccountId <String>
       [-LogLevel <LogLevel>]
       [-LogFilePath <String>]
       [-InformationAction <ActionPreference>]
       [-InformationVariable <String>]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

You can use an access token with the Connect-AzureAD PowerShell cmdlet to connect to Azure AD. But it must be an access token, not an ID token. And its audience must be Microsoft Graph.
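Both answers above hinge on the same two conditions: the token must be an access token (not an ID token) and it must be issued for the right Graph audience. The following is an added example, not code from either answer, that checks those claims before calling Connect-AzureAD so a wrong token fails with a clear message instead of an opaque connection error. It assumes the AzureAD module is installed and that $aadToken and $msToken are placeholders for tokens your web app already holds; the helper names ConvertFrom-JwtPayload and Assert-GraphAccessToken are made up for this example.

```powershell
# Constructed placeholders: in a real script these come from the web app's token cache.
$aadToken = '<access token issued for AAD Graph>'
$msToken  = '<access token issued for Microsoft Graph>'

function ConvertFrom-JwtPayload {
    # Decode the payload (second segment) of a compact JWS without verifying the signature.
    # This is only a pre-flight sanity check; Azure AD itself validates the token on use.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected 3 dot-separated parts).' }
    # base64url -> base64: restore the standard alphabet and padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Assert-GraphAccessToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$ExpectedAudience
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # An ID token's "aud" is your own application's client id, so it never matches a Graph
    # audience; this is what turns "ID token not supported" into an explicit error.
    $aud = @($claims.aud) | ForEach-Object { $_ -replace '/$', '' }
    if (-not ($aud | Where-Object { $ExpectedAudience -contains $_ })) {
        throw "Token audience '$($aud -join ',')' is not one of: $($ExpectedAudience -join ', ')"
    }
    # Reject tokens that are expired or about to expire; "exp" is Unix seconds.
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($exp -lt [DateTimeOffset]::UtcNow.AddMinutes(1)) { throw "Token expired (or expires) at $exp" }
    $claims
}

# AAD Graph is the resource the AzureAD module talks to (-AadAccessToken); Microsoft Graph
# is optional (-MsAccessToken). v1 tokens carry the resource URI as "aud", v2 tokens the app id.
$aadClaims = Assert-GraphAccessToken -Token $aadToken `
    -ExpectedAudience 'https://graph.windows.net', '00000002-0000-0000-c000-000000000000'
$msClaims  = Assert-GraphAccessToken -Token $msToken `
    -ExpectedAudience 'https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'

# Tenant and UPN are taken from the validated token rather than trusted from caller input.
Connect-AzureAD -TenantId $aadClaims.tid `
                -AadAccessToken $aadToken `
                -MsAccessToken $msToken `
                -AccountId $aadClaims.upn
```

The AccountId value must match the user the tokens were issued to; taking it from the decoded upn claim keeps the two in sync.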

© www.soinside.com 2019 - 2024. All rights reserved.