Unable to use a service principal

Date: 2017-03-06 10:14:02

Tags: azure azure-active-directory

C:\> $app = New-AzureRmADApplication -DisplayName "exampleapp" -HomePage "https://www.contoso.org/exampleapp" -IdentifierUris "https://www.contoso.org/exampleapp" -Password "Qwertyu123$"
New-AzureRmADApplication : Resource not found for the segment 'me'.

I can issue the same command with the owner account. The problem is that this application has almost all permissions in Azure (including Owner).

edit - the command used to start the Azure session:

Add-AzureRmAccount -TenantId $env:tenant_id -ServicePrincipal `
   -Credential ([pscredential]::new($env:app_id,(ConvertTo-SecureString -String $env:app_key -AsPlainText -Force)))

(screenshot: permissions example)

Obviously I'm missing some permission; which one?


Body:
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    },
    "requestId": "9c3bf711-c9ad-4883-a5cf-fa7926ccdf63",
    "date": "2017-03-06T10:14:29"
  }
}

3 answers:

Answer 0: (score: 0)

I tried to reproduce your error but failed; here are my test steps:

  1. In the Azure AD classic portal, I added a web application: (screenshot)
  2. Enter the app name, choose Web application / Web API, and enter the sign-on URL and App ID URI: (screenshots)
  3. Configure the permissions as shown in the picture: (screenshot)
  4. In PowerShell, run the Add-AzureRmAccount script, then create a new application; both work fine: (screenshot)
  5. Use Fiddler to capture the HTTP request made by New-AzureRmADApplication; you will find that it calls a REST API: (screenshot)

    You can use an online tool (such as jwt.io) to decode your access token; please check the "roles" claim. I configured the application permissions as in the picture you showed, and the roles are: (screenshot)

    The "aud" is https://graph.windows.net/. If there is anything I haven't noticed, please let me know.
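
The check described in the answer above (decode the access token, then look at the "roles" and "aud" claims) written out as an added Python example; it is not part of the original thread. The token is constructed inside the script with a dummy signature so that it runs offline, and the role names Directory.ReadWrite.All and Application.ReadWrite.All are an assumption about which Azure AD Graph application permissions the cmdlet needs, since the page only shows the required role in a screenshot. The decoder deliberately does not verify the signature: it is an inspection aid in the spirit of jwt.io, not an authentication step.

```python
import base64
import json
import time

# Audience the answer above observed in a working token.
GRAPH_AUD = "https://graph.windows.net/"

# Assumption: Azure AD Graph application permissions that allow creating
# application objects. The page does not name the role it actually needed.
APP_CREATE_ROLES = ("Directory.ReadWrite.All", "Application.ReadWrite.All")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Inspection only (what jwt.io does). Never base an authorization decision
    on claims taken from an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(claims: dict, any_of_roles=APP_CREATE_ROLES, now=None) -> list:
    """Return human-readable problems; an empty list means the token looks usable."""
    problems = []
    if claims.get("aud") != GRAPH_AUD:
        problems.append("aud is %r, expected %r" % (claims.get("aud"), GRAPH_AUD))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and exp < now:
        problems.append("token expired at %d" % exp)
    # Delegated permissions show up in 'scp'; application permissions granted to a
    # service principal show up in 'roles'. A service principal needs the latter.
    if "scp" in claims and "roles" not in claims:
        problems.append("token carries delegated scopes (scp) but no application roles")
    roles = set(claims.get("roles", []))
    if not roles:
        problems.append("no 'roles' claim: no application permissions granted (or admin consent missing)")
    elif not roles.intersection(any_of_roles):
        problems.append("roles %s include none of %s" % (sorted(roles), list(any_of_roles)))
    return problems


def build_sample_token(claims: dict) -> str:
    """Constructed test token: real header/payload encoding, dummy signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample claims (placeholder app id, far-future expiry); not a real tenant.
GOOD_CLAIMS = {"aud": GRAPH_AUD, "appid": "00000000-0000-0000-0000-000000000001",
               "roles": ["Directory.ReadWrite.All"], "exp": 4102444800}
BAD_CLAIMS = {"aud": "https://management.core.windows.net/",
              "appid": "00000000-0000-0000-0000-000000000001", "exp": 4102444800}

if __name__ == "__main__":
    for name, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        problems = check_graph_token(decode_jwt_claims(build_sample_token(claims)))
        print(name, "OK" if not problems else problems)
```

To use it against a real session, paste the bearer token captured with Fiddler (as step 5 describes) into `decode_jwt_claims`; a token whose "aud" is the ARM endpoint rather than graph.windows.net, or which has "scp" but no "roles", explains an Authorization_RequestDenied from the Graph call immediately.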

Answer 1: (score: 0)

So I guess this is the cloud being known for some kind of transient failure; I haven't changed anything, but this is now working.

Answer 2: (score: -1)

I have been using this script, which works:

# This script creates an Azure AD application.
# Before running this script you need to install the Azure RM cmdlets as an administrator. 
# For this:
# 1) Run Powershell as an administrator
# 2) in the PowerShell window, type: Install-Module AzureRM.Resources

$ErrorActionPreference = 'Stop'

# Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps.
# Look it up in the Azure portal in the "Properties" of the Azure AD. 
$script:tenantId = '00000000-0abc-0000-abcd-ef0001111234' 

# Variables for the registration of the AAD application for the Web API Service
$script:serviceAadAppName = "exampleapp"
$script:serviceHomePage = "https://www.contoso.org/exampleapp"
$script:serviceAppIdIRI = "https://"+$script:tenantId+"/"+$serviceAadAppName


# Import required modules
Import-Module AzureRM.Resources

# Login to Azure PowerShell (interactive: you'll need to sign in with creds enabling you to create apps in the tenant)
$creds = Login-AzureRmAccount -TenantId $script:tenantId


# Create the Azure Active Directory Application
# Note that if, at this point, you get an error: "New-AzureRmADApplication : Your Azure credentials have not been set up or have expired, please run Login-AzureRMAccount to set up your Azure credentials"
# then you will need to run Clear-AzureProfile (you might have an expired token)

$serviceApplication = New-AzureRmADApplication -DisplayName $script:serviceAadAppName -HomePage $script:serviceHomePage -IdentifierUris $script:serviceAppIdIRI

# Create the Service Principal and connect it to the Application
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $serviceApplication.ApplicationId

More things (such as credentials) can then be added, either during application creation or afterwards (using Set-AzureRMADApplication).