我们在同一目录中有两个Azure资源。 Azure API管理和Azure功能背后的一组webAPI API。我们希望azure函数能够调用API。如How to use managed identities for App Service and Azure Functions中所述,我们已经在天蓝色函数上启用了MSI。我们已经在AAD中为API创建了应用注册,并创建了要访问的角色权限。在Calling your APIs with Azure AD Managed Service Identity using application permissions之后,尝试将权限/角色分配给azure函数时遇到错误: 在Powershell中:
New-AzureADServiceAppRoleAssignment -ObjectId 8XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -Id 3XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -PrincipalId 8XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -ResourceId 9XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADServiceAppRoleAssignment -ObjectId 8XXXXXX-XXXX-XXXX-XXXX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ
icePrincipalAppRoleAssignment
给我们一个权限错误,即使AAD管理员(我认为是AAD DC管理员的成员)运行该错误也是如此。有人遇到过吗?为什么这会引发权限错误?我们已经验证了3个不同的人的ID是否正确。
答案 0 :(得分:1)
您可能面临的问题是,尽管将您的应用程序注册命名为与启用MSI的应用程序相同,但两者最终在AAD中代表了不同的服务主体。 Using app registrations with MSI isn't currently supported.
请尝试使用MSI身份的对象ID运行powershell命令。我能够使它正常工作,并向启用了MSI的应用授予了对Graph Api的访问权限。
这是我用来分配函数应用程序所需的GraphApi角色的PS:
$functionAppName = "My-FANCY-FUNC"
$context = Get-AzureRmContext -ErrorAction SilentlyContinue #this lets you search AAD for func
if(!$context){
$login = Connect-AzureRmAccount | Out-Null
Connect-AzureAD #needed this for Graph API
$context = $login
} else { Write-Host "Login session already established for " $context.Subscription.SubscriptionName }
#get the SP associated with the MSI
$MSIPrincipal = Get-AzureRmADServicePrincipal -SearchString $functionAppName | Where-Object DisplayName -eq $functionAppName
#get the SP associatesd with the MS Graph
$graph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Microsoft Graph" }
#find the target app roles in the graph
$targetRoles = $graph.AppRoles | Where-Object Value -in "Group.ReadWrite.All", "Directory.ReadWrite.All"
#iterate throgh the known roles and add the MSI SP to them
$targetRoles | ForEach-Object {New-AzureADServiceAppRoleAssignment -Id $_.Id -PrincipalId $MSIPrincipal.Id -ObjectId $MSIPrincipal.Id -ResourceId $graph.ObjectId}
根据您的问题,我怀疑此行将返回多个实体:
Get-AzureRmADServicePrincipal -SearchString $functionAppName | Where-Object DisplayName -eq $functionAppName
删除无关的应用程序注册即可清除