Can't grant permissions to an app in Azure AD using "az"; getting 403

Time: 2019-04-17 19:16:59

Tags: azure azure-active-directory

I'm trying to write a script to add permissions in Azure AD, and for some reason I'm getting a 403.

Here is the command:

az ad app permission grant --id 934b23f2-ab55-4876-83ce-b38e9966ea53 --api  2ac352a9-b35a-4db8-bbce-84d9245faa45

Here is the debug output:

msrest.http_logger : Request URL: 'https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6'
msrest.http_logger : Request method: 'POST'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'Content-Length': '323'
msrest.http_logger :     'User-Agent': 'python/3.6.6 (Windows-10-10.0.18362-SP0) msrest/0.6.6 msrest_azure/0.6.0 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.0.62'
msrest.http_logger : Request body:
msrest.http_logger : {"odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant", "clientId": "874bf2e7-d191-4d86-ba64-234c885c703a", "consentType": "AllPrincipals", "resourceId": "e7c4266c-e7c0-440f-910a-2557f24b842c", "scope": "user_impersonation", "startTime": "2019-04-18T00:11:56.102063", "expiryTime": "2020-04-18T00:11:56.102063"}
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6 HTTP/1.1" 403 219
msrest.http_logger : Response status: 403
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': 'flQBgrwiZdgfrwyQn7i7mb8tOHe8Zm56rla4LDh9+Zw='
msrest.http_logger :     'request-id': 'e514bba2-7cc9-47e7-bd16-ff1ea17fbad8'
msrest.http_logger :     'client-request-id': '924eb878-616e-11e9-8077-f26e0bc197ab'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': '-RrCLfYgOSFwqxz4IBLGEBFBrYfXBZbU8zNwiCGag-dWYfm6EGWjClVXFX9LjmWphFkDKZaqQP39ko2PuX_K4DXuqK1NwUB5wayM8e5wnXvaSoYQW1B4nwJDR7JAHnwU.e2QPHdU1fQSwX4_tnWM81ajF8thbjmTeEPBE9HPtOJI'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Duration': '545850'
msrest.http_logger :     'Date': 'Thu, 18 Apr 2019 00:11:55 GMT'
msrest.http_logger :     'Content-Length': '219'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"e514bba2-7cc9-47e7-bd16-ff1ea17fbad8","date":"2019-04-18T00:11:56"}}
msrest.exceptions : Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6
cli.azure.cli.core.util : Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6
Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6
az_command_data_logger : exit code: 1
telemetry.save : Save telemetry record of length 2468 in cache
telemetry.check : Negative: The C:\Users\mikebaz\.azure\telemetry.txt was modified at 2019-04-17 20:04:03.430973, which in less than 600.000000 s
command ran in 2.421 seconds.

This is what I'm trying to grant:

[
  {
    "additionalProperties": null,
    "expiryTime": "",
    "resourceAccess": [
      {
        "additionalProperties": null,
        "id": "4b7cb559-04e7-4d6e-8b59-362ceccc6a89",
        "type": "Scope"
      }
    ],
    "resourceAppId": "2ac352a9-b35a-4db8-bbce-84d9245faa45"
  }
]

I can do the grant successfully in the portal (that's how I got the grant details above), so I know I'm able to grant it.

Any ideas on what I'm missing here?

1 answer:

Answer 0: (score: 2)

At least one problem I've noticed is that the value of the --api parameter in the command may be incorrect.

In the JSON you mentioned, the working copy from the Portal, the resourceAppId is 2ac352a9-b35a-4db8-bbce-84d9245faa45, so that should be the value of the --api parameter (the target API) in the command.

[
  {
    "additionalProperties": null,
    "expiryTime": "",
    "resourceAccess": [
      {
        "additionalProperties": null,
        "id": "4b7cb559-04e7-4d6e-8b59-362ceccc6a89",
        "type": "Scope"
      }
    ],
    "resourceAppId": "2ac352a9-b35a-4db8-bbce-84d9245faa45"
  }
]

Also make sure that the 934b23f2-ab55-4876-83ce-b38e9966ea53 you have is the application's applicationId or objectId.

az ad app permission grant --id 934b23f2-ab55-4876-83ce-b38e9966ea53 --api 2ac352a9-b35a-4db8-bbce-84d9245faa45 --scope user_impersonation --consent-type AllPrincipals
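To apply the check the answer describes in a script (the --api value must be the resourceAppId from the app's permission list, the --id value must be the app's own GUID, and only "Scope" entries are delegated permissions that an OAuth2 permission grant covers), here is an added Python example that is not part of the original post. It parses the JSON shown above and emits the matching grant command; the mapping from the scope id 4b7cb559-04e7-4d6e-8b59-362ceccc6a89 to the name user_impersonation is a constructed assumption, not data from the page.

```python
import json
import re
import shlex

GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# The `az ad app permission list` output quoted in the question.
REQUIRED_RESOURCE_ACCESS = json.loads("""
[
  {
    "additionalProperties": null,
    "expiryTime": "",
    "resourceAccess": [
      {"additionalProperties": null, "id": "4b7cb559-04e7-4d6e-8b59-362ceccc6a89", "type": "Scope"}
    ],
    "resourceAppId": "2ac352a9-b35a-4db8-bbce-84d9245faa45"
  }
]
""")

# Constructed sample of the resource's published delegated scopes (what
# `az ad sp show --id <resourceAppId> --query oauth2Permissions` returns).
# The id-to-name pairing below is an assumption for illustration only.
RESOURCE_SCOPES = {
    "2ac352a9-b35a-4db8-bbce-84d9245faa45": {
        "4b7cb559-04e7-4d6e-8b59-362ceccc6a89": "user_impersonation",
    },
}

def build_grant_commands(app_id, required, resource_scopes):
    """Return one `az ad app permission grant` command per required resource."""
    if not GUID_RE.match(app_id):
        raise ValueError(f"--id must be the app's appId/objectId GUID, got {app_id!r}")
    commands = []
    for entry in required:
        api = entry["resourceAppId"]            # this is the value for --api
        names = []
        for access in entry["resourceAccess"]:
            if access["type"] != "Scope":       # "Role" = app role, not a delegated grant
                continue
            if access["id"] not in resource_scopes.get(api, {}):
                raise ValueError(f"scope id {access['id']} is not published by {api}")
            names.append(resource_scopes[api][access["id"]])
        if names:  # the grant's scope claim is the space-separated scope names
            commands.append("az ad app permission grant --id %s --api %s --scope %s"
                            % (app_id, api, shlex.quote(" ".join(names))))
    return commands

if __name__ == "__main__":
    for cmd in build_grant_commands("934b23f2-ab55-4876-83ce-b38e9966ea53",
                                    REQUIRED_RESOURCE_ACCESS, RESOURCE_SCOPES):
        print(cmd)
```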