
So for the past few days I've been trying to get REST to perform thousands of small changes against our Azure. I think there are REST commands to do this, but I'm still struggling to authenticate correctly. So yesterday I found this code on Stack Overflow (question 49211916):

    ## get token
    $TENANTID=""
    $APPID=""
    $PASSWORD=""
    $result=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
    $token=$result.access_token

    $Headers=@{
        'Authorization'="Bearer $token"
        'Host'="management.azure.com"
        'Content-Type'='application/json'   # was misspelled 'contentype', which Graph ignores
    }

Looks fine to me. I had already created an application in AAD, so I copied and pasted the first 3 values from it.

Then I moved on to my actual task - changing the device category in Intune. So I ran the code I had found a few days earlier in question 957046:

    #this is an example for 1 device:
    $intuneDeviceId = 'deadbeef-aaaa-bbbb-cccc-0123456789ab' #update the IntuneDeviceID, you will need to implement a loop for multiple devices
    $deviceCategoryReqBody = '{"@odata.id":"https://graph.microsoft.com/beta/deviceManagement/deviceCategories/98765432-aaaa-bbbb-cccc-0123456789ab"}' #update the deviceCategory id
    $patchDeviceReqBody = '{}'
    # $authToken must hold the header hashtable built when the token was acquired ($Headers above)

    #Running a GET method on the device ID to check its validity
    Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$intuneDeviceId/deviceCategory" -Headers $authToken -Method Get

    #calling the PUT method to update device category for that specific device
    Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$intuneDeviceId/deviceCategory/`$ref" -Headers $authToken -Method Put -Body $deviceCategoryReqBody

    #calling the PATCH method to update device details about device category
    Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$intuneDeviceId" -Headers $authToken -Method Patch -Body $patchDeviceReqBody

    #Running a GET method to list the available device categories
    Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/" -Headers $authToken -Method Get

    #endregion

I replaced the variables, and when running the first GET command I got this error:

    Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

What am I missing? As I said - I have registered an application in AAD (that's where I got the tenant ID, application ID and password from). I have added API permissions, but I'm not a Global Administrator of our tenant, so they are currently in the "Not granted for Contoso" state. Does a global admin have to approve them before I call the REST methods, or is that a later step that I shouldn't worry about right now?


1 Answer


Not sure about the TLS error, but this is definitely wrong:

    "resource" = "https://management.core.windows.net/"

Replace this with https://graph.microsoft.com to get a token for the Microsoft Graph API.

Also, an Application Administrator / Cloud Application Administrator / Global Administrator needs to consent to your permissions in the API permissions tab for this to work. Application-level permissions always require admin consent.

Answered 2020-03-31T07:39:05.187
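The following is an added example, not code from the question or the answer, that puts the answer's two points together with the multi-device loop the question's comment asks for: it requests a token with `resource` set to Microsoft Graph, decodes the token payload to confirm the audience is Graph and that the `roles` claim is present (application permissions only appear there once an admin has consented), and then applies one device category to a list of Intune devices, reporting the HTTP status of any failure so a 401/403 (token or consent problem) is distinguishable from a 404 (bad device ID). The environment variable name INTUNE_CLIENT_SECRET, the placeholder IDs and the device list are assumptions made for this example.

```powershell
# Added example (not from the question or answer). Assumptions: an app registration exists,
# its client secret is in the environment variable INTUNE_CLIENT_SECRET (name chosen here),
# and the <...> values are placeholders to be replaced.

$TenantId     = '<tenant-id>'
$AppId        = '<application-client-id>'
$ClientSecret = $env:INTUNE_CLIENT_SECRET     # keep the secret out of the script file
$CategoryId   = '<device-category-id>'
$DeviceIds    = @('<intune-device-id-1>', '<intune-device-id-2>')   # constructed list
$Graph        = 'https://graph.microsoft.com'

function Get-JwtPayload {
    # Decode the payload segment of a JWT. The signature is NOT validated here; the claims are
    # only inspected locally to diagnose audience / consent problems before calling Graph.
    param([Parameter(Mandatory)][string]$Jwt)
    $segments = $Jwt.Split('.')
    if ($segments.Count -lt 2) { throw 'Value is not a JWT.' }
    $b64 = $segments[1].Replace('-', '+').Replace('_', '/')        # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# 1. Token for the Graph resource (the answer's fix: Graph, not management.core.windows.net).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token?api-version=1.0" `
    -Body @{
        grant_type    = 'client_credentials'
        resource      = $Graph
        client_id     = $AppId
        client_secret = $ClientSecret
    }
$token  = $tokenResponse.access_token
$claims = Get-JwtPayload -Jwt $token

# 2. Fail early with a clear message instead of an opaque 401 from Graph.
if ($claims.aud -notin @($Graph, '00000003-0000-0000-c000-000000000000')) {
    throw "Token audience is '$($claims.aud)', not Microsoft Graph. Check the 'resource' value."
}
if (-not $claims.roles) {
    throw 'Token carries no application roles: the API permissions have not received admin consent yet.'
}
Write-Host "Token OK. Granted application roles: $($claims.roles -join ', ')"

# 3. Apply the category to each device; one failure does not stop the batch.
$headers = @{
    Authorization  = "Bearer $token"
    'Content-Type' = 'application/json'
}
$categoryRef = @{ '@odata.id' = "$Graph/beta/deviceManagement/deviceCategories/$CategoryId" } |
    ConvertTo-Json -Compress

$results = foreach ($deviceId in $DeviceIds) {
    $deviceUri = "$Graph/beta/deviceManagement/managedDevices/$deviceId"
    try {
        # PUT the category reference, then an empty PATCH so the device record reflects the change.
        Invoke-RestMethod -Method Put   -Uri "$deviceUri/deviceCategory/`$ref" -Headers $headers -Body $categoryRef | Out-Null
        Invoke-RestMethod -Method Patch -Uri $deviceUri -Headers $headers -Body '{}' | Out-Null
        $current = Invoke-RestMethod -Method Get -Uri "$deviceUri/deviceCategory" -Headers $headers
        [pscustomobject]@{ DeviceId = $deviceId; Status = 'Updated'; Category = $current.displayName }
    }
    catch {
        # Keep the HTTP status: 401/403 point at the token or consent, 404 at the device ID.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'n/a' }
        [pscustomobject]@{ DeviceId = $deviceId; Status = "Failed ($status)"; Category = $null }
    }
}
$results | Format-Table -AutoSize
```

Run it once with a single device ID in `$DeviceIds` before pointing it at the full list; if the script stops at step 2 with the audience message, the `resource` value is still wrong, and if it stops with the roles message, the permissions are still waiting for admin consent, exactly the two conditions the answer describes.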