0

我正在使用 Azure DevOps 管道部署基于 Azure Function 的应用程序,作为部署的一部分,还预配了所需的基础架构(使用 ARM 模板)。Azure 功能需要访问 Microsoft Graph 和 SharePoint REST API,要实现这一点,需要执行以下步骤:

  1. Azure 函数是使用系统分配的标识 (MSI) 创建的。
  2. MSI(身份)被传递到下面的 PowerShell 脚本,以启用对 Graph 和 SharePoint API 的访问。
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
 
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
 
$azureFunctionServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$PrincipalId'"
#Graph service principal
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$GraphFilesReadWriteAllAppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -in 'Files.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal.ObjectId -PrincipalId $EcaseServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $GraphFilesReadWriteAllAppRole.Id

$SharePointOnlineServicePrinciple = Get-AzureADServicePrincipal -SearchString “Office 365 SharePoint”
$SharePointOnlineSitesReadWriteAllAppRole = $SharePointOnlineServicePrinciple.AppRoles | Where-Object {$_.Value -in 'Sites.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal.ObjectId -PrincipalId $EcaseServicePrincipal.ObjectId -ResourceId $SharePointOnlineServicePrinciple.ObjectId -Id $SharePointOnlineSitesReadWriteAllAppRole.Id

由于权限不足,执行 Get-AzureADServicePrincipal 命令时的 PowerShell 脚本失败,此命令在 DevOps 的 ServiceConnection 身份下执行。ServiceConnection 被分配了以下额外的权限, 在此处输入图像描述

我无法弄清楚 GetServicePrincipal 需要哪些其他权限才能成功,以及执行 New-AzureAdServiceAppRoleAssignment cmdlet。

[2020 年 8 月 31 日更新] 感谢 AlleWu 的解决方案,解决了与 GetServicePrincipal 相关的权限问题。但是,尽管有以下权限,执行 NewServicePrincipalAppRoleAssignment 的权限问题仍然存在,我错过了一些步骤。我另外将 ServiceConnection 对象设置为 ResourceGroup 的所有者,但这也失败了。

服务连接权限

NewServicePrincipalAppRoleAssignment 执行错误日志:

2020-08-31T05:24:55.5613075Z ##[debug]+ New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal. ...
2020-08-31T05:24:55.5639370Z ##[debug]+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-08-31T05:24:55.5721318Z ##[debug]    + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
2020-08-31T05:24:55.5744883Z ##[debug]    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ    icePrincipalAppRoleAssignment
2020-08-31T05:24:55.5765560Z ##[debug] 
2020-08-31T05:24:55.5834409Z ##[debug]Script stack trace:
2020-08-31T05:24:55.5976760Z ##[debug]at <ScriptBlock>, D:\a\1\s\azure.pipelines\pwsh\provision_service_principle_for_sharepoint_graph.ps1: line 23
2020-08-31T05:24:55.6006045Z ##[debug]at <ScriptBlock>, <No file>: line 1
2020-08-31T05:24:55.6029248Z ##[debug]at <ScriptBlock>, D:\a\_tasks\AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62\4.173.1\azurepowershell.ps1: line 229
2020-08-31T05:24:55.6188575Z ##[debug]at <ScriptBlock>, D:\a\_tasks\AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62\4.173.1\azurepowershell.ps1: line 225
2020-08-31T05:24:55.6219503Z ##[debug]at <ScriptBlock>, <No file>: line 1
2020-08-31T05:24:55.6243577Z ##[debug]at <ScriptBlock>, <No file>: line 22
2020-08-31T05:24:55.6281986Z ##[debug]at <ScriptBlock>, <No file>: line 18
2020-08-31T05:24:55.6331521Z ##[debug]at <ScriptBlock>, <No file>: line 1
2020-08-31T05:24:55.6497107Z ##[debug]Exception:
2020-08-31T05:24:55.6577566Z ##[debug]Microsoft.Open.AzureAD16.Client.ApiException: Error occurred while executing NewServicePrincipalAppRoleAssignment 
2020-08-31T05:24:55.6607345Z ##[debug]Code: Authorization_RequestDenied
2020-08-31T05:24:55.6683059Z ##[debug]Message: Insufficient privileges to complete the operation.
2020-08-31T05:24:55.6712669Z ##[debug]RequestId: 14e5694e-bfde-404f-a441-4543871b1e56
2020-08-31T05:24:55.6760142Z ##[debug]DateTimeStamp: Mon, 31 Aug 2020 05:24:53 GMT
2020-08-31T05:24:55.6794376Z ##[debug]HttpStatusCode: Forbidden
2020-08-31T05:24:55.6818439Z ##[debug]HttpStatusDescription: Forbidden
2020-08-31T05:24:55.6842869Z ##[debug]HttpResponseStatus: Completed
2020-08-31T05:24:55.6890342Z ##[debug]
2020-08-31T05:24:55.6915727Z ##[debug]   at Microsoft.Open.AzureAD16.Client.Configuration.<>c.<.cctor>b__47_0(String methodName, IRestResponse response) in X:\bt\1137570\repo\src\dev\PowerShell.V2\AzureAD16.Client\Client\Configuration.cs:line 188
2020-08-31T05:24:55.6947059Z ##[debug]   at Microsoft.Open.AzureAD16.Api.ServicePrincipalApi.NewServicePrincipalAppRoleAssignmentWithHttpInfo(String tenantId, String objectId, String authorization, String cmdletName, String clientRequestId, String apiVersion, AppRoleAssignment appRoleAssignment) in X:\bt\1137570\repo\src\dev\PowerShell.V2\AzureAD16.Client\Api\ServicePrincipalApi.cs:line 4006
2020-08-31T05:24:55.6977721Z ##[debug]   at Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment.ProcessRecord() in X:\bt\1137570\repo\src\dev\PowerShell.V2\AzureAD16.PowerShell\AzureAD16.PowerShell.AutoGen\API\ServicePrincipalApi.cs:line 2019
2020-08-31T05:24:55.7008421Z ##[debug]   at System.Management.Automation.CommandProcessor.ProcessRecord()
2020-08-31T05:24:55.7366976Z ##[error]Error occurred while executing NewServicePrincipalAppRoleAssignment 
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 14e5694e-bfde-404f-a441-4543871b1e56
DateTimeStamp: Mon, 31 Aug 2020 05:24:53 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden

2020 年第一组更新:上面建议的替代解决方案有效,下面我更新了用于提供所需权限的脚本,

$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
 
$webAppServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$PrincipalId'" #$PrincipalId is the ObjectId of the webApp instance
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$GraphFilesReadWriteAllAppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -in 'Files.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'}

#It appears that the Azure DevOps's service connection need to have Global Administrator permissions to successfully execute the below statement; which is not recommended, hence, this is implemented calling Graph API 
#New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal.ObjectId -PrincipalId $EcaseServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $GraphFilesReadWriteAllAppRole.Id

$resourceId = $GraphServicePrincipal.ObjectId
$body = @{
  "principalId"= $webAppServicePrincipal.ObjectId
  "resourceId"= $resourceId
  "appRoleId"= $GraphFilesReadWriteAllAppRole.Id
}

$apiUrl = "https://graph.microsoft.com/v1.0/servicePrincipals/$resourceId/appRoleAssignedTo"
Invoke-RestMethod -Uri $apiUrl -Headers @{Authorization = "Bearer $($graphToken)" }  -Method POST -Body $($body | convertto-json) -ContentType "application/json"
4

1 回答 1

1

Get-AzureADServicePrincipal命令调用 Azure AD Graph 而不是 Microsoft Graph。

GET https://graph.windows.net/{tenant id}/servicePrincipals?api-version=1.6 HTTP/1.1

因此,您应该授予 Azure AD Graph 权限:

在此处输入图像描述

在此处输入图像描述

更新:

发现了一些有趣的东西:

尽管我将所有 AAD Graph 应用程序权限分配给了服务主体,但它仍然显示“权限不足,无法完成操作”。

所以我使用了另一种方法:将全局管理员角色分配给这个服务主体。但它有大约10-15分钟的延迟。然后服务主体可以New-AzureAdServiceAppRoleAssignment成功执行。

我也使用应用程序管理员角色进行测试,但它不起作用。我认为 AAD Graph 有一些变化,不会被维护。所以不推荐使用。

作为一种解决方法,您可以调用 Microsoft Graph API:在您的 Powershell 脚本中为服务主体授予 appRoleAssignment 。

于 2020-08-28T01:08:14.853 回答