2

精简版:

如何正确设置应用程序权限和/或角色分配和/或我缺少的其他内容,以便可以使用应用程序 id/secret(OAuth 客户端凭据)创建共享邮箱?

到目前为止,我已经尝试了几种权限/角色的组合,例如Exchange.ManageAsApp用户管理员 ( fe930be7-5e62-47db-91af-98c3a49a38b1)、Exchange 管理员 ( 29232cdf-9323-42fd-ade2-1d097af3e4de) 和其他一些。

细节:

我有一堆用于自动执行 Exchange Online 上的各种任务的 powershell 脚本。到目前为止,我一直在使用基本身份验证,我能够成功地将其转换为 OAuth 密码流。

但要完全摆脱对服务帐户的依赖,我更喜欢使用凭证流。在后台我试图做这样的事情:

var authenticationContext = new AuthenticationContext($"https://login.microsoftonline.com/{TenantId}", false, _tokenCache);
var clientCredential = new ClientCredential(ClientId, ClientSecret);
var authenticationResult = await authenticationContext.AcquireTokenAsync(Resource, clientCredential);
var username = "OAuthUser@" + TenantId;
var password = authenticationResult.CreateAuthorizationHeader();
var executor = new ExolExecutor(username, password);
await executor.Execute(Script, cancellationToken);

执行者在哪里做常规的事情:

  1. 创建 PSSession 到https://outlook.office365.com/powershell-liveid?BasicAuthToOAuthConversion=true
  2. 使用执行 powershell 脚本
    using PowerShell powershell = PowerShell.Create();
    powershell.Runspace = runspace;
    powershell.AddScript(script);
    ...
    await Task.Factory.FromAsync(powershell.BeginInvoke(input, output), powershell.EndInvoke);
    
  3. 删除 PSSession

到目前为止,一切都很好。与Get-Mailbox -ResultSize 1. 但是当尝试创建新的共享邮箱New-Mailbox -Name "pko222" -DisplayName "pko222" -Alias "pko222" -Shared时,我得到了

CategoryInfo.Activity: New-Mailbox
CategoryInfo.Category: 1001
CategoryInfo.Reason: ADOperationException
CategoryInfo.TargetName: 
CategoryInfo.TargetType: 
ErrorDetails.Message: 
ErrorDetails.RecommendedAction: 
Exception.Message: Active Directory operation failed on DB7PR01A03DC005.EURPR01A003.prod.outlook.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

FullyQualifiedErrorId: [Server=BEXP281MB0087,RequestId=88419a8e-78a4-4967-9bca-71d40feb5150,TimeStamp=10/6/2020 11:57:38 AM] [FailureCategory=Cmdlet-ADOperationException] 2C0312E5,Microsoft.Exchange.Management.RecipientTasks.NewMailbox

JWT 令牌看起来像这样:

{
    "aud": "https://outlook.office365.com",
    "iss": "https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/",
    "iat": 1601985127,
    "nbf": 1601985127,
    "exp": 1601989027,
    "aio": "E2RgYFCOsw1iZj34elV49CH5zyd5AQ==",
    "app_displayname": "XXXXXXXXXXX",
    "appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "appidacr": "1",
    "idp": "https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/",
    "oid": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
    "rh": "0.AAAAv9y4fwZQ_0G6_d1kLKJ_sarAXb_REQFHhc2EM1FNn9tIAAA.",
    "roles": ["User.Read.All", "full_access_as_app", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "User.ReadBasic.All", "Mailbox.Migration", "Mail.Read", "Mail.Send", "MailboxSettings.Read", "Exchange.ManageAsApp"],
    "sid": "qqqqqqqq-qqqq-qqqq-qqqq-qqqqqqqqqqqq",
    "sub": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
    "tid": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
    "uti": "CRytfXbD80y3ATmQvd-VAQ",
    "ver": "1.0",
    "wids": ["29232cdf-9323-42fd-ade2-1d097af3e4de", "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "fe930be7-5e62-47db-91af-98c3a49a38b1", "9360feb5-f418-4baa-8175-e2a00bac4301", "62e90394-69f5-4237-9190-012177145e10", "0997a1d0-0d1d-4acb-b408-d5ca73121e90"]
}
4

1 回答 1

0

仅供参考,我设法让它在我身边工作。您只需要在连接 uri 中添加以下参数

&email=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@yourtenantname.onmicrosoft.com

所以连接uri看起来像:

https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true&email=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@yourtenantname.onmicrosoft.com

只需将后缀从“yourtenantname”更改为...您的租户名称!不要放租户指南!

https://docs.microsoft.com/en-us/answers/questions/451006/pssession-and-modern-auth.html

于 2021-06-25T08:35:39.573 回答