以下脚本应在 Azure 中创建服务主体并为其分配给定的 Azure AD 角色,但在最后一步中失败,正是在将角色分配给服务主体时。
Connect-AzureAD -TenantId $tenantId
# Create the Azure AD Application Registration
$appRegistration = New-AzureADApplication -DisplayName $spName
# Create the Service Principal
New-AzureADServicePrincipal -AppId $appRegistration.AppId
# Get the role object from the given role name
$AdminRoleObject = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq $role}
# Assign the role to the app registration
Add-AzureADDirectoryRoleMember -ObjectId $AdminRoleObject.ObjectId -RefObjectId $appRegistration.ObjectId
服务主体确实是在 Azure AD 中创建的,但该脚本未能分配 Azure AD 角色。通过观察错误消息,似乎/在 URL 中添加了额外内容,如下所示:https://graph.windows.net//
错误如下:
Add-AzureADDirectoryRoleMember: Error occurred while executing AddDirectoryRoleMember Code: Request_BadRequest Message: The URI 'https://graph.windows.net//xxx-xxx-xxx-xxx-xxx/directoryObjects/xxx-xxx-xxx-xxx-xxx' is not valid since it is not based on 'https://graph.windows.net/xxx-xxx-xxx-xxx-xxx/'. RequestId: ce7e548a-642a-4998-a153-910671c812ee DateTimeStamp: Tue, 18 Jan 2022 15:01:40 GMT HttpStatusCode: BadRequest HttpStatusDescription: Bad Request HttpResponseStatus: Completed
我正在使用powershell 7.2. 以下是有关环境的更多信息:
Name Value
---- -----
PSVersion 7.2.1
PSEdition Core
GitCommitId 7.2.1
OS Darwin 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:29:10 PST 2021; root:xnu-8019.61.5~1/RELEASE_ARM64_T8101
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
知道这是一个错误,还是我做错了什么?还是有人以不同的方式完成这项任务?
