0

我无法弄清楚这一点。我需要一种使用Microsoft GraphPowerShell将Endpoint Manager 的 Scope 标记分配给 Azure AD 组的方法。

在门户下,这是在Endpoint Manager\Tenant Administration\Roles\Scope (Tags)下完成的。然后单击标记并转到分配并浏览到 Azure AD 组。

由于它在 Roles 下,我假设它属于roleAssignmentroleScopeTag资源类型?

我已经彻底阅读了 REST api 的所有文档,并且我还尝试通过 Microsoft.Graph.Intune 模块执行此操作,但仍然找不到合适的 cmdlet 来执行此操作。我错过了什么吗?

这是我在本文档之后构建的当前代码

首先让我们假设我有正确的标签 ID 和天蓝色的广告组对象 ID。

$ScopeTagId = 2
$TargetGroupIds = @()
$TargetGroupIds += '687c08f1-e78f-4506-b4a6-dfe35a05d138'

$graphApiVersion = "beta"
$Resource = "deviceManagement/roleScopeTags"

$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($TargetGroupIds)
$JSON = $object | ConvertTo-Json

$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)/$ScopeTagId/assign"
Invoke-RestMethod -Method Post -Uri $uri -Headers $global:authToken -Body $JSON

没有成功。然后我认为由于create roleScopeTag API 在请求正文中没有分配属性,因此必须使用update方法来完成,但那里也没有。我读到的唯一一个是使用分配操作,在文档示例中它显示了roleScopeTagAutoAssignment URI,所以我去了那个兔子洞:

$ScopeTagId = 2
$TargetGroupIds = @()
$TargetGroupIds += '687c08f1-e78f-4506-b4a6-dfe35a05d138'

$graphApiVersion = "beta"
$Resource = "deviceManagement/roleScopeTags"

$AutoTagObject = @()
foreach ($TargetGroupId in $TargetGroupIds) {
    #Build custom object for assignment
    $AssignmentProperties = "" | Select '@odata.type',id,target
    $AssignmentProperties.'@odata.type' = '#microsoft.graph.roleScopeTagAutoAssignment'
    $AssignmentProperties.id = $TargetGroupId

    #Build custom object for target
    $targetProperties = "" | Select "@odata.type",deviceAndAppManagementAssignmentFilterId,deviceAndAppManagementAssignmentFilterType
    $targetProperties."@odata.type" = "microsoft.graph.deviceAndAppManagementAssignmentTarget"
    $targetProperties.deviceAndAppManagementAssignmentFilterId = $TargetGroupId
    $targetProperties.deviceAndAppManagementAssignmentFilterType = 'include'

    #add target object to assignment
    $AssignmentProperties.target = $targetProperties

    $AutoTagObject += $AssignmentProperties

}
#build body object
$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($AutoTagObject)
$JSON = $object | ConvertTo-Json

$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)/$ScopeTagId/assign"
Invoke-RestMethod -Method Post -Uri $uri -Headers $global:authToken -Body $JSON

我得到的错误类似于:“有效负载中的属性目标的值与架构不匹配。”,“innerError”:{“date”:“2022-01-27T16:28:34”,“request-id” ":"75626c4d-f09b-438e-8b0f-0b2928ac23ce","client-request-id":"75626c4d-f09b-438e-8b0f-0b2928ac23ce"我假设是我调用的 odata.type 对象"microsoft.graph .deviceAndAppManagementAssignmentTarget"

通过roledefinition URI在文档中有第二种发布方法,这似乎是一个不必要的步骤,但我也尝试过,但没有成功。

我不知道这是否正确。我非常了解其他人的 API 调用,并且我已经能够使用图表成功地为自定义角色及其分配添加标签;我似乎无法为范围标签本身找到 URI 和 JSON 主体的正确组合……如果它甚至存在的话。:(

任何想法,如果可以的话,请分享一些代码片段。谢谢!

4

1 回答 1

1

我找到了正确的 URI 和请求正文

如果可以像这样生成:

$ScopeTagId = 2
$TargetGroupIds = @()
$TargetGroupIds += '687c08f1-e78f-4506-b4a6-dfe35a05d138'

$graphApiVersion = "beta"
$Resource = "deviceManagement/roleScopeTags"

$AutoTagObject = @()
#TEST $TargetGroupId = $TargetGroupIds[0]
foreach ($TargetGroupId in $TargetGroupIds) {
    #Build custom object for assignment
    $AssignmentProperties = "" | Select id,target
    $AssignmentProperties.id = ($TargetGroupId + '_' + $ScopeTagId)


    #Build custom object for target
    $targetProperties = "" | Select "@odata.type",deviceAndAppManagementAssignmentFilterId,deviceAndAppManagementAssignmentFilterType,groupId
    $targetProperties."@odata.type" = "microsoft.graph.groupAssignmentTarget"
    $targetProperties.deviceAndAppManagementAssignmentFilterId = $null
    $targetProperties.deviceAndAppManagementAssignmentFilterType = 'none'
    $targetProperties.groupId = $TargetGroupId

    #add target object to assignment
    $AssignmentProperties.target = $targetProperties

    $AutoTagObject += $AssignmentProperties

}
#build body object
$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($AutoTagObject)
$JSON = $object | ConvertTo-Json -Depth 10

$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)/$ScopeTagId/assign"
Invoke-RestMethod -Method Post -Uri $uri -Headers $global:authToken -Body $JSON -ErrorAction Stop

Json 请求正文如下所示:

{
"assignments": [
    {
        "id": "b25c80e3-78cc-4b7c-888e-fc50dcc6b582_2",
        "target": {
            "@odata.type": "microsoft.graph.groupAssignmentTarget",
            "deviceAndAppManagementAssignmentFilterId": null,
            "deviceAndAppManagementAssignmentFilterType": "none",
            "groupId": "b25c80e3-78cc-4b7c-888e-fc50dcc6b582"
        }
    }
]
}

这在任何地方都没有记录...

于 2022-01-28T01:45:43.300 回答