Unable to add Credential to a Service Principal in Azure AD
I am trying to add a credential to a Service Principal (Azure AD application) using the following PowerShell script:
```powershell
# $location is the path to the public certificate (.cer) file to register
connect-msolservice
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($location)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert);
New-MsolServicePrincipalCredential -AppPrincipalId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -Type asymmetric -Value $credValue -Usage verify
```
However, I am getting the following error: Access Denied. You do not have permissions to call this application.
I was not the owner of this application, but the actual owner had made me one of the owners.
For a different application, which I had created, the above code runs without a hitch. Am I missing something? Do I require any other auth mechanism?
Only a global administrator of the tenant has the permissions to create or update service principals in that tenant.
What you want to do, as an owner of this application, to add a new credential is to update the Application Object via the Application Manifest.
There are instructions here about adding an X509 to your application object (in the section Configuring a X.509 public cert for your application): http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx
You should have the permissions to access and update this part of your application if you were marked as an owner.
Note that the certificate here is a Global Cert, which can be used to authenticate in the context of any tenant, rather than a tenant-specific cert on the service principal.
I hope this helps!
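The answer above points at editing the keyCredentials array of the Application Manifest rather than calling New-MsolServicePrincipalCredential. The following PowerShell is an added example, not code from the question or the answer, that builds such a manifest entry from a public certificate file. It assumes a .cer file at the path in $CerPath (placeholder, replace with your own) and the manifest field names customKeyIdentifier, keyId, type, usage, value, startDate and endDate as used by Azure AD application manifests; it does not contact Azure AD, so it runs offline.

```powershell
# Added example (not from the original post): produce the keyCredentials entry
# that the Application Manifest expects, from a public X.509 certificate file.
# Assumption: $CerPath points at a DER- or Base64-encoded .cer file. The output
# is pasted into the "keyCredentials" array of the manifest in the portal.
param(
    [string]$CerPath = "C:\certs\my-app.cer"   # assumed placeholder path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($CerPath)

# Sanity checks a practitioner wants before registering the key:
# the manifest should carry only the public certificate, and it must be valid now.
if ($cert.HasPrivateKey) {
    Write-Warning "Input file contains a private key; only the public part is emitted."
}
$now = (Get-Date).ToUniversalTime()
if ($cert.NotAfter.ToUniversalTime() -lt $now) {
    throw "Certificate expired on $($cert.NotAfter.ToUniversalTime().ToString('o'))"
}
if ($cert.NotBefore.ToUniversalTime() -gt $now) {
    throw "Certificate is not valid until $($cert.NotBefore.ToUniversalTime().ToString('o'))"
}

# "value" is the Base64 of the DER certificate, the same bytes GetRawCertData()
# returned in the question's script.
$value = [System.Convert]::ToBase64String($cert.GetRawCertData())

# "customKeyIdentifier" is conventionally the Base64 of the SHA-1 thumbprint bytes,
# which lets you match the manifest entry back to the certificate later.
$keyIdentifier = [System.Convert]::ToBase64String($cert.GetCertHash())

$entry = [ordered]@{
    customKeyIdentifier = $keyIdentifier
    keyId               = [guid]::NewGuid().ToString()
    type                = "AsymmetricX509Cert"
    usage               = "Verify"
    value               = $value
    startDate           = $cert.NotBefore.ToUniversalTime().ToString("o")
    endDate             = $cert.NotAfter.ToUniversalTime().ToString("o")
}

# JSON array fragment to merge into the manifest's "keyCredentials" list.
ConvertTo-Json @($entry) -Depth 3
```

Because the manifest is a per-application object, an owner can save this entry without tenant-wide rights, which is the distinction the answer draws; keep the thumbprint from the output so the credential can be identified and removed when the certificate is rotated.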
Notice: the technical posts on this site are provided under the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original address. For any questions, contact yoyou2525@163.com.