[英]Can a service principal (Azure Application multi-tenant) grant admin consent to application in tenant using AZ CLI?
We are using multiple directories ( TENANT_A , TENANT_B ) on Azure.我们在 Azure 上使用多个目录( TENANT_A , TENANT_B )。 The goal is to create a service principal (Application), _SP_APP , inside TENANT_A which is granted access into TENANT_B .
目标是在TENANT_A内创建一个服务主体(应用程序) _SP_APP ,授予对TENANT_B的访问权限。 We want to use this service principal in script to manage both directory easily.
我们想在脚本中使用这个服务主体来轻松管理这两个目录。 One of the script is to make new Application Registration inside TENANT_B AND to grant ADMIN CONSENT for these applications.
其中一个脚本是在TENANT_B内进行新的应用程序注册,并为这些应用程序授予管理员同意。
# Login with service principal of multiple tenants application
az login --service-principal -u _SP_APP -p <PASSWORD> --tenant TENANT_B
# Creating application and fetching ID
_OBJECT_ID=`az ad app create ...`
# Granting Admin Consent
az ad app permission admin-consent --id $_OBJECT_ID
# ERROR
Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"AADSTS50058: A silent sign-in request was sent but no user is signed in.\r\nTrace ID: 9c9bd004-a97a-4543-8ff0-e314de77a700\r\nCorrelation ID: 44c79409-2f3e-43de-a84b-1e5a42e382e7\r\nTimestamp: 2019-10-28 15:54:20Z" ...
What is strange is that when we az login
with a Global Admin User and execute the script, it works fine.奇怪的是,当我们使用全局管理员用户
az login
并执行脚本时,它工作正常。
Did we miss something to allow this service principal to be able to grant admin-consent or is it something only "user" can do?我们是否错过了允许此服务主体能够授予管理员同意的某些内容,还是只有“用户”才能做的事情? (I did not find any response in microsoft azure documentation).
(我在 microsoft azure 文档中没有找到任何响应)。
Thank you谢谢
I have confirmed with Azure support engineer.我已与 Azure 支持工程师确认。 We can not use service principal to grant admin-consent.
我们不能使用服务主体来授予管理员同意。
If you must use service principal to do this, you can use Microsoft Graph api.如果您必须使用服务主体来执行此操作,您可以使用 Microsoft Graph api。 It will consent permissions automatically.
它将自动同意权限。
POST https://graph.microsoft.com/beta/xx.onmicrosoft.com/oauth2PermissionGrants
{
"clientId": "clientId-value",
"consentType": "consentType-value",
"expiryTime": "2016-10-19T10:37:00Z",
"id": "id-value",
"principalId": "principalId-value",
"resourceId": "resourceId-value"
}
To call this api, you need to provide an access token, refer to this document for more details.要调用此 api,您需要提供访问令牌,有关详细信息,请参阅此文档。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.