服务主体(Azure 应用程序多租户)是否可以使用 AZ CLI 向租户中的应用程序授予管理员许可?
[英]Can a service principal (Azure Application multi-tenant) grant admin consent to application in tenant using AZ CLI?
问题描述
Context
语境
We are using multiple directories ( TENANT_A , TENANT_B ) on Azure.我们在 Azure 上使用多个目录( TENANT_A , TENANT_B )。 The goal is to create a service principal (Application), _SP_APP , inside TENANT_A which is granted access into TENANT_B .目标是在TENANT_A内创建一个服务主体(应用程序) _SP_APP ,授予对TENANT_B的访问权限。 We want to use this service principal in script to manage both directory easily.我们想在脚本中使用这个服务主体来轻松管理这两个目录。 One of the script is to make new Application Registration inside TENANT_B AND to grant ADMIN CONSENT for these applications.其中一个脚本是在TENANT_B内进行新的应用程序注册,并为这些应用程序授予管理员同意。
What is done做了什么
_SP_APP _SP_APP
- Global Admin on both Directory两个目录上的全局管理员
- Granted Access to TENANT_B (Visible in Enterprise Application)授予对TENANT_B的访问权限(在企业应用程序中可见)
- Api Permissions were granted Admin Consent ( TENANT_A and TENANT_B ) Api 权限已授予管理员同意( TENANT_A和TENANT_B )
- Microsoft Graph (Delegated and Application Full Access) Microsoft Graph(委托和应用程序完全访问)
- Azure Active Directory Graph (Delegated and Application Full Access) Azure Active Directory 图(委托和应用程序完全访问)
- Microsoft Graph (Delegated and Application Full Access)
Steps脚步
Working correctly正常工作
# Login with service principal of multiple tenants application
az login --service-principal -u _SP_APP -p <PASSWORD> --tenant TENANT_B
# Creating application and fetching ID
_OBJECT_ID=`az ad app create ...`
Not Working不工作
# Granting Admin Consent
az ad app permission admin-consent --id $_OBJECT_ID
# ERROR
Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"AADSTS50058: A silent sign-in request was sent but no user is signed in.\r\nTrace ID: 9c9bd004-a97a-4543-8ff0-e314de77a700\r\nCorrelation ID: 44c79409-2f3e-43de-a84b-1e5a42e382e7\r\nTimestamp: 2019-10-28 15:54:20Z" ...
What is strange is that when we az login with a Global Admin User and execute the script, it works fine.奇怪的是,当我们使用全局管理员用户az login并执行脚本时,它工作正常。
Question问题
Did we miss something to allow this service principal to be able to grant admin-consent or is it something only "user" can do?我们是否错过了允许此服务主体能够授予管理员同意的某些内容,还是只有“用户”才能做的事情? (I did not find any response in microsoft azure documentation). (我在 microsoft azure 文档中没有找到任何响应)。
Thank you谢谢
1 个解决方案
解决方案1
1 已采纳 2019-10-30 08:30:09
I have confirmed with Azure support engineer.我已与 Azure 支持工程师确认。 We can not use service principal to grant admin-consent.我们不能使用服务主体来授予管理员同意。
If you must use service principal to do this, you can use Microsoft Graph api.如果您必须使用服务主体来执行此操作,您可以使用 Microsoft Graph api。 It will consent permissions automatically.它将自动同意权限。
POST https://graph.microsoft.com/beta/xx.onmicrosoft.com/oauth2PermissionGrants
{
"clientId": "clientId-value",
"consentType": "consentType-value",
"expiryTime": "2016-10-19T10:37:00Z",
"id": "id-value",
"principalId": "principalId-value",
"resourceId": "resourceId-value"
}
To call this api, you need to provide an access token, refer to this document for more details.要调用此 api,您需要提供访问令牌,有关详细信息,请参阅此文档。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.