Azure Automation: Runbook, RunAs Account: How to allow access to AAD (e.g. for Get-AzADUser)?
Good afternoon,

I have selected Stack Overflow for this question because it is probably mainly programmers who are confronted with it:
If we call Get-AzADUser to get all AAD users in an Azure Automation runbook, we get the error 'Insufficient privileges':
```powershell
# Connect to AAD with the Automation Run As connection
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
$account = Connect-AzAccount -ServicePrincipal `
    -TenantId $Conn.TenantID `
    -ApplicationId $Conn.ApplicationID `
    -CertificateThumbprint $Conn.CertificateThumbprint

# Get all AAD users
$AllADUsers = Get-AzADUser
```

```text
Get-AzADUser : Insufficient privileges to complete the operation.
FullyQualifiedErrorId :
Microsoft.Azure.Commands.ActiveDirectory.GetAzureADUserCommand
```
- The Automation Account has Run as accounts » Azure Run As Account (and not an Azure Classic Run As Account).
- "Azure Run As Account" is misleading: it is a registered app and can be found in Azure App registrations.
- A custom role with all permissions.
- API Permissions: Microsoft Graph (6)
  - Delegated: Directory.AccessAsUser.All
  - Delegated: Directory.ReadWrite.All
  - Delegated: User.ReadWrite.All
  - Application: Directory.ReadWrite.All
  - Application: User.Export.All
  - Application: User.ReadWrite.All
- All API permissions are granted for our tenant.
Unfortunately, we still get the error 'Insufficient privileges'.

Thanks a lot for any help!

Kind regards, Thomas
According to some tests, you need to add the permissions of Azure AD, not Microsoft Graph. It seems the Get-AzADUser command uses Azure AD Graph in the backend, not Microsoft Graph. So we need to do the operations as below:

After that we can use the command Get-AzADUser successfully (if you test the command in PowerShell, after you add the Azure AD permission please close PowerShell, reopen it and re-connect to avoid the impact of the cache).

I tested it on my side; it shows the same error as yours, and it can get the users successfully after adding this permission. Hope it helps~
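Two details worth checking alongside the answer above. First, the Run As account signs in as a service principal (app-only), so only the Application-type permissions on the app registration, with admin consent granted, are ever used; the Delegated entries in the question's list do not apply to that sign-in. Second, in the question's runbook the `Get-AzADUser` error is non-terminating, so `$AllADUsers` stays empty and the runbook still reports success. The fragment below is an added example, not code from the question or the answer; it reuses the `AzureRunAsConnection` connection name from the question and assumes the Az.Accounts and Az.Resources modules are imported into the Automation account.

```powershell
# Added example (not from the question or answer): authenticate with the
# Run As connection, make the Get-AzADUser failure terminating, and point
# the operator at the permission side of the setup when it is denied.

# Cmdlet errors such as 'Insufficient privileges' are non-terminating by
# default; with the default setting $AllADUsers would simply be empty.
$ErrorActionPreference = 'Stop'

# Connection name as used in the question (assumed to exist in the account)
$Conn = Get-AutomationConnection -Name 'AzureRunAsConnection'

Connect-AzAccount -ServicePrincipal `
    -TenantId              $Conn.TenantID `
    -ApplicationId         $Conn.ApplicationID `
    -CertificateThumbprint $Conn.CertificateThumbprint | Out-Null

try {
    $AllADUsers = Get-AzADUser
    Write-Output ("Retrieved {0} AAD users" -f @($AllADUsers).Count)
}
catch {
    if ($_.Exception.Message -match 'Insufficient privileges') {
        # App-only sign-in: only Application permissions with admin consent
        # count here; Delegated permissions on the registration are unused.
        $msg = @(
            "Get-AzADUser was denied for app $($Conn.ApplicationID) in tenant $($Conn.TenantID)."
            "Check the *Application* permissions granted to the Run As app registration"
            "on the directory API that Get-AzADUser calls (Azure AD Graph, per the answer"
            "above) and confirm that admin consent has been granted for the tenant."
        ) -join ' '
        Write-Warning $msg
    }
    # Re-throw so the runbook job is marked as failed rather than completed
    throw
}
```

The runbook job fails visibly instead of completing with an empty user list, and the warning records which app registration and tenant to inspect.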