Azure 自动化:Runbook、RunAs 帐户:如何允许访问 AAD(例如 Get-AzADUser)?
[英]Azure Automation: Runbook, RunAs Account: How to allow access to AAD (e.g. for Get-AzADUser)?
问题描述
Good afternoon
下午好
I have selected stackoverflow for this question because probably mainly programmers are confronted with this question:我为这个问题选择了stackoverflow,因为可能主要是程序员面临这个问题:
This is the issue:这是问题:
If we call Get-AzADUser to get all AAD Users in the Azure Automation Runbook, then we get: Error 'Insufficient privileges'如果我们调用Get-AzADUser来获取 Azure 自动化运行手册中的所有 AAD 用户,那么我们会得到: Error 'Insufficient privileges'
We do it like this:我们这样做:
- We have an Automation Account with an "Azure Run As Account"我们有一个带有“Azure 运行方式帐户”的自动化帐户
- In the PowerShell Runbook we call:在 PowerShell Runbook 中,我们调用:
# Connect to AAD
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
$account = Connect-AzAccount -ServicePrincipal `
-TenantId $Conn.TenantID `
-ApplicationId $Conn.ApplicationID `
-CertificateThumbprint $Conn.CertificateThumbprint
# Get All AAD Users
$AllADUsers = Get-AzADUser
- If we start the Runbook, we get the Error:如果我们启动 Runbook,我们会得到错误:
> Get-AzADUser : Insufficient privileges to complete the operation.
> FullyQualifiedErrorId :
> Microsoft.Azure.Commands.ActiveDirectory.GetAzureADUserCommand
This is the permissions configuration:这是权限配置:
- The
Automation Accounthas setRun as accounts»Azure Run As Account(and not an Azure Classic Run As Account)Automation Account已设置Run as accounts»Azure Run As Account(而不是 Azure 经典运行方式帐户) - In fact,
Azure Run As Accountis misleading, it is a Registered App and can be found in AzureApp registrations事实上, Azure Run As Account具有误导性,它是一个注册应用程序,可以在 AzureApp registrations中找到 - The Registered App has these settings:注册的应用程序具有以下设置:
» A custom role with all permissions. » 具有所有权限的自定义角色。
» API Permissions: » API 权限:
Microsoft Graph (6)
Delegated Directory.AccessAsUser.All
Delegated Directory.ReadWrite.All
Delegated User.ReadWrite.All
Application Directory.ReadWrite.All
Application User.Export.All
Application User.ReadWrite.All
» All API Permissions are Granted for our Tenant » 所有 API 权限均授予我们的租户
Unfortunately, we still get the Error 'Insufficient privileges'不幸的是,我们仍然收到错误“权限不足”
Thanks a lot for any help!非常感谢您的帮助!
Kind regards, Thomas亲切的问候,托马斯
1 个解决方案
解决方案1
1 已采纳 2020-04-24 22:32:04
According to some test, you need to add the permissions of Azure AD but not Micorsoft Graph.根据一些测试,您需要添加 Azure AD 而不是 Micorsoft Graph 的权限。 It seems the Get-AzADUser command use Azure AD graph in the backend but not microsoft graph.似乎Get-AzADUser命令在后端使用 Azure AD 图,而不是微软图。 So we need to do the operations as below:所以我们需要进行如下操作:
After that we can use the command Get-AzADUser successfully( if you test the command in powershell, when you add the Azure AD permission, please close the powershell and reopen it and re-connect to avoid the impact of cache )之后我们就可以使用命令Get-AzADUser成功了(如果你在powershell中测试命令,当你添加Azure AD权限时,请关闭Z2F2D399F0EA8844859FE5514B30473的影响,避免重新打开缓存的影响)并重新连接B73
I test it in my side, it shows same error with yours' and it can get the users successful after adding this permission.我在我这边测试它,它显示与您相同的错误,并且在添加此权限后它可以让用户成功。 Hope it helps~希望有帮助~
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.