
Powershell - automated connection to Power BI service without hardcoding password

We have a PowerShell script to pull Power BI activity data (using Get-PowerBIActivityEvent), and I have been trying to automate it so that it can pull this data daily using an unattended account. The problem is the script must necessarily use the Connect-PowerBIServiceAccount cmdlet, which requires a credential. I don't want to have the passwords hard-coded anywhere (obviously), and ideally don't want to be passing it into the script as a plaintext parameter, in case of memory leaks.

I've tried using SSIS as a scheduling mechanism, since it allows for encrypted parameters in script tasks, but I can't call the PS script with a SecureString parameter since the System.Management.Automation namespace isn't in the GAC (a command-line call wouldn't be possible). I don't believe Task Scheduler would offer the functionality needed.

Does anyone know of any elegant ways to connect to the Power BI service using encrypted credentials?

In the docs of Connect-PowerBIServiceAccount there are 2 options for unattended sign-in:

  1. Using -Credential, where you pass the AAD client ID as username and the application secret key as password

  2. Using -CertificateThumbprint and -ApplicationId

For both options you need to configure a service principal and add proper permissions. I'm not going into details of how to configure that, but most probably you'd need (at least) the following application permissions:

(image: Power BI application permissions)

I'm not really sure what functionality you need in the script, but in my experience the majority of cases can be covered by a scheduled task, so the explanation below will apply to that solution.

How can you secure the credentials?

There are various possible solutions, depending on your preferences. I'd consider certificate-based authentication as more secure (the certificate is available only to the current user/all users of the machine).

What's important in certificate-based authentication: make sure that the certificate is available to the account running the script (in many cases it's a service account, not your user account).

How can I secure it more?

If you want, you can store the application ID as a secure string (I don't have SSIS to test, so I'm not sure if there's any workaround to make it work in there) or use Export-CliXml. These use the Windows Data Protection API (DPAPI), so the file can be decrypted only by the account which was used to encrypt it.

To add one more level of security (I'm not even mentioning setting correct access rights on the files, as it's obvious) you might put the file in an encrypted folder (you might already have a solution for disk encryption, so use it if you wish).


There are probably some solutions to secure the keys even better, but these ones should do the job. I'm using other Microsoft 365 modules with a similar approach (Outlook, SharePoint PnP) and it works quite well.

NOTE: If you need to use a user account instead of a service principal, make sure that you have multi-factor authentication disabled on that account for that specific application.
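The following is an added, worked version of what this answer describes: a one-time step that saves the client secret with Export-Clixml (DPAPI-protected) under the service account, and a daily job that signs in with either option 1 (-Credential) or option 2 (-CertificateThumbprint/-ApplicationId), checks the certificate is actually visible to the running account, and pulls one UTC day of activity events. It is not code from the question or the answer. The module MicrosoftPowerBIMgmt and the cmdlet parameters used are real; the account DOMAIN\svc-pbi, the paths, the tenant and application IDs, and the assumption that the tenant has been configured to let this service principal read activity events are hypothetical.

```powershell
# Added example, not from the original post. Hypothetical: DOMAIN\svc-pbi, all paths and GUIDs,
# and that the tenant allows this service principal to read activity events.
# Requires: Install-Module MicrosoftPowerBIMgmt

# ---------- Part 1: one-time setup, run INTERACTIVELY AS THE SERVICE ACCOUNT ----------
# e.g.  runas /user:DOMAIN\svc-pbi "powershell.exe -NoExit -File .\Save-PbiCredential.ps1"
# DPAPI binds the protected secret to (user, machine): a file exported under your own login
# is unreadable by svc-pbi, so this step has to run under svc-pbi on the machine that will run the task.
function Save-PbiCredential {
    param([Parameter(Mandatory)] [string] $Path)   # e.g. C:\ProgramData\PbiAudit\pbi-sp.cred.xml

    $appId  = Read-Host -Prompt 'Application (client) ID'
    $secret = Read-Host -Prompt 'Client secret' -AsSecureString   # typed once, never written to a script
    $cred   = New-Object System.Management.Automation.PSCredential ($appId, $secret)

    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $cred | Export-Clixml -Path $Path   # password is serialised as a DPAPI-protected SecureString

    # File ACL on top of DPAPI: drop inherited ACEs, allow only the saving account (read) and SYSTEM.
    icacls $Path /inheritance:r /grant:r "$env:USERDOMAIN\$env:USERNAME:(R)" "SYSTEM:(F)" | Out-Null
}

# ---------- Part 2: the daily job, run by Task Scheduler as DOMAIN\svc-pbi ----------
function Invoke-PbiActivityExport {
    param(
        [Parameter(Mandatory)] [string] $CredentialPath,
        [Parameter(Mandatory)] [string] $TenantId,          # hypothetical tenant GUID
        [Parameter(Mandatory)] [string] $OutputDir,
        [string] $CertificateThumbprint,                    # set both of these to use option 2
        [string] $ApplicationId
    )
    Import-Module MicrosoftPowerBIMgmt.Profile
    Import-Module MicrosoftPowerBIMgmt.Admin

    if ($CertificateThumbprint) {
        # Option 2: the cert must be in a store THIS account can read. Check before signing in;
        # a cert installed only under another user's profile otherwise fails with a vague auth error.
        $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
                Where-Object Thumbprint -eq $CertificateThumbprint
        if (-not $cert) { throw "Certificate $CertificateThumbprint is not visible to $env:USERNAME" }
        if (-not $cert.HasPrivateKey) { throw "Certificate $CertificateThumbprint has no usable private key" }
        Connect-PowerBIServiceAccount -ServicePrincipal -ApplicationId $ApplicationId `
            -CertificateThumbprint $CertificateThumbprint -Tenant $TenantId | Out-Null
    } else {
        # Option 1: Import-Clixml only succeeds for the account that ran Export-Clixml on this machine.
        $cred = Import-Clixml -Path $CredentialPath
        Connect-PowerBIServiceAccount -ServicePrincipal -Credential $cred -Tenant $TenantId | Out-Null
    }

    try {
        # Get-PowerBIActivityEvent accepts a window inside a single UTC day: pull all of yesterday.
        $day   = (Get-Date).ToUniversalTime().Date.AddDays(-1)
        $start = $day.ToString('yyyy-MM-ddTHH:mm:ss')
        $end   = $day.AddDays(1).AddSeconds(-1).ToString('yyyy-MM-ddTHH:mm:ss')
        $json  = Get-PowerBIActivityEvent -StartDateTime $start -EndDateTime $end

        if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }
        $outFile = Join-Path $OutputDir ('activity-{0}.json' -f $day.ToString('yyyy-MM-dd'))
        $json | Set-Content -Path $outFile -Encoding UTF8
        return $outFile
    } finally {
        Disconnect-PowerBIServiceAccount   # drop the cached token even if the pull failed
    }
}

# Usage from the script Task Scheduler runs (option 1):
# Invoke-PbiActivityExport -CredentialPath 'C:\ProgramData\PbiAudit\pbi-sp.cred.xml' `
#     -TenantId '00000000-0000-0000-0000-000000000000' -OutputDir 'C:\ProgramData\PbiAudit\out'
#
# Register the task to run as the service account. The password is asked for once here and kept
# by Task Scheduler's credential store, not in any file or script you manage:
# Register-ScheduledTask -TaskName 'PBI Activity Export' `
#     -Action  (New-ScheduledTaskAction -Execute 'powershell.exe' `
#                  -Argument '-NoProfile -File C:\ProgramData\PbiAudit\Export-PbiActivity.ps1') `
#     -Trigger (New-ScheduledTaskTrigger -Daily -At 02:00) `
#     -User 'DOMAIN\svc-pbi' -Password (Read-Host 'svc-pbi password')
```

Two points worth checking after setting this up: run `Import-Clixml` on the credential file from a different account and confirm it fails (that is DPAPI doing its job, not a bug), and run the job once manually under the service account with `runas` before scheduling it, since the certificate-store and DPAPI checks above only mean anything in that account's context.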

The relevant documentation for this ( https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal ) states that admin APIs (i.e. those served via Get-PowerBiActivityEvent) do not currently support service principals. This means it's not currently possible to use a registered app to run these cmdlets unattended.

There is a feature request open to provide this at the moment: https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/39641572-need-service-principle-support-for-admin-api
