"Unary Operator Expected" error when deploying ps1 script using Azure Cloud Shell
I have a PowerShell script that creates an Azure App Registration and Service Principal and gives it permissions in a Management Group. A majority of it functions properly; the issue I'm having with the script is granting admin consent to the permissions granted to the application registration.

In the script below you'll notice I attempt this by calling the API via an `az rest` command, but this returns `unary operator expected '--'`. Has anyone had any luck with using the az CLI in Azure Cloud Shell and programmatically granting admin consent on app registrations?
```powershell
#!/usr/local/bin/pwsh
# This PowerShell script creates an app registration and assigns it the Owner role on a management group.
# Command used to run the script:
#   ./test-appregistration.ps1 -ManagementGroupName <Management Group Name> -AppRegistrationName <App Name> -ReplyURL <Redirect URL>

# Input variable(s)
param(
    [Parameter(Mandatory = $true)]
    [string] $ManagementGroupName,
    [Parameter(Mandatory = $true)]
    [string] $AppRegistrationName,
    [Parameter(Mandatory = $true)]
    [string] $ReplyURL
)

### Microsoft Graph permission IDs used in the $permissions array, in "<id>=<Scope|Role>" form
### (Scope = delegated permission, Role = application permission)
# UserRead           = "06da0dbc-49e2-44d2-8312-53f166ab848a=Scope"
# DirectoryReadAll   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope"
# UserReadAll        = "62a82d76-70ea-41e2-9197-370581804d09=Role"
# GroupsReadWriteAll = "df021288-bdef-4463-88db-98f22de89214=Role"

# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph application (client) ID
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirm the Azure CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
    Write-Host "AZ CLI not installed; aborting script execution."
    throw "Azure CLI not installed. Please install the Azure CLI and try again"
}
$azcli = (az version -o json | ConvertFrom-Json).'azure-cli'
Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
Start-Sleep -s 3

# Check if logged into Azure ('az account show' exits non-zero when there is no session)
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>$null
if ($LASTEXITCODE -ne 0) {
    Write-Host "Logging into Azure"
    az login
}
else {
    Write-Host "You are already logged in, your current context is $azContext"
}

# Create a client secret
# NOTE: Get-Random is not a cryptographically secure generator; letting Azure generate the secret
# ('az ad app credential reset') avoids this and keeps the value out of the script's variables.
$pwArr = '!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'.ToCharArray()
$Password = ($pwArr | Get-Random -Count 20) -join ''

# App registration creation
# (Azure CLI < 2.37 syntax; from 2.37 on, --reply-urls became --web-redirect-uris, the --password,
#  --credential-description and --end-date options moved to 'az ad app credential reset', and
#  object IDs are returned as 'id' rather than 'objectId'.)
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a service principal for the app registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."
# No --scope given, so this assignment lands on the current subscription
az role assignment create --role "User Access Administrator" --assignee-object-id $appSP --assignee-principal-type ServicePrincipal
# Delegated (OAuth2) grant for the app against Microsoft Graph
az ad app permission grant --id $appId --api $MSGraphId

# Add API permissions to the app registration
foreach ($permission in $permissions) {
    az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

# Grant the application permissions (app roles) by creating appRoleAssignments through Microsoft Graph.
# This is the step that fails in Cloud Shell with "unary operator expected '--'".
# Graph addresses service principals by object ID, so resolve Microsoft Graph's own SP first;
# the assignment is POSTed to the *client* SP, with the Graph SP as resourceId.
$graphSP = az ad sp show --id $MSGraphId --query "objectId" -o tsv
foreach ($permission in $permissions) {
    $roleId, $type = $permission -split '='
    if ($type -ne 'Role') { continue }   # only application permissions are app roles
    $body = @{ principalId = $appSP; resourceId = $graphSP; appRoleId = $roleId } | ConvertTo-Json -Compress
    az rest --method POST --uri "https://graph.microsoft.com/beta/servicePrincipals/$appSP/appRoleAssignments" --headers "Content-Type=application/json" --body $body
}

# Retrieve the object ID of the service principal (same value as $appSP above)
$spId = az ad sp show --id $appId --query "objectId" -o tsv
Write-Host "$AppRegistrationName Service Principal Object Id is $spId"
Start-Sleep -s 5

# Assign the service principal the Owner role on the management group
az role assignment create --role "Owner" --assignee-object-id $spId --assignee-principal-type ServicePrincipal --scope "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"
Write-Host "$AppRegistrationName assigned Owner permissions to Management Group $ManagementGroupName"
Start-Sleep -s 5

# Required output from the script
# $domain was never set in the original script; look up the tenant's verified domains through Graph.
$domain = az rest --method GET --uri "https://graph.microsoft.com/v1.0/domains" --query "value[?isVerified].id" -o tsv
Write-Output "`nDomain name(s) for Azure AD Tenant is/are $domain"
Write-Output "`nApp Registration Client Id = $appId"
Write-Output "`nClient Secret of App Registration = $Password"
```
If you want to complete Azure AD admin consent with Azure CLI, you can use the command `az ad app permission admin-consent`. For more details, please refer to here.

For example:
```powershell
# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph application (client) ID
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirm the Azure CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
    Write-Host "AZ CLI not installed; aborting script execution."
    throw "Azure CLI not installed. Please install the Azure CLI and try again"
}
$azcli = (az version -o json | ConvertFrom-Json).'azure-cli'
Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
Start-Sleep -s 3

# Check if logged into Azure ('az account show' exits non-zero when there is no session)
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>$null
if ($LASTEXITCODE -ne 0) {
    Write-Host "Logging into Azure"
    az login
}
else {
    Write-Host "You are already logged in, your current context is $azContext"
}

# Create a client secret (Get-Random is not a CSPRNG; 'az ad app credential reset' is the safer option)
$pwArr = '!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'.ToCharArray()
$Password = ($pwArr | Get-Random -Count 20) -join ''
$AppRegistrationName = "testapp458"
$ReplyURL = "http://localhost"

# App registration creation (Azure CLI < 2.37 option names)
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a service principal for the app registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."
az role assignment create --role "User Access Administrator" --assignee-object-id $appSP --assignee-principal-type ServicePrincipal
az ad app permission grant --id $appId --api $MSGraphId

# Add API permissions to the app registration
foreach ($permission in $permissions) {
    az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

# Grant tenant-wide admin consent for everything the registration requests (delegated and application)
az ad app permission admin-consent --id $appId
```
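The one thing neither script above does is check that consent actually landed, which matters because `az ad app permission admin-consent` returns quietly and the app roles in question (User.Read.All, Group.ReadWrite.All) are tenant-wide. The following is an added example, not code from the question or the answer: it consents with the CLI command from the answer and then verifies through Microsoft Graph that every requested Graph permission now exists as an appRoleAssignment (application permissions) or an AllPrincipals oauth2PermissionGrant (delegated permissions). The same check tells you whether an `az rest` POST like the one in the question took effect. It assumes Azure CLI 2.37 or later (the Microsoft Graph based `az ad` commands, which return `id` instead of `objectId`), a signed-in Global Administrator, and an app registration whose permissions were already added with `az ad app permission add`; the `$AppId` parameter and `$GraphBase` variable are this example's own names.

```powershell
#!/usr/bin/env pwsh
# Added example (not part of the original question or answer): grant tenant-wide admin consent
# with 'az ad app permission admin-consent', then verify through Microsoft Graph that every
# permission the app registration requests was actually consented.
# Assumptions: Azure CLI 2.37+ ('az ad' commands return 'id' rather than 'objectId'), a signed-in
# Global Administrator, and an existing registration whose permissions are already added.
param(
    [Parameter(Mandatory = $true)] [string] $AppId   # client (application) ID of the registration
)
$ErrorActionPreference = 'Stop'
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph application ID
$GraphBase  = 'https://graph.microsoft.com/v1.0'

# Graph addresses service principals by object ID, not application ID, so resolve both.
$appSpId   = az ad sp show --id $AppId --query id -o tsv
$graphSpId = az ad sp show --id $GraphAppId --query id -o tsv

# 1. What the registration asks for from Graph, split into Role (application) and Scope (delegated).
$requested = az ad app show --id $AppId `
    --query "requiredResourceAccess[?resourceAppId=='$GraphAppId'].resourceAccess[]" -o json | ConvertFrom-Json
$wantedRoles  = @($requested | Where-Object type -eq 'Role'  | ForEach-Object id)
$wantedScopes = @($requested | Where-Object type -eq 'Scope' | ForEach-Object id)
Write-Host "Requested app roles: $($wantedRoles -join ', ')"
Write-Host "Requested delegated scopes: $($wantedScopes -join ', ')"

# 2. Consent to everything at once (requires a Global Administrator or Privileged Role Administrator).
az ad app permission admin-consent --id $AppId

# 3. Application permissions: each consented app role is an appRoleAssignment on the app's own SP
#    whose resourceId is Microsoft Graph's SP.
$grantedRoles = @(az rest --method GET `
    --url "$GraphBase/servicePrincipals/$appSpId/appRoleAssignments" `
    --query "value[?resourceId=='$graphSpId'].appRoleId" -o tsv)
$missingRoles = @($wantedRoles | Where-Object { $_ -notin $grantedRoles })

# 4. Delegated permissions: admin consent creates an oauth2PermissionGrant with consentType
#    'AllPrincipals' whose 'scope' string lists permission *names*, so map the requested IDs to
#    names using Microsoft Graph's own service principal definition.
$graphSp    = az ad sp show --id $GraphAppId -o json | ConvertFrom-Json
$scopeNames = @($wantedScopes | ForEach-Object {
    $id = $_
    ($graphSp.oauth2PermissionScopes | Where-Object id -eq $id).value
})
$grantedScopes = @((az rest --method GET `
    --url "$GraphBase/servicePrincipals/$appSpId/oauth2PermissionGrants" `
    --query "value[?consentType=='AllPrincipals' && resourceId=='$graphSpId'].scope" -o tsv) -split '\s+' |
    Where-Object { $_ })
$missingScopes = @($scopeNames | Where-Object { $_ -notin $grantedScopes })

if ($missingRoles.Count -gt 0 -or $missingScopes.Count -gt 0) {
    throw "Admin consent incomplete. Missing app roles: $($missingRoles -join ', '); missing scopes: $($missingScopes -join ', ')"
}
Write-Host "Admin consent verified for $AppId (roles: $($grantedRoles -join ', '); scopes: $($grantedScopes -join ' '))"
```

Run it as `./verify-consent.ps1 -AppId <client id>` after the permissions have been added. `az ad app permission admin-consent` expects a signed-in user with the right directory role, not a service principal login, so it belongs in the interactive Cloud Shell step rather than in automation that runs as the app itself. Reading back `appRoleAssignments` and `oauth2PermissionGrants` separately is deliberate: the two permission types are recorded as different Graph objects, and a consent that silently succeeded for delegated scopes but not for app roles (or the reverse) is only visible if both are checked.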