Access Azure AD B2C with MS Graph API using User-Assigned Managed Identity
I currently use the Graph API to get user info from our AD B2C tenant using a client secret.
I'd like to set up permissions for a user-assigned managed identity to use the Graph API instead of using a client secret.
Examples I've come across use PowerShell to set up permissions for Apps, or for system-assigned managed identities.
Is it possible to do this for user-assigned managed identities? How?
Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, without any credentials in your code.
Azure Logic Apps, for example, has an option when connecting to an HTTP endpoint to use its managed identity for authentication.
You can try the PowerShell script below:
# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview)
$TenantID = ""
# Microsoft Graph App ID (DON'T CHANGE): this is the well-known application id of the Microsoft Graph service principal in every tenant
$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Display name of the managed identity (for a user-assigned identity, the name of the identity resource)
$DisplayNameOfMSI = ""
# Check the Microsoft Graph documentation for the permission you need for the operation, e.g. "User.Read.All"
$PermissionName = ""
# Install the module (you need admin on the machine)
Install-Module AzureAD
Connect-AzureAD -TenantId $TenantID
# Look up the service principal that backs the managed identity
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
Start-Sleep -Seconds 10
# Look up the Microsoft Graph service principal and the application role (app permission) to grant
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles | `
    Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
# Assign the app role to the managed identity's service principal
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
    -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
After executing the script, the requested API permissions are assigned to the managed identity; you can check the permission in the Azure portal.
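As an added example (not part of the original answer), the same assignment using the Microsoft.Graph PowerShell module, which replaces the retired AzureAD module. It resolves a user-assigned identity by its client ID rather than its display name (two identities can share a name), grants exactly one application permission, and then reads the identity's role assignments back so you can confirm nothing broader was granted. The client ID, tenant ID and permission name are placeholders; it assumes you sign in to the directory in which the managed identity's service principal lives.

```powershell
# Install-Module Microsoft.Graph -Scope CurrentUser   # once per machine
$TenantId       = "<tenant-id>"                              # placeholder
$MsiClientId    = "<client-id-of-user-assigned-identity>"    # placeholder: from the identity's Overview blade
$PermissionName = "User.Read.All"                            # least privilege for reading user profiles
$GraphAppId     = "00000003-0000-0000-c000-000000000000"     # well-known Microsoft Graph app id

# Granting app roles needs these delegated scopes for the signed-in admin
Connect-MgGraph -TenantId $TenantId -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# A user-assigned identity is a service principal whose appId equals the identity's client ID
$msi = Get-MgServicePrincipal -Filter "appId eq '$MsiClientId'"
if (-not $msi) { throw "No service principal found for client id $MsiClientId" }

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$appRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "Application permission '$PermissionName' not found on Microsoft Graph" }

# Skip the grant if the identity already holds this role (the call is not idempotent)
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -BodyParameter @{
        principalId = $msi.Id       # who receives the permission
        resourceId  = $graphSp.Id   # the API being granted (Microsoft Graph)
        appRoleId   = $appRole.Id   # the specific application permission
    } | Out-Null
}

# Review: list every Graph app role the identity now holds, by permission name
$roleNames = @{}
$graphSp.AppRoles | ForEach-Object { $roleNames[$_.Id] = $_.Value }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { "{0} -> {1}" -f $msi.DisplayName, $roleNames[$_.AppRoleId] }
```

Application code then requests a token for https://graph.microsoft.com/.default with the identity's client ID (for example Azure.Identity's ManagedIdentityCredential) and no secret is stored anywhere.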