
Permissions to change Azure VM Local Admin Password using App Registration

I found this answer, in which the author shows how to change the local administrator password on a VM. I would like to know how to make this request call using an App Registration account from Active Directory. What permissions do I need to grant to this App Registration (and how)?

I am using MSAL to get an access token like this (in Python):

import logging
import msal


def az_get_access_token(client_id, authority, secret, default_scope):
    # Create a preferably long-lived app instance which maintains a token cache.
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=authority,
        client_credential=secret,
        # token_cache=...  # Default cache is in memory only.
        # To learn how to use SerializableTokenCache from
        #   https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
    )

    # Get access token (client-credential flow, so there is no user account)
    result = app.acquire_token_silent(scopes=[default_scope], account=None)

    if not result:
        logging.debug("No suitable token exists in cache. Let's get a new one from AAD.")
        result = app.acquire_token_for_client(scopes=[default_scope])

    if 'access_token' not in result:
        logging.error('Azure error: %s, description: %s' % (result.get('error'), result.get('error_description')))
        raise RuntimeError('could not acquire an access token: %s' % result.get('error'))

    access_token = result['access_token'] # JWT access token

    return access_token

and then call the REST API like this:

import json
import requests

access_token = az_get_access_token(client_id, authority, app_secret, default_scope)

# VMAccess extension body: the password goes in protectedSettings, which the
# platform encrypts before it reaches the VM agent; settings is sent in the clear.
vm_pwd_change_payload = {
    'properties': {
        'publisher': 'Microsoft.Compute',
        'type': 'VMAccessAgent',
        'typeHandlerVersion': '2.0',
        'autoUpgradeMinorVersion': True,
        'settings': {
            'UserName': local_admin_user_name
        },
        'protectedSettings': {
            'Password': local_admin_new_password
        }
    },
    'location': "West US"
}

# This PUT targets the VM resource itself (see the answer for the extension URL).
vm_pwd_update_change_resp = requests.put(
    'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s?api-version=2020-12-01' % (subscriptionId, resourceGroupName, vmName),
    headers={
        'Authorization': 'Bearer ' + access_token,
        'Content-Type': 'application/json'
    },
    data=json.dumps(vm_pwd_change_payload)
)

if not vm_pwd_update_change_resp.ok:
    print("Reason: %s" % vm_pwd_update_change_resp.reason)
    print("\t%s" % vm_pwd_update_change_resp.text)
else:
    print("CHANGED!!!!!!")

(Also, I'm not sure what to put in scope and authority.)

Set https://login.microsoftonline.com/{tenant id} as the authority and https://management.azure.com/.default as the scope.

For the permissions: since application permissions for the Azure REST API are not available in the App Registration (the option is greyed out), we can assign an RBAC role to the App Registration account instead. Detailed steps are here.

Find the VM -> Access Control -> Add -> Add role assignment -> select a role (e.g. Contributor) and enter the name of your App Registration.

As you found, after that you have to change URL to the following: https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s/extensions/enablevmaccess?api-version=2020-12-01
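Added example, not code from the question or the answer: stdlib-only Python helpers around the call the answer describes. They assemble the authority and scope from the answer, the enablevmaccess extension URL (rather than the VM URL used in the question), and the VMAccess body, redact protectedSettings before logging, read the aud claim of a token to check the scope was right, and map the ARM status codes a misconfigured app usually gets (401 for a bad authority/scope, 403 AuthorizationFailed for a missing role assignment). The custom role definition is an assumption the page does not confirm: the answer only says Contributor works, and since a role that can run VMAccess can reset the admin password of every VM in its scope, the client secret deserves the narrowest scope you can give it. The sample token is constructed locally and carries no real signature.

```python
import base64
import json
import re

# From the answer: ARM scope for the client-credential flow and the audience
# claim a token obtained with that scope carries.
ARM_SCOPE = "https://management.azure.com/.default"
ARM_AUDIENCE = "https://management.azure.com/"
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def build_authority(tenant_id):
    """Tenant-specific authority from the answer. Requiring a tenant GUID stops a
    typo from sending the client secret to an unintended login endpoint."""
    if not _GUID.match(tenant_id):
        raise ValueError("tenant_id must be a tenant GUID, got %r" % tenant_id)
    return "https://login.microsoftonline.com/" + tenant_id


def build_vmaccess_url(subscription_id, resource_group, vm_name,
                       api_version="2020-12-01"):
    """URL of the enablevmaccess extension resource from the answer; the PUT in
    the question targets the VM itself, which is the wrong resource."""
    for part in (subscription_id, resource_group, vm_name):
        if not re.fullmatch(r"[A-Za-z0-9._()-]+", part):
            raise ValueError("unexpected characters in path segment: %r" % part)
    return ("https://management.azure.com/subscriptions/%s/resourceGroups/%s"
            "/providers/Microsoft.Compute/virtualMachines/%s"
            "/extensions/enablevmaccess?api-version=%s"
            % (subscription_id, resource_group, vm_name, api_version))


def build_vmaccess_payload(location, username, new_password):
    """Body from the question. Only protectedSettings is encrypted on its way
    to the VM agent, so the password belongs there and nowhere else."""
    return {
        "location": location,
        "properties": {
            "publisher": "Microsoft.Compute",
            "type": "VMAccessAgent",
            "typeHandlerVersion": "2.0",
            "autoUpgradeMinorVersion": True,
            "settings": {"UserName": username},
            "protectedSettings": {"Password": new_password},
        },
    }


def redact_for_log(payload):
    """Deep copy of the payload with every protectedSettings value masked."""
    clean = json.loads(json.dumps(payload))
    props = clean.get("properties", {})
    if "protectedSettings" in props:
        props["protectedSettings"] = {k: "***" for k in props["protectedSettings"]}
    return clean


def least_privilege_role(assignable_scope):
    """Custom role to assign instead of Contributor. Assumption, not from the
    page: extensions/write plus the read actions is what the PUT needs."""
    return {
        "Name": "VMAccess Password Reset",
        "IsCustom": True,
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/extensions/read",
            "Microsoft.Compute/virtualMachines/extensions/write",
        ],
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }


def token_audience(jwt):
    """aud claim of an access token, read without verifying the signature.
    Local diagnostic only (ARM verifies the signature): shows whether a wrong
    scope produced a token for the wrong audience."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    body = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(body)).get("aud")


def classify_response(status, body_text):
    """What to do with ARM's reply to the extension PUT."""
    if status in (200, 201):
        return "ok"
    if status == 202:
        return "accepted"        # provisioning continues asynchronously
    if status == 401:
        return "token-invalid"   # wrong authority/scope, expired, or wrong audience
    if status == 403:
        try:
            code = json.loads(body_text)["error"]["code"]
        except (ValueError, KeyError, TypeError):
            code = ""
        # AuthorizationFailed is ARM's answer when no role covers this scope
        return "rbac-missing" if code == "AuthorizationFailed" else "forbidden"
    return "error"


def _unsigned_token(claims):
    """Constructed sample token with a dummy signature, only for token_audience."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"


# Constructed sample: the aud a token for ARM_SCOPE carries; appid is a placeholder.
SAMPLE_TOKEN = _unsigned_token({"aud": ARM_AUDIENCE,
                                "appid": "00000000-0000-0000-0000-000000000000"})
```

Assign the custom role (or Contributor, as in the answer) at the VM scope only, and log `redact_for_log(payload)` rather than the raw body.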

