有一种方法可以将该应用程序角色权限添加到托管身份。使用 Azure 门户无法做到这一点。您可以在 Azure 门户中验证以下步骤是否有效。此方法无需您自己创建委托人,并且无需保存客户 ID/秘密簿记。
当您使用 Powershell 时,可以将 Mail.Read 应用程序角色权限添加到托管身份,无论是系统托管身份还是用户托管身份。还有其他方法可以执行相同的步骤,例如Azure CLI。但以下是我所知道的有效并使用过的。
这些步骤可用于具有可分配应用角色的任何身份和应用程序。因此,您还可以添加 Sharepoint 权限以列出站点,打开 Excel 工作表。但请记住,Microsoft 应用程序角色大多是全有或全无。它违反了最低权限原则。
我很想知道一种避免违反原则的通用方法。
要将应用角色权限分配给托管身份,我们需要了解以下几点:
...的ID
- ...托管身份(例如“logic-app-identity”)
- ...具有应用程序角色的应用程序(例如“Microsoft Graph”)
- ...分配给托管标识的应用程序角色的 ID(例如“Mail.Read”)
然后我们可以将应用角色分配给托管标识。
为可读性设置一些变量
$managed_identity_name = "logic-app-identity"
$application_with_the_required_role_name = "Microsoft Graph"
$application_role_to_assign_name = "Mail.Read"
使用 AzureAD 模块并登录。
使用来自 here 的 AzureAd 模块
Import-Module AzureAd
Connect-AzureAd #shows popup to login
1。获取托管标识 id
# filter first server side, and in case of multiple results, the where ensures a single result
# -All is necessary because a managed identity is a sort of service principal
$managed_identity_id = (Get-AzureADServicePrincipal -All $true -SearchString $managed_identity_name | where DisplayName -eq $managed_identity_name).ObjectId
2。获取具有请求的应用程序角色的应用程序
# -SearchString on "Microsoft Graph" returns two results, therefore the where clause to ensure a single result
# storing the returned object, because it contains the approles array
$application_with_the_required_role = (Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | where DisplayName -eq "Microsoft Graph")
# fun fact: the ObjectId of the "Microsoft Graph" application is always: 94d0e336-e38a-4bfc-9b21-8fbb74b6b835
$application_with_the_required_role_id = $application_with_the_required_role.ObjectId
3。获取要分配给托管标识的应用程序角色 ID
# the required id is now simply called Id
# fun fact: the ObjectId of the "Mail.Read" app role is always: 810c84a8-4a9e-49e6-bf7d-12d183f40d01
$application_role_to_assign_id = ($application_with_the_required_role.AppRoles | where Value -eq $application_role_to_assign_name).Id
将应用角色分配给托管标识
New-AzureADServiceAppRoleAssignment -ObjectId $managed_identity_id -PrincipalId $managed_identity_id -ResourceId $application_with_the_required_role_id -Id $application_role_to_assign_id
奖励:验证作业
# should list the assigned application to the identity, dig further for the specific app role
# (I don't know how :S)
Get-AzureADServiceAppRoleAssignedTo -ObjectId $managed_identity_id | fl
# and the other way around to list the identities assigned to the application
Get-AzureADServiceAppRoleAssignment -ObjectId $application_with_the_required_role_id | fl