Azure Runbook可以';t修改Azure广告应用程序
我正试图在Azure自动化运行手册中执行此操作Azure Runbook可以';t修改Azure广告应用程序,azure,azure-active-directory,azure-runbook,Azure,Azure Active Directory,Azure Runbook,我正试图在Azure自动化运行手册中执行此操作 $app = Get-AzureADApplication -ObjectId $ApplicationId $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string] $appRole.AllowedMemberTypes.Add
$app = Get-AzureADApplication -ObjectId $ApplicationId
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $TenantName + " Users"
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = "Users of the tenant"
$appRole.Value = $TenantName
$app.AppRoles.Add($appRole)
Set-AzureADApplication -ObjectId $ApplicationId -AppRoles $app.AppRoles
读取应用程序工作正常,当我打印应用程序变量时,我可以看到它是正确的应用程序。从我自己的机器上执行脚本也不会出错。然而,通过runbook执行它给了我:
Set-AzureADApplication : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
到目前为止,我已授予Azure AD中的自动化应用程序注册Active Directory API的所有权利。我还单击了“授予权限”。我知道这是正确的应用程序注册,因为当我在开始工作的“Graph Api”上授予正确的权限时,脚本还会邀请外部用户
我在一本运行手册中试用了您的确切脚本,为了使其正常工作,我必须在您的PowerShell脚本之前添加“作为服务主体登录”的代码。您可以在此处查看更多详细信息: 在权限方面,我只授予了1个应用程序权限(即“读写所有应用程序”),然后单击“授予权限”,因为它确实需要管理员同意。步骤由my Azure AD中具有“全局管理员”目录角色的用户完成 以下是我的最后一个工作PowerShell脚本(从编辑runbook复制):
下面是我遵循的其他一些重要步骤的截图,您可能已经完成了,也可能尚未完成
在你对我的另一篇文章发表评论后,我自己也试了一本跑步手册。详情请参阅答案。我希望它能解决你的问题。我发誓我昨天做了这一切。今天我撤销了所有权限,只添加了您指定的权限。它开始起作用了。
# Get Azure Run As Connection Name
$connectionName = "AzureRunAsConnection"
# Get the Service Principal connection details for the Connection name
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
# Logging in to Azure AD with Service Principal
"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
$ApplicationId = "redacted-xxxx-xxxx-xxxx-xxxxxxxe3"
$TenantName = "RohitTenant"
$app = Get-AzureADApplication -ObjectId $ApplicationId
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $TenantName + " Users"
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = "Users of the tenant"
$appRole.Value = $TenantName
$app.AppRoles.Add($appRole)
Set-AzureADApplication -ObjectId $ApplicationId -AppRoles $app.AppRoles