PowerShell "Unexpected error" connecting to Azure AD with Connect-MsolService -AccessToken
I'm using the new preview version of the Azure AD PS module. I'm trying to connect using the new AccessToken parameter:
Connect-MsolService -AccessToken ey...
But I get an "Unexpected error" back.
I know the access token I'm using is good, because I can use it to call the Graph API from Postman. Has anyone used this?
Edit:
Not sure why the downvote, but just to show I've done my homework, here is the request/response the PS module makes under the hood, captured with a Fiddler trace. It contains the helpful message "The user identity header is invalid".
Request
POST https://provisioningapi.microsoftonline.com/provisioningwebservice.svc HTTP/1.1
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnect</a:Action>
<a:MessageID>urn:uuid:df0e35bd-ef05-48cd-a623-a1134b0b2ed6</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<UserIdentityHeader xmlns="http://provisioning.microsoftonline.com/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<BearerToken xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">Bearer ey...</BearerToken>
<LiveToken i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService"/>
</UserIdentityHeader>
<ClientVersionHeader xmlns="http://provisioning.microsoftonline.com/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<ClientId xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">50afce61-c917-435b-8c6d-60aa5a8b8aa7</ClientId>
<Version xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">1.1.8806.11</Version>
</ClientVersionHeader>
<ContractVersionHeader xmlns="http://becwebservice.microsoftonline.com/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<BecVersion xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService">Version32</BecVersion>
</ContractVersionHeader>
<TrackingHeader xmlns="http://becwebservice.microsoftonline.com/">bf71f0c6-add7-4046-9209-bfd584ca3c28</TrackingHeader>
<a:To s:mustUnderstand="1">https://provisioningapi.microsoftonline.com/provisioningwebservice.svc</a:To>
</s:Header>
<s:Body>
<MsolConnect xmlns="http://provisioning.microsoftonline.com/">
<request xmlns:b="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:BecVersion>Version4</b:BecVersion>
<b:TenantId i:nil="true"/>
<b:VerifiedDomain i:nil="true"/>
</request>
</MsolConnect>
</s:Body>
</s:Envelope>
I can't reproduce your issue. Let me show you what I did to get it working: I first obtained an access token for a native client application targeting the Graph API:
$clientId = "<GUID>";
$tenantId = "<tenant>.onmicrosoft.com";
$resourceId = "https://graph.windows.net"
$redirectUri = new-object System.Uri("urn:ietf:wg:oauth:2.0:oob")
$login = "https://login.microsoftonline.com"
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext("{0}/{1}" -f $login,$tenantId);
$authenticationResult = $authContext.AcquireToken($resourceId,$clientID,$redirectUri);
$token = $authenticationResult.AccessToken
What kind of access token are you getting? Would you mind sharing it with me, or at least the decoded JWT without the signature?
If you'd like to take this elsewhere, feel free to reach out to us at
AADPowerShellPreview@microsoft.com
Please include the log file found here:
C:\Users\[youralias]\AppData\Local\Microsoft\Office365\Powershell

Hmm, I think my application is defined as a web app rather than a native app. Would that make a difference? I'll try with a native app. I'm developing a script that will run from Azure Automation, so I'll be using the client credentials flow to get the access token. Native apps don't have a key and can't do the client credentials flow, so I need to stick with the web app setup in AAD. I've updated the question with the command I use to get the token. I also tried emailing the address in the answer but it keeps bouncing.

I don't believe you'll be able to sign in this way using the client credentials flow. I think you must have a user context, and more specifically, because AAD PowerShell is a native client, you need a native client token to do this. The email should be updated now.

OK, so I can't connect to AAD with a service principal the way I can with ARM? That means I have to create an AAD user account without MFA and grant it global admin rights in order to script any automated admin activity.
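The answer asks for the decoded JWT without its signature, and the comments turn on whether the token carries a user identity (native client, interactive sign-in) or is app-only (client credentials). The script below is an added diagnostic, not code from the question, the answer or the MSOnline module: it decodes the payload of an Azure AD v1 token locally (no signature check; only the service does that) and reports the audience, expiry and whether a user claim is present, so the claims can be inspected before the token is handed to Connect-MsolService. The sample tokens at the end are constructed with a dummy signature segment and placeholder GUIDs, and the expected audience defaults to the https://graph.windows.net resource used on this page; claim names (aud, exp, appid, upn, unique_name, oid, tid) are the standard v1 claims.

```powershell
# Added example; not from the original question, answer, or the MSOnline module.
# Decodes an Azure AD (v1) JWT payload WITHOUT verifying the signature, so that the
# claims can be checked before the token is passed to Connect-MsolService -AccessToken.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # Base64url -> Base64: restore the standard alphabet and the padding
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    return [Convert]::FromBase64String($b64)
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT (expected header.payload.signature)" }
    $json = [System.Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1]))
    return $json | ConvertFrom-Json
}

function Test-MsolAccessToken {
    # Reports what a human would otherwise dig out of the Fiddler trace.
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$ExpectedAudience = 'https://graph.windows.net'   # resource used on this page
    )
    $c = ConvertFrom-JwtPayload $Token
    $problems = @()
    if ($c.aud -ne $ExpectedAudience) {
        $problems += "aud is '$($c.aud)', expected '$ExpectedAudience'"
    }
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if (-not $c.exp -or [int64]$c.exp -lt $now) {
        $problems += "token is expired or has no exp claim"
    }
    # Client-credentials (app-only) tokens carry appid/oid but no user claim; per the
    # answer above, MsolConnect needs a user context.
    $hasUser = [bool]($c.upn -or $c.unique_name)
    if (-not $hasUser) {
        $problems += "no upn/unique_name claim: app-only token, service expects a user identity"
    }
    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        AppId    = $c.appid
        User     = if ($hasUser) { if ($c.upn) { $c.upn } else { $c.unique_name } } else { $null }
        Tenant   = $c.tid
        Problems = $problems
    }
}

# --- constructed sample tokens: unsigned, dummy signature segment, placeholder ids ---
function New-TestJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes('{"typ":"JWT","alg":"none"}'))
    $payload = ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    return ('{0}.{1}.dummysig' -f $header, $payload)
}

$future = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$userToken = New-TestJwt @{ aud = 'https://graph.windows.net'; exp = $future;
                            appid = '00000000-0000-0000-0000-000000000001';
                            upn = 'admin@contoso.onmicrosoft.com'; tid = 'tenant-guid-placeholder' }
$appToken  = New-TestJwt @{ aud = 'https://graph.windows.net'; exp = $future;
                            appid = '00000000-0000-0000-0000-000000000001';
                            oid = 'sp-object-id-placeholder'; tid = 'tenant-guid-placeholder' }

Test-MsolAccessToken $userToken | Format-List
Test-MsolAccessToken $appToken  | Format-List
```

Run it against a real token in place of the constructed ones (for example `Test-MsolAccessToken $authenticationResult.AccessToken`); the decoded payload is what the answer asks for, and a token that fails the user-claim check is the client-credentials case discussed in the comments rather than a problem with the token's validity.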
Response
HTTP/1.1 500 Internal Server Error
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnectInvalidHeaderExceptionFault</a:Action>
<a:RelatesTo>urn:uuid:df0e35bd-ef05-48cd-a623-a1134b0b2ed6</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-US">The creator of this fault did not specify a Reason.</s:Text>
</s:Reason>
<s:Detail>
<InvalidHeaderException xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<HelpLink i:nil="true"/>
<Message>The user identity header is invalid.</Message>
<OperationId i:nil="true"/>
<Source>Microsoft.Online.Administration.PublicBecWebService</Source>
<StackTrace> at Microsoft.Online.Administration.WebService.BecWebServiceAuthenticationManager.ValidateJwtTokenV2(String bearerToken) in x:\bt\533229\repo\src\dev\om\administration\publicbecwebservice\BecWebServiceAuthenticationManager.cs:line 371
at Microsoft.Online.Administration.WebService.BecWebServiceAuthenticationManager.CheckAccessCore(OperationContext operationContext) in x:\bt\533229\repo\src\dev\om\administration\publicbecwebservice\BecWebServiceAuthenticationManager.cs:line 723</StackTrace>
</InvalidHeaderException>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>
$clientId = "20bc779d-0edb-4a00-becf-xxx"
$redirectUri = new-object System.Uri("urn:ietf:wg:oauth:2.0:oob")
$resourceId = "https://graph.windows.net"
$authority = "https://login.windows.net/mydirectory.onmicrosoft.com"
$key = ConvertTo-SecureString $keyFromAzurePortal -AsPlainText -Force
$cred = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential ($clientId, $key)
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext($authority)
$authResult = $authContext.AcquireToken($resourceId, $cred)
PS C:\Users\shtabriz> Connect-MsolService -AccessToken eyJ0eXAiOiJKV1QiLCJ...
PS C:\Users\shtabriz> Get-MsolUser
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
test@shawntest.onmicrosoft.com TestMe False
shtabriz_microsoft.com#EXT#@shawntest.onmicrosoft.com Shawn Tabrizi False
admin@shawntest.onmicrosoft.com ShawnTabriziAdmin False
Alex@shawntest.onmicrosoft.com Alex Wu False
language@shawntest.onmicrosoft.com Language False
languageportal@shawntest.onmicrosoft.com Language Portal False