问题描述
我可以使用 Azure 或使用 az
cli 从门户控制台创建服务主体.
I'm able to create a service principal either using Azure or from the portal console with the az
cli.
az ad sp create-for-rbac --name "myspuser" --password "adfhrrreeuwrgwejdfgds"
然后我在订阅级别分配所有者角色并在 powershell 控制台中登录.
Then I assign the owner role at subscription level and log-in in a powershell console.
Login-AzureRmAccount -Credential (New-Object System.Management.Automation.PSCredential ('a92b2ea2-aaaa-0000-0a0a-1238ec953226', $(ConvertTo-SecureString 'abcewior23h23ius' -AsPlainText -Force))) -ServicePrincipal -TenantId 0cedca99-00f4-40d1-aa41-80d67ece2de8;
在这里我几乎可以做任何事情,比如部署机器,除了检查其他用户.
Here I can do almost anything like deploy machines except check for other users.
当我执行时
Get-AzureRmADServicePrincipal
我得到的只是 Get-AzureRmADServicePrincipal : 权限不足,无法完成操作.
这适用于我的标准用户登录.
All that I get is Get-AzureRmADServicePrincipal : Insufficient privileges to complete the operation.
This works with my standard user login.
我的目标是创建一种自动化,用户可以在其中使用 MSDN 订阅中的 jenkins 通过 ARM 模板部署完整的环境.由于powershell不支持某些登录名,我想让我的用户为此使用服务主体.我的自动化需要使用需要读取资源组机器属性的 jenkins 从 linux 机器上创建一个 SP.
My goal is to create an automation where users can deploy a full environment via ARM templates using jenkins in their MSDN subscription. As some logins a are not supported from powershell I would like to make my users use a service principal for that. My automation requires creating a SP that will be used from a linux machine using jenkins that needs to read resource group machines properties.
我在这里缺少什么?如何分配服务主体用户权限以管理其他服务主体帐户?
What I am missing here? How can I assign a service principal user rights to manage other service principal accounts?
推荐答案
所有者角色不适用于 Azure AD,目录角色仅适用于用户.Service Pricipal = 应用程序而不是用户.虽然用户可以链接到服务主体,但我个人还没有看到它的实际用途..
The owner role doesn't apply to Azure AD and the Directory Roles only apply to users.Service Pricipal = Application and not a user.Users can be linked to the service principal though, but I haven't seen an actual use for that personally..
要使用服务主体管理服务主体,您需要分配 API 权限.我不能告诉你如何使用 Powershell 来做到这一点,因为我还没有找到它的命令,很遗憾.提示提示 microsoft azure.您进入门户,从 AAD 打开应用程序并转到 API 权限.您将能够为旧版 Azure AD 和 MS Graph 分配权限.
To manage service principals with a service principal you need to assign API permissions.I can't tell you how to do this using Powershell as I have not found the commands for it, quite a shame. Hint hint microsoft azure.You go into the portal, open the application from AAD and go to API permissions. You will be able to assign permissions for both legacy Azure AD as well as MS Graph.
根据我的经验,旧版 AAD 权限在更多情况下有效,并且提供了更多粒度,但我确实将其报告为一个问题,并且可能会更改为 MS Graph 权限是前进的方向.
In my experience the legacy AAD permissions worked in more cases and offered more granularity, but I did report it as an issue and it may be changed that the MS Graph permissions are the way forward.
我知道这是一个老话题,但我仍然想回答,因为它在我自己搜索其他问题时突然出现.:)
I know it's an old topic, but still felt like answering as it popped up in my own search for some other issue. :)
edit:允许服务主体 API 权限管理应用程序,您将能够让应用程序管理其他应用程序.但是,您确定要让普通用户能够管理这些应用程序吗?它可能会产生深远的安全影响,具体取决于您授予该服务主体多少特权.
edit: Allowing a service principal API permissions to manage applications you will be able to let an application manage other applications.However, are you realy sure you want to give regular users the ability to manage these applications? It can have far going security implications depending on how much privileges you give this one service principal.
这篇关于Azure 服务主体权限不足,无法管理其他服务主体的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!