Azure Active Directory: adding a service principal to the Directory Readers role using PowerShell

Problem description

  • The command (Get-AzureRmADUser -Mail $user).Id in an Azure PowerShell Task returned null when running on a self-hosted agent in VSTS
  • The problem was that the Service Principal needs to have the permission to read from the Active Directory

How can I give the Service Principal the correct permissions to read from the Azure Active Directory?

Recommended answer

Prerequisites

  • Check that you have the appropriate permissions to get the object ID of the service principal
  • Check that you have the appropriate permissions to add the service principal to the "Directory Readers" role in the Azure Active Directory tenant (-> administrator)
  • Install the AzureAD module via Install-Module AzureAD [1]

Connect to the Azure Active Directory

  • Connect-AzureAD

Get the Id of the "Directory Readers" role

  • $roleId = (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Readers"}).ObjectId

Get the Service Principal Object ID

  • $spObjectId = (Get-AzureADServicePrincipal -SearchString "spName").ObjectId
    • This of course only works if the result contains exactly one ObjectId
    • This is not the ObjectId of the application registered in Azure Active Directory

Add service principal to the "Directory Readers" role

  • Add-AzureADDirectoryRoleMember -ObjectId $roleId -RefObjectId $spObjectId

Check if SP is assigned to the Directory Readers role

  • Get-AzureADDirectoryRoleMember -ObjectId $roleId | Where-Object {$_.ObjectId -eq $spObjectId}

If you want to remove the Service Principal from the role at a later stage

  • Remove-AzureADDirectoryRoleMember -ObjectId $roleId -MemberId $spObjectId

See also [2]

[1] Install the Azure AD module

[2] Connect to the directory in PowerShell using a service principal
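The steps of the answer above combined into one idempotent script, as an added example that is not part of the original answer. It assumes the AzureAD module is installed (Microsoft has since deprecated it in favour of Microsoft Graph PowerShell, but it is the module the answer uses) and that the caller signs in interactively as an administrator who may manage directory role assignments. It goes beyond the answer in two places: the service principal is looked up by its application (client) ID with an OData filter instead of -SearchString, so the "exactly one result" condition the answer warns about is enforced rather than assumed, and the role is activated from its template if Get-AzureADDirectoryRole does not list it yet. The parameter names $AppId, $RoleName and $Remove are choices made for this example.

```powershell
# Added example, not the original answer's code. Assumes the AzureAD module and an
# admin sign-in that is allowed to manage directory role membership.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppId,                          # application (client) ID of the pipeline's service principal
    [string]$RoleName = "Directory Readers",
    [switch]$Remove                          # remove the assignment instead of adding it
)

$ErrorActionPreference = "Stop"
Import-Module AzureAD

# 1. Connect (interactive sign-in by an administrator of the tenant).
$null = Connect-AzureAD

# 2. Resolve the role. Get-AzureADDirectoryRole only lists roles that have been
#    activated in the tenant; if the role is not there yet, activate it from its
#    template so there is an object to add the member to.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $template) { throw "No directory role template named '$RoleName'." }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$roleId = $role.ObjectId

# 3. Resolve the service principal by application ID. -SearchString matches
#    display-name prefixes and can return several objects; a filter on appId
#    matches at most one, and we fail loudly if it is not exactly one.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (@($sp).Count -ne 1) {
    throw "Expected exactly one service principal for appId $AppId, found $(@($sp).Count)."
}
# This is the service principal's own object ID, not the app registration's.
$spObjectId = $sp.ObjectId

function Test-RoleMembership {
    param([string]$RoleObjectId, [string]$MemberObjectId)
    [bool](Get-AzureADDirectoryRoleMember -ObjectId $RoleObjectId |
           Where-Object { $_.ObjectId -eq $MemberObjectId })
}

# 4. Add or remove only when the current state requires it.
$isMember = Test-RoleMembership -RoleObjectId $roleId -MemberObjectId $spObjectId
if ($Remove) {
    if ($isMember) {
        Remove-AzureADDirectoryRoleMember -ObjectId $roleId -MemberId $spObjectId
        Write-Output "Removed $($sp.DisplayName) from '$RoleName'."
    } else {
        Write-Output "$($sp.DisplayName) is not a member of '$RoleName'; nothing to remove."
    }
} else {
    if ($isMember) {
        Write-Output "$($sp.DisplayName) is already a member of '$RoleName'."
    } else {
        Add-AzureADDirectoryRoleMember -ObjectId $roleId -RefObjectId $spObjectId
        Write-Output "Added $($sp.DisplayName) to '$RoleName'."
    }
}

# 5. Verify the final state so a pipeline calling this script does not continue
#    after a silent failure.
$isMember = Test-RoleMembership -RoleObjectId $roleId -MemberObjectId $spObjectId
if ([bool]$Remove -eq $isMember) {
    throw "Membership of $($sp.DisplayName) in '$RoleName' is not in the expected state."
}
```

Run it as .\Set-DirectoryReaders.ps1 -AppId <client id> to grant the role and with -Remove once the pipeline no longer needs it; Directory Readers gives the service principal read access to the whole tenant's directory, so keep that assignment only for as long as the build actually has to resolve users.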


08-23 17:46