service-principal

问题 After my azure pipeline has create an azure sql db I'd like execute some sql. The sql in question must be executed by an AAD authenticated user. The service connection for the pipeline is an AAD authenticated user of the database. If Im willing for the script to consume the service principals secret, then I can construct an OAuth call to retrieve a bearer token and use that to connect to the database. However since the powershell script is running in the context of the service principal I

问题 After my azure pipeline has create an azure sql db I'd like execute some sql. The sql in question must be executed by an AAD authenticated user. The service connection for the pipeline is an AAD authenticated user of the database. If Im willing for the script to consume the service principals secret, then I can construct an OAuth call to retrieve a bearer token and use that to connect to the database. However since the powershell script is running in the context of the service principal I

来源： https://stackoverflow.com/questions/62677458/azure-sql-grant-access-for-ad-user-using-powershell-and-serviceprincipal

来源： https://stackoverflow.com/questions/62677458/azure-sql-grant-access-for-ad-user-using-powershell-and-serviceprincipal

问题 I have a certificate associated with a service principal in Azure AD. How can I get the certificate name or thumbprint associated with it using powershell? I have tried Get-AzureRmADServicePrincipalCredential , Get-AzureRmADSpCredential and Get-AzureADServicePrincipalKeyCredential commands but they return Key Identifier not thumbprint. Basically I want to recognize which certificate is associated with the principal before revoking it. 回答1: As @Stanley Gong mentioned, you can use MS Graph to

问题 I have created AAD application from gallery. There is one in app registrations section and one in enterprise applications. App registrations application points to the enterprise app (managed application in local directory). I want to configure SAML SSO for the enterprise app. There are a few required properties which have to be set. I am able to set Sign on URL (using graph api), but I cannot set Identifier (Entity ID) and Reply URL . I thought that this will do the job: Set

问题 I have an Azure function which I'm using to fetch data from Azure AD, but I want to limit who can use the Function as it will be using a HTTP trigger so that I will be able to call the function from a Logic App later down the road. So as HTTP triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or even more preferable to use an Azure AD service principal (pre-created). Upon making this change though I can make the call by

问题 To run applications in Azure, I need to create an Application in Azure AD and a corresponding Service Principal. Then my application authenticates against this App/Principal pair. To authenticate, I can create an application key in the App registration, or I can create a password in the Service Principal (among other options). What's the difference from a practial standpoint? For example, this code runs exactly the same (from the outside) whether the $key is the App's key or the Service

问题 I have a Function in Azure, which has MSI (Managed Service Identity) enabled which I am trying to use to access an Azure based WebAPI (App Service WebApp) which in turn has Azure AD Authentication enabled (all same Azure Directory). My WebAPI has an Azure App registered so it can use AAD Authentication. This app also has the necessary AppRoles configured in its Manifest (for types 'User' and for 'Application'). I have also verified that the Functions Identity (app) was successfully created in

问题 How can I, using the Azure Python API, create a full set of credentials that can later be used to start and deallocate all VMs in a named resource group, without any other permissions? I have thoroughly researched the example code and both official and unofficial documentation, but I don't even know where to start... I know I will need a tenant ID, client ID, client secret and subscription ID. Which of those can I make using an API, and how would I go about assigning roles to allow for