MSI Permissions for Graph API

会有一股神秘感。 提交于 2019-12-17 07:40:34

问题


My question is, do we have any documented method of granting a Manage Service Identity permissions to the Graph API as we would with an Azure App Registration in the portal? I was unable to find any Powershell options or ability to manage permissions for the MSI service principal in the Azure Portal or documentation. I found a similar question on MSDN forums, but wanted to make sure there were not any further updates or workarounds that anybody knew of?

MSDN Forum Post: https://social.msdn.microsoft.com/Forums/azure/en-US/dae34534-f193-4444-b52e-ba9cfa4a1fda/does-azure-msi-support-accessing-graph-api?forum=WindowsAzureAD


回答1:


Disclaimer - I'm not overly familiar with MSIs, but as they are modeled as service principals, this should work. Also I'm not able to validate these steps.

These steps require that you use Azure AD PowerShell (v2) to assign application permissions to your MSI (to access Microsoft Graph), and that you are an administrator or app admin in your tenant. For Microsoft Graph, the documented permissions can be found here. The same instructions could be used for other resources secured by Azure AD too. I'll assume that you've already installed the PowerShell module.

  1. Connect-AzureAD to connect PS to Azure Ad. Enter your admin creds.
  2. $graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" to find the service principal representing Microsoft Graph and assign it to a variable. The service principal for Microsoft Graph is currently created just in time on first access, so there is a possibility it doesn't exist. It can be created by calling New-AzureADServicePrincipal -AppId "00000003-0000-0000-c000-000000000000".
  3. $graph.AppRoles - this will show you all the available application permissions that you can choose from that are exposed by Microsoft Graph. For example if your MSI needs to read group information, find the "Group.Read.All" permission from the list, and make a note of its permission Id (it's a GUID). For example here's one of the records from the AppRoles list: AllowedMemberTypes : {Application} Description : Allows the app to read events of all calendars without a signed-in user. DisplayName : Read calendars in all mailboxes Id : 798ee544-9d2d-430c-a058-570e29e34338 IsEnabled : True Value : Calendars.Read
  4. Find your MSI's objectId (assuming you don't know it, but that you do know its clientId/appId): $msi = Get-AzureADServicePrincipal -Filter "AppId eq '{Your_MSI_appId}'"
  5. For each of the permissions your MSI needs, run the following PS cmdlet to assign the permission to your MSI: New-AzureADServiceAppRoleAssignment -Id {permissionId} -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId

And that should do it. You should now be able to acquire an access token for your MSI to call Microsoft Graph, and the access token should contain a roles claim that matches the permissions (ids) that you've assigned above. You can then use that access token to call Microsoft Graph. This is similar to steps 6 and 7 in https://docs.microsoft.com/en-us/azure/active-directory/msi-overview.

Hope this helps,




回答2:


The RequestDenied message is expected. There was a change to this that updating the System MSI SP is now blocked.



来源:https://stackoverflow.com/questions/48013011/msi-permissions-for-graph-api

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!