问题
I want to set my Azure Active Directory as an identity provider for SharePoint 2013 Foundation. I activated Azure trial from account that is a part of another infrastructure (my company's infrastructure). So what i have now:
- Azure VM with SharePoint 2013 Foundation installed. Created by me for testing purposes
- Azure Active Directory that is a part of my company's infrastructure. I don't have any permissions even to view it. But I see it since my company uses it
- Azure Active Directory with me as Global Admin (my-ad-name). Created by me for testing purposes
- Access Control Services. Created by me for testing purposes
So following the article Using Microsoft Azure Active Directory for SharePoint 2013 authentication i get error
PS C:\Users\tu1> New-MsolServicePrincipal -ServicePrincipalNames @("https://my-ad-name.accesscontrol.windo
ws.net/") -DisplayName "Test ACS Namespace" -Addresses $replyUrl
The following symmetric key was created as one was not supplied m2XQJAeUKEQztjn/sEDJwy8TbG8jPxpw6cemkm8Fnkw=
New-MsolServicePrincipal : Access Denied. You do not have permissions to call this cmdlet.
At line:1 char:1
+ New-MsolServicePrincipal -ServicePrincipalNames @("https://my-ad-name.accesscon ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [New-MsolServicePrincipal], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Admini
stration.Automation.NewServicePrincipal
May that be because of the Azure AD that I don't have rights on? Are there ways to connect Access Control Service only with the AD i need?
回答1:
When you connect to Azure AD PowerShell using Connect-MsolService, the username you use to sign in will define which directory you are working in. External users (users originally from one directory present in a second directory) cannot be used.
Say, for instance, you have user bob@contoso.com, in a directory which we'll identify by the verified domain name contoso.com. If bob@contoso.com uses the Azure portal to create a new directory (identified here by it's initial domain name fabrikam.onmicrosoft.com), the first user (and admin) will be an external user bob@contoso.com.
In order to connect to Azure AD PowerShell in the context of fabrikam.onmicrosoft.com, a new "native" user needs to be created in that directory. So, for instance, if admin@fabrikam.onmicrosoft.com is created as an admin in fabrikam.onmicrosoft.com, that new user account would be able to sign in to Azure AD PowerShell and create a new service principal.
Note: You can always confirm which directory you're working in by using Get-MsolCompanyInformation.
来源:https://stackoverflow.com/questions/34044861/several-azure-ad-new-msolserviceprincipal-access-denied