问题描述

在常规情况下，如果要从Azure中获取Authorization Token，需要在Azure AAD中注册一个应用主体，通过Client ID + Client Secret生成Token。但是，当需要直接使用Managed Identity(托管标识)的方式执行Microsoft Graph API来获取Token，如何来实现呢？

问题解答

因为Managed Identity不是一个AAD的注册应用，所以需要先通过Powershell命令来为他赋予相应的权限。所以需要对它赋予权限。

赋予权限的执行命令为：

# 登录Azure China
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud 

# Get SPN based on MSI Display Name
$msiSpn = (Get-AzureADServicePrincipal -Filter "displayName eq 'managed identity名称'")

# Set well known Graph Application Id
$msGraphAppId = "00000003-0000-0000-c000-000000000000" # Get SPN for Microsoft Graph
$msGraphSpn = Get-AzureADServicePrincipal -Filter "appId eq '$msGraphAppId'" # Type Graph App Permissions needed
$msGraphPermission = "Directory.ReadWrite.All","Group.ReadWrite.All","GroupMember.ReadWrite.All" # Now get all Application Roles matching above Graph Permissions
$appRoles = $msGraphSpn.AppRoles | Where-Object {$_.Value -in $msGraphPermission -and $_.AllowedMemberTypes -contains "Application"}

# Add Application Roles to MSI SPN
$appRoles | % { New-AzureAdServiceAppRoleAssignment -ObjectId $msiSpn.ObjectId -PrincipalId $msiSpn.ObjectId -ResourceId $msGraphSpn.ObjectId  -Id $_.Id }

可以通过以下命令删除权限：

# Get all application permissions for the service principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $msiSpn.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

# Remove all permissions
$spApplicationPermissions | ForEach-Object {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
}

在配置了Managed Identity的环境中（如Azure VM)中执行Powershell获取Token 示例：

# 使用Identity登录后，获取Context
 $AzureContext = (Connect-AzAccount -Identity -Environment AzureChinaCloud).context

# set and store context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

# Get MS Graph access token 
# Managed Identity
$url = $env:IDENTITY_ENDPOINT 
$headers = New-Object "System.Collections.Generic.Dictionary[String],[String](/LuBu0505/My-Code/wiki/String],[String)" $headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) 
$headers.Add("Metadata", "True") 
$body = @{"resource"=https://microsoftgraph.chinacloudapi.cn/} 
$accessToken = (Invoke-RestMethod $url -Method 'POST' -Headers $headers -ContentType 'application/x-www-form-urlencoded' -Body $body ).access_token
$authHeader = @{ "Authorization"= "Bearer " + $accessToken "Content-Type"="application/json" }

Write-Output "access token acquired successfully"

当在复杂的环境中面临问题，格物之道需：浊而静之徐清，安以动之徐生。 云中，恰是如此!

分类: 【Azure 环境】, 【Azure Developer】

标签: Azure Developer, Azure 环境, AAD Token Powershell, Managed Identity + Microsoft Graph API