使用Azure PowerShell分配AD角色

huangapple go评论70阅读模式
英文:

Assign AD roles using Azure PowerShell

问题

我正在尝试通过Azure DevOps YAML管道,使用AzurePowerShell@5任务,将用户管理员AD角色分配给Azure函数应用的托管标识。这是我尝试过的内容,但它给我返回错误:##[error]Object reference not set to an instance of an object.

[CmdletBinding()]
param (
    $functionAppDeltaSyncName,
    $logicAppName_d365hrpublisher,
    $logicAppName_d365hrsubscriber,
    $resourceGroupName
)

Install-Module -Name AzureADPreview -Force

$appArray = $functionAppDeltaSyncName, $logicAppName_d365hrpublisher, $logicAppName_d365hrsubscriber

$aadAccessToken = Get-AzAccessToken -ResourceTypeName AadGraph
$context = Get-AzContext
Connect-AzureAD -AadAccessToken $aadAccessToken.Token -AccountId $context.Account.Id -TenantId $context.tenant.id

For ($x=0; $x -lt $appArray.Length; $x++)
{
    $managedIdentityObjectId = (Get-AzFunctionApp -Name $appArray[$x] -ResourceGroupName $resourceGroupName).IdentityPrincipalId

    $roleUserAdministrator = Get-AzureADMSRoleDefinition -Filter "displayName eq 'User Administrator'"

    $IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Id $managedIdentityObjectId |
        Where-Object { $_.RoleDefinitionId -eq $roleUserAdministrator.Id }

    if ($null -eq $IsAppRoleAssigned) {
        New-AzureADMSRoleAssignment `
            -DirectoryScopeId '/' `
            -RoleDefinitionId $IsAppRoleAssigned_UserAdministrator.Id `
            -PrincipalId $managedIdentityObjectId
    }
}
英文:

I'm trying to assign User Administrator AD role to Azure Function App managed Identity through Azure DevOps YAML pipeline using AzurePowerShell@5 task.
Here is what I tried, but it gives me: ##[error]Object reference not set to an instance of an object.

[CmdletBinding()]
param (
    $functionAppDeltaSyncName,
    $logicAppName_d365hrpublisher,
    $logicAppName_d365hrsubscriber,
    $resourceGroupName
)

Install-Module -Name AzureADPreview -Force

$appArray = $functionAppDeltaSyncName, $logicAppName_d365hrpublisher, $logicAppName_d365hrsubscriber

$aadAccessToken = Get-AzAccessToken -ResourceTypeName AadGraph
$context = Get-AzContext
Connect-AzureAD -AadAccessToken $aadAccessToken.Token -AccountId $context.Account.Id -TenantId $context.tenant.id

For ($x=0; $x -lt $appArray.Length; $x++)
{
    $managedIdentityObjectId = (Get-AzFunctionApp -Name $appArray[$x] -ResourceGroupName $resourceGroupName).IdentityPrincipalId


    $roleUserAdministrator = Get-AzureADMSRoleDefinition -Filter "displayName eq 'User Administrator'"

    $IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Id $managedIdentityObjectId |
        Where-Object { $_.RoleDefinitionId -eq $roleUserAdministrator.Id }

    if ($null -eq $IsAppRoleAssigned) {
        New-AzureADMSRoleAssignment `
            -DirectoryScopeId '/' `
            -RoleDefinitionId $IsAppRoleAssigned_UserAdministrator.Id `
            -PrincipalId $managedIdentityObjectId
    }
        
}

答案1

得分: 1

在您提供的代码中,请检查以下内容:

$IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityObjectId'" |
    Where-Object { $_.RoleDefinitionId -eq $aadDirectoryRole.Id }

if ($null -eq $IsAppRoleAssigned) {
    New-AzureADMSRoleAssignment `
        -DirectoryScopeId '/' `
        -RoleDefinitionId   `
        -PrincipalId $managedIdentityObjectId
}

其中 $IsAppRoleAssigned 变量未在任何地方声明,但 $IsAppRoleAssigned_UserAdministrator 是已声明的变量。

可以通过以下方式进行修正以解决几乎所有错误:

$IsAppRoleAssigned_UserAdministratornull 且没有值时,$IsAppRoleAssigned_UserAdministrator.RoleDefinitionId 不包含任何值,在这种情况下,以下命令不起作用,因为 RoleDefinitionId 将为 null。

这可能导致出现“Object reference not set to an instance of an object”的错误:

请检查正确的代码:

而不是在 if 条件中创建新的角色分配时,使用以下命令获取用户管理员的角色定义 ID ($roledefId_UserAdmin) 以进行分配。

$functionApp = Get-AzFunctionApp -ResourceGroupName $resourceGroupName -Name $functionApp
$functionApp.IdentityPrincipalId
$managedIdentityObjectId = $functionApp.IdentityPrincipalId
Write-host "function App principal id is fetched"

$roleUserAdministrator = Get-AzureADMSRoleDefinition -Filter "displayName eq 'User Administrator'"
$roledefId_UserAdmin = Get-AzureADMSRoleAssignment | Where-Object {
    $_.RoleDefinitionId -eq $aadDirectoryRole.Id
}

$IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityObjectId'" |
    Where-Object { $_.RoleDefinitionId -eq $roleUserAdministrator.Id }

if ($IsAppRoleAssigned_UserAdministrator -eq $null) {
    New-AzureADMSRoleAssignment `
        -DirectoryScopeId '/' `
        -RoleDefinitionId '$roledefId_UserAdmin.RoleDefinitionId' `
        -PrincipalId '$managedIdentityObjectId'
}

检查角色是否分配给服务主体:

Get-AzureADDirectoryRoleMember -ObjectId "942fxxx-xxx699449b8"

其中 ObjectId 是“User Administrator”角色的对象标识符。

英文:

In the code you have provided check the " if condition" > if ($null -eq $IsAppRoleAssigned)

powershell:

  $IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityObjectId' " |
        Where-Object { $_.RoleDefinitionId -eq $aadDirectoryRole.Id }

    if ($null -eq $IsAppRoleAssigned) {
        New-AzureADMSRoleAssignment `
            -DirectoryScopeId '/' 
            -RoleDefinitionId   `
            -PrincipalId $managedIdentityObjectId
    }

where $IsAppRoleAssigned is declared nowhere , but $IsAppRoleAssigned_UserAdministrator is the declared variable.

It can be corrected it to resolve the error almost.

Also when $IsAppRoleAssigned_UserAdministrator is null and has no value $IsAppRoleAssigned_UserAdministrator.RoleDefinitionId does not contain any value, in that scenario following command does not work as RoleDefinitionId will be null.

使用Azure PowerShell分配AD角色

That is where you might have got “Object reference not set to an instance of an object”:

Check the correct code

Instead get role definitionId of User Administrator using below command ($roledefId_UserAdmin
) to assign while creating new role assignment in if condition.

    $functionApp = Get-AzFunctionApp -ResourceGroupName $resourceGroupName -Name $functionApp
       
 $functionApp.IdentityPrincipalId
        
        $managedIdentityObjectId=$functionApp.IdentityPrincipalId
        
Write-host “function App principal id is fetched"
  
  $roleUserAdministrator=Get-AzureADMSRoleDefinition -Filter "displayName eq 'User Administrator'" 
  
  $roledefId_UserAdmin=Get-AzureADMSRoleAssignment  |Where-Object { 
$_.RoleDefinitionId -eq $aadDirectoryRole.Id } 
    
     
   $IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityObjectId' " |
      Where-Object { $_.RoleDefinitionId -eq $roleUserAdministrator.Id }
    
        if ($IsAppRoleAssigned_UserAdministrator -eq $null   ) {
            New-AzureADMSRoleAssignment `
                -DirectoryScopeId '/' `
                -RoleDefinitionId '$roledefId_UserAdmin.RoleDefinitionId'`
                -PrincipalId '$managedIdentityObjectId'`
        }

Check if the role is assigned to the service principal:

使用Azure PowerShell分配AD角色
Get-AzureADDirectoryRoleMember -ObjectId “942fxxx-xxx699449b8”

Here ObjectId is the objectId of the Role “User Administrator”

使用Azure PowerShell分配AD角色

Reference : Get-AzureADMSRoleAssignment (AzureAD) | Microsoft Learn

huangapple
  • 本文由 发表于 2023年6月2日 07:32:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/76386323.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定