Creating a Security Group with Owner doesn't work using Service Principal in PowerShell

Question

I'm trying to create an Azure security group across PowerShell and connected with a service principal.

My service principal has a Custom Role with microsoft.directory/groups/create permission allowing me to create Security Groups and Microsoft 365 groups, excluding role-assignable groups.

I'm using Microsoft.Graph.Groups module in PowerShell and I gave my service principal good rights to use Graph API.

When I create an empty security group with the command

New-MgGroup -BodyParameter $params

with

$params = @{
    description = "Group with designated owner DJER0105"
    displayName = "Group Test 20-07"
    mailEnabled = $false
    mailNickname = "GroupTest20-07"
    securityEnabled = $true
}

My request passes without problems, BUT when I try to put an Owner I get a 403 error "Insufficient privileges to complete the operation."

$params = @{
    description = "Group with designated owner DJER0105"
    displayName = "Group Test 20-07"
    mailEnabled = $false
    mailNickname = "GroupTest20-07"
    securityEnabled = $true
    "owners@odata.bind" = @(
        "https://graph.microsoft.com/v1.0/users/47f89f36-2ad7-45ee-a1ac-3cd0b0e021df"
    )
}

Does someone have any idea why I can't perform this action (security group creation with owner) using the service principal?

I already tried to do the same but with a nominative account (user account) which works well in both cases.

I tried to add the owner after creation like this:

# {id} stands for the owner's user object id; the reference must be a full Graph URL
$params = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/{id}" }
New-MgGroupOwnerByRef -GroupId $groupId -BodyParameter $params

And I got the same 403 error "Insufficient privileges to complete the operation."

For information, I don't need to be the owner of the security group; I want to create a security group and put another user as owner.

Answer 1

Score: 0


> Creating a Security Group with Owner doesn't work using Service Principal in PowerShell

I tried in my environment and got the below results:

I created an application with API permission Directory.AccessAsUser.All with granted admin consent.

Now, I tried with the below command and it created the group with the owner.

Command:

$tenantId ="your-tenant-id"
$appId = "your-client-id"
$ownerObjectId = "user object id"
$groupName = "Testvenkatgrp"
$groupDescription = "Group with designated owner DJER0105"

Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint "your certificate thumbprint"

# Create the security group
$params = @{
    description = $groupDescription
    displayName = $groupName
    mailEnabled = $false
    mailNickname = $groupName.Replace(" ", "")
    securityEnabled = $true
}
$group = New-MgGroup -BodyParameter $params

# Assign the owner to the security group
$ownerUrl = "https://graph.microsoft.com/v1.0/users/$ownerObjectId"
$ownerRef = @{
    "@odata.id" = $ownerUrl
}
$ownerParams = @{
    "owners@odata.bind" = @($ownerRef["@odata.id"])
}
Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/groups/$($group.Id)" -Body $ownerParams

Output: screenshot (not reproduced here)

Reference:

Using Microsoft Graph PowerShell authentication commands | Microsoft Learn
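As an added example (not code from the question or from the answer above), the script below performs the same two-step creation with app-only authentication, but first inspects the application permissions carried by the token, so that a 403 on the owner step can be traced to a missing Graph permission instead of being guessed at, and then verifies the owner with Get-MgGroupOwner. The tenant id, client id, certificate thumbprint and user object id are placeholders; the owner is added through the documented POST /groups/{id}/owners/$ref reference, which is the request New-MgGroupOwnerByRef issues, and the permissions it checks for (Group.ReadWrite.All or Directory.ReadWrite.All) are the application permissions the Graph reference lists for adding group owners.

```powershell
# Added example, not the question's or the answer's code.
# Creates a security group with a designated owner using app-only Microsoft Graph
# authentication, and checks the token's application permissions up front so a
# 403 on the owner step is explained rather than guessed at.
# Every id and the thumbprint below is a placeholder.

$tenantId       = "<tenant-id>"
$appId          = "<app-registration-client-id>"
$certThumbprint = "<certificate-thumbprint>"
$ownerObjectId  = "<owner-user-object-id>"

Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint $certThumbprint

# An app-only token carries application permissions (app roles); Get-MgContext
# exposes them as Scopes. Adding a group owner needs Group.ReadWrite.All or
# Directory.ReadWrite.All. A custom directory role such as one holding
# microsoft.directory/groups/create is a separate authorization layer and does
# not appear here.
$granted  = @((Get-MgContext).Scopes)
$required = @("Group.ReadWrite.All", "Directory.ReadWrite.All")
if (-not ($granted | Where-Object { $_ -in $required })) {
    throw "Token carries none of [$($required -join ', ')]; granted: [$($granted -join ', ')]"
}

# Step 1: create the empty security group
$group = New-MgGroup -BodyParameter @{
    displayName     = "Group Test 20-07"
    description     = "Group with designated owner"
    mailEnabled     = $false
    mailNickname    = "GroupTest20-07"
    securityEnabled = $true
}

# Step 2: bind the owner by reference (POST /groups/{id}/owners/$ref)
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$ownerObjectId"
}

# Step 3: verify that the owner really landed on the group
$ownerIds = @(Get-MgGroupOwner -GroupId $group.Id | ForEach-Object { $_.Id })
if ($ownerIds -notcontains $ownerObjectId) {
    throw "Owner $ownerObjectId was not added to group $($group.Id)"
}
"Group '$($group.DisplayName)' ($($group.Id)) created with owner $ownerObjectId"
```

The pre-check is deliberately on the token rather than on the app registration's configured permissions: a permission that has been added but not admin-consented never reaches the token, and that is exactly the gap a 403 "Insufficient privileges" on the owner step usually points to.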

huangapple
  • Posted by huangapple on 2023-07-20 18:09:41
  • Source link: https://go.coder-hub.com/76728804.html