英文:
Creating a Security Group with Owner doesn't work using Service Principal in PowerShell
问题
我正在尝试通过PowerShell创建一个Azure安全组并连接到服务主体。
我的服务主体具有一个自定义角色,具有microsoft.directory/groups/create权限,允许我创建安全组和Microsoft 365组,但不包括可分配角色的组。
我正在使用PowerShell中的Microsoft.Graph.Groups模块,并为我的服务主体授予了使用Graph API的权利。
当我使用以下命令创建一个空安全组时:
New-MgGroup -BodyParameter $params
使用以下参数:
$params = @{
description = "Group with designated owner DJER0105"
displayName = "Group Test 20-07"
mailEnabled = $false
mailNickname = "GroupTest20-07"
securityEnabled = $true
}
我的请求没有问题,但是当我尝试添加一个所有者时,我收到了403错误消息:"权限不足,无法完成操作。"
$params = @{
description = "Group with designated owner DJER0105"
displayName = "Group Test 20-07"
mailEnabled = $false
mailNickname = "GroupTest20-07"
securityEnabled = $true
"owners@odata.bind" = @(
"https://graph.microsoft.com/v1.0/users/47f89f36-2ad7-45ee-a1ac-3cd0b0e021df"
)
}
是否有人知道为什么我无法使用服务主体执行此操作(创建带有所有者的安全组)?
我已经尝试使用具名帐户(用户帐户)执行相同的操作,两种情况都可以正常工作。
我尝试在创建后添加所有者,像这样:
$params = @{ "@odata.id" = "graph.microsoft.com/v1.0/users{id}" }
New-MgGroupOwnerByRef -GroupId $groupId -BodyParameter $params
但是我仍然收到相同的403错误消息:"权限不足,无法完成操作。"
供参考,我不需要成为安全组的所有者,我想要创建一个安全组,并将另一个用户指定为所有者。
英文:
I'm trying to create an Azure security group across PowerShell and connected with a service principal.
My service principal has a Custom Role with microsoft.directory/groups/create permission allowing me to create Security Groups and Microsoft 365 groups, excluding role-assignable groups.
I'm using Microsoft.Graph.Groups module in PowerShell and I gave my service principal good rights to use Graph API.
When I create an empty security group with the command
New-MgGroup -BodyParameter $params
with
$params = @{
>> description = "Group with designated owner DJER0105"
>> displayName = "Group Test 20-07"
>> mailEnabled = $false
>> mailNickname = "GroupTest20-07"
>> securityEnabled = $true
>> }
My request pass without problems, BUT when I try to put an Owner I got a 403 error "Insufficient privileges to complete the operation."
$params = @{
>> description = "Group with designated owner DJER0105"
>> displayName = "Group Test 20-07"
>> mailEnabled = $false
>> mailNickname = "GroupTest20-07"
>> securityEnabled = $true
>> **"owners@odata.bind" = @(
>> "https://graph.microsoft.com/v1.0/users/47f89f36-2ad7-45ee-a1ac-3cd0b0e021df"**
>> )
>> }
Does someone have any idea why I can't perform this action (security group creation with owner) using the service principal?
I already tried to do the same but with a nominative account (user account) which works well in both cases.
I tried to add the owner after creation like this:
$params = @{ "@odata.id" = "graph.microsoft.com/v1.0/users{id}" }
New-MgGroupOwnerByRef -GroupId $groupId -BodyParameter $params
And I got same error 403 "Insufficient privileges to complete the operation."
For information I don't need to be the owner of the security group, I want to create a security group and put another user as owner.
答案1
得分: 0
在PowerShell中使用服务主体创建具有所有者的安全组不起作用
我在我的环境中尝试并获得以下结果:
我创建了一个具有授予管理员同意的API权限**Directory.AccessAsUser.All
**的应用程序。
现在,我使用以下命令尝试创建了具有所有者的组。
命令:
$tenantId = "你的租户ID"
$appId = "你的客户端ID"
$ownerObjectId = "用户对象ID"
$groupName = "Testvenkatgrp"
$groupDescription = "具有指定所有者DJER0105的组"
Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint "你的证书指纹"
# 创建安全组
$params = @{
description = $groupDescription
displayName = $groupName
mailEnabled = $false
mailNickname = $groupName.Replace(" ", "")
securityEnabled = $true
}
$group = New-MgGroup -BodyParameter $params
# 分配所有者给安全组
$ownerUrl = "https://graph.microsoft.com/v1.0/users/$ownerObjectId"
$ownerRef = @{
"@odata.id" = $ownerUrl
}
$ownerParams = @{
"owners@odata.bind" = @($ownerRef["@odata.id"])
}
Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/groups/$($group.Id)" -Body $ownerParams
输出:
参考:
使用Microsoft Graph PowerShell身份验证命令 | Microsoft Learn
英文:
> Creating a Security Group with Owner doesn't work using Service Principal in PowerShell
I tried in my environment and got the below results:
I created an application with API permission Directory.AccessAsUser.All
with granted admin consent.
Now, I tried with the below command it created the group with the owner.
Command:
$tenantId ="your-tenant-id"
$appId = "your-client-id"
$ownerObjectId = "user object id"
$groupName = "Testvenkatgrp"
$groupDescription = "Group with designated owner DJER0105"
Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint "your certificate thumbprint"
# Create the security group
$params = @{
description = $groupDescription
displayName = $groupName
mailEnabled = $false
mailNickname = $groupName.Replace(" ", "")
securityEnabled = $true
}
$group = New-MgGroup -BodyParameter $params
# Assign the owner to the security group
$ownerUrl = "https://graph.microsoft.com/v1.0/users/$ownerObjectId"
$ownerRef = @{
"@odata.id" = $ownerUrl
}
$ownerParams = @{
"owners@odata.bind" = @($ownerRef["@odata.id"])
}
Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/groups/$($group.Id)" -Body $ownerParams
Output:
Reference:
Using Microsoft Graph PowerShell authentication commands | Microsoft Learn
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论