英文:
Creating a Security Group with Owner doesn't work using Service Principal in PowerShell
问题
我正在尝试通过PowerShell创建一个Azure安全组并连接到服务主体。
我的服务主体具有一个自定义角色,具有microsoft.directory/groups/create权限,允许我创建安全组和Microsoft 365组,但不包括可分配角色的组。
我正在使用PowerShell中的Microsoft.Graph.Groups模块,并为我的服务主体授予了使用Graph API的权利。
当我使用以下命令创建一个空安全组时:
New-MgGroup -BodyParameter $params
使用以下参数:
$params = @{description = "Group with designated owner DJER0105"displayName = "Group Test 20-07"mailEnabled = $falsemailNickname = "GroupTest20-07"securityEnabled = $true}
我的请求没有问题,但是当我尝试添加一个所有者时,我收到了403错误消息:"权限不足,无法完成操作。"
$params = @{description = "Group with designated owner DJER0105"displayName = "Group Test 20-07"mailEnabled = $falsemailNickname = "GroupTest20-07"securityEnabled = $true"owners@odata.bind" = @("https://graph.microsoft.com/v1.0/users/47f89f36-2ad7-45ee-a1ac-3cd0b0e021df")}
是否有人知道为什么我无法使用服务主体执行此操作(创建带有所有者的安全组)?
我已经尝试使用具名帐户(用户帐户)执行相同的操作,两种情况都可以正常工作。
我尝试在创建后添加所有者,像这样:
$params = @{ "@odata.id" = "graph.microsoft.com/v1.0/users{id}" }New-MgGroupOwnerByRef -GroupId $groupId -BodyParameter $params
但是我仍然收到相同的403错误消息:"权限不足,无法完成操作。"
供参考,我不需要成为安全组的所有者,我想要创建一个安全组,并将另一个用户指定为所有者。
英文:
I'm trying to create an Azure security group across PowerShell and connected with a service principal.
My service principal has a Custom Role with microsoft.directory/groups/create permission allowing me to create Security Groups and Microsoft 365 groups, excluding role-assignable groups.
I'm using Microsoft.Graph.Groups module in PowerShell and I gave my service principal good rights to use Graph API.
When I create an empty security group with the command
New-MgGroup -BodyParameter $params
with
$params = @{>> description = "Group with designated owner DJER0105">> displayName = "Group Test 20-07">> mailEnabled = $false>> mailNickname = "GroupTest20-07">> securityEnabled = $true>> }
My request pass without problems, BUT when I try to put an Owner I got a 403 error "Insufficient privileges to complete the operation."
$params = @{>> description = "Group with designated owner DJER0105">> displayName = "Group Test 20-07">> mailEnabled = $false>> mailNickname = "GroupTest20-07">> securityEnabled = $true>> **"owners@odata.bind" = @(>> "https://graph.microsoft.com/v1.0/users/47f89f36-2ad7-45ee-a1ac-3cd0b0e021df"**>> )>> }
Does someone have any idea why I can't perform this action (security group creation with owner) using the service principal?
I already tried to do the same but with a nominative account (user account) which works well in both cases.
I tried to add the owner after creation like this:
$params = @{ "@odata.id" = "graph.microsoft.com/v1.0/users{id}" }
New-MgGroupOwnerByRef -GroupId $groupId -BodyParameter $params
And I got same error 403 "Insufficient privileges to complete the operation."
For information I don't need to be the owner of the security group, I want to create a security group and put another user as owner.
答案1
得分: 0
在PowerShell中使用服务主体创建具有所有者的安全组不起作用
我在我的环境中尝试并获得以下结果:
我创建了一个具有授予管理员同意的API权限**Directory.AccessAsUser.All**的应用程序。
现在,我使用以下命令尝试创建了具有所有者的组。
命令:
$tenantId = "你的租户ID"$appId = "你的客户端ID"$ownerObjectId = "用户对象ID"$groupName = "Testvenkatgrp"$groupDescription = "具有指定所有者DJER0105的组"Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint "你的证书指纹"# 创建安全组$params = @{description = $groupDescriptiondisplayName = $groupNamemailEnabled = $falsemailNickname = $groupName.Replace(" ", "")securityEnabled = $true}$group = New-MgGroup -BodyParameter $params# 分配所有者给安全组$ownerUrl = "https://graph.microsoft.com/v1.0/users/$ownerObjectId"$ownerRef = @{"@odata.id" = $ownerUrl}$ownerParams = @{"owners@odata.bind" = @($ownerRef["@odata.id"])}Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/groups/$($group.Id)" -Body $ownerParams
输出:
参考:
使用Microsoft Graph PowerShell身份验证命令 | Microsoft Learn
英文:
> Creating a Security Group with Owner doesn't work using Service Principal in PowerShell
I tried in my environment and got the below results:
I created an application with API permission Directory.AccessAsUser.All with granted admin consent.
Now, I tried with the below command it created the group with the owner.
Command:
$tenantId ="your-tenant-id"$appId = "your-client-id"$ownerObjectId = "user object id"$groupName = "Testvenkatgrp"$groupDescription = "Group with designated owner DJER0105"Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint "your certificate thumbprint"# Create the security group$params = @{description = $groupDescriptiondisplayName = $groupNamemailEnabled = $falsemailNickname = $groupName.Replace(" ", "")securityEnabled = $true}$group = New-MgGroup -BodyParameter $params# Assign the owner to the security group$ownerUrl = "https://graph.microsoft.com/v1.0/users/$ownerObjectId"$ownerRef = @{"@odata.id" = $ownerUrl}$ownerParams = @{"owners@odata.bind" = @($ownerRef["@odata.id"])}Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/groups/$($group.Id)" -Body $ownerParams
Output:
Reference:
Using Microsoft Graph PowerShell authentication commands | Microsoft Learn
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论