Azure Managed Identity to access Graph with User.Read.All


Question


I am trying to connect to MS Graph using a User Managed Identity. I created the managed identity in the Azure portal via Create -> Managed Identity. It is not assigned to an Azure resource. My goal is to use it from the client code directly (to not have to distinguish between dev and live environments). I got User.Read.All assigned using PowerShell and I can see it is granted when I view it via the enterprise applications view.

Now, in my C# code I would like to create an instance of GraphServiceClient using:
using Azure.Identity;
using Microsoft.Graph;
var scopes = new[] { "https://graph.microsoft.com/.default" };
// clientId: the client ID of the user-assigned managed identity
var clientCredential = new ManagedIdentityCredential(clientId);
GraphServiceClient graphClient = new GraphServiceClient(clientCredential, scopes);

I am receiving the following error when the code is executed:
Azure.Identity.CredentialUnavailableException: "ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint."

I was only able to find examples where the managed identity is added to the function app it is run under. To my understanding the way I set it up should enable this to work? Or is it not possible to do it this way since the endpoints are protected in general?!

I hope somebody is able to help me out here,
Thanks!

Answer 1

Score: 0


Managed identities are essentially an identity for Azure resources. When you use a Managed Identity, it needs to be associated with an Azure resource such as an Azure VM, Azure Functions, Azure Logic Apps, etc. This is because Managed Identity allows Azure services to authenticate to cloud services without storing credentials in code. The code using the managed identity must be running in an Azure compute resource which has that managed identity assigned to it. Only then can it request Azure AD to provide tokens for access.

In your case, you're trying to use a Managed Identity without associating it with an Azure resource, which is causing the error. The error essentially says that the Managed Identity endpoint isn't available. This endpoint is automatically available within Azure services that support Managed Identity.

To make this work you should:

  • Assign the Managed Identity to an Azure Resource: The Managed Identity you've created should be associated with an Azure service. For example, if you're running your code on an Azure VM, you should assign the Managed Identity to the VM.

  • Use Azure SDK Correctly: If running inside an Azure service with Managed Identity enabled, you don't necessarily need to specify the clientId when creating the ManagedIdentityCredential if you are using system managed identity. If you're using a user-assigned identity (which seems to be the case), then specifying the clientId (or ManagedIdentityClientId) is necessary. Make sure this clientId is correctly set.

  • Ensure Necessary Permissions: Make sure the Managed Identity has the necessary permissions on Microsoft Graph.

  • Network Restrictions: Ensure that there are no network restrictions preventing access to the Managed Identity endpoint. For example, if you're running in an Azure VM, ensure that you don't have NSGs or firewall rules blocking access.

  • Using Outside Azure: If you're trying to use Managed Identity outside of Azure (e.g., on your local machine), it won't work. Managed Identity is specifically a feature of Azure resources.

  • If you're developing locally and want to use Managed Identity, a common pattern is to use your own developer credentials locally and use Managed Identity when deployed to Azure. You can use the DefaultAzureCredential class, which will attempt several methods of authentication in a specific order (Managed Identity, environment variables, etc.), making it seamless between local development and Azure deployment.
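As an added example (not code from the question or the answer above), here is the DefaultAzureCredential pattern the answer recommends, applied to the asker's setup: the user-assigned identity's client ID is passed through the credential options, so the same binary uses the managed identity when deployed to an Azure resource that has the identity assigned, and falls back to the developer's own sign-in (Azure CLI, Visual Studio) on a local machine where no managed-identity endpoint exists. The MANAGED_IDENTITY_CLIENT_ID variable name and the ListUserPrincipalNamesAsync helper are assumptions for illustration; the code targets the Azure.Identity and Microsoft.Graph v5 packages.

```csharp
// Added example, not code from the original question or answer. Assumes the client ID
// of the user-assigned identity arrives in the (hypothetical) MANAGED_IDENTITY_CLIENT_ID
// environment variable, and that the process runs either on an Azure resource with that
// identity assigned or on a developer machine that has run `az login`.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

public static class GraphAccess
{
    // Application permissions are requested via the resource's .default scope; the token
    // then carries every app role (here User.Read.All) granted to the identity.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static TokenCredential BuildCredential(string? managedIdentityClientId)
    {
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            // Required for a user-assigned identity; leave null for a system-assigned one.
            ManagedIdentityClientId = managedIdentityClientId,
            // A service must never try to open a browser; developers are expected to
            // sign in once with `az login` or Visual Studio instead.
            ExcludeInteractiveBrowserCredential = true,
        });
    }

    public static GraphServiceClient CreateClient(string? managedIdentityClientId) =>
        new GraphServiceClient(BuildCredential(managedIdentityClientId), Scopes);

    // GET /users?$top=N&$select=userPrincipalName exercises the User.Read.All app role.
    public static async Task<IReadOnlyList<string>> ListUserPrincipalNamesAsync(
        GraphServiceClient graph, int top = 5)
    {
        UserCollectionResponse? page = await graph.Users.GetAsync(req =>
        {
            req.QueryParameters.Top = top;
            req.QueryParameters.Select = new[] { "userPrincipalName" };
        });

        var names = new List<string>();
        foreach (User user in page?.Value ?? new List<User>())
            names.Add(user.UserPrincipalName ?? "<none>");
        return names;
    }
}

public static class Program
{
    public static async Task<int> Main()
    {
        string? clientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");
        GraphServiceClient graph = GraphAccess.CreateClient(clientId);
        try
        {
            foreach (string upn in await GraphAccess.ListUserPrincipalNamesAsync(graph))
                Console.WriteLine(upn);
            return 0;
        }
        catch (CredentialUnavailableException ex)
        {
            // Every credential in the chain gave up. On Azure this usually means the
            // identity is not assigned to this resource (no IMDS / App Service endpoint
            // answers); locally it means no az/VS sign-in was found.
            Console.Error.WriteLine($"No usable credential: {ex.Message}");
            return 1;
        }
        catch (ODataError ex)
        {
            // A token was issued, but Graph refused the call: typically 403 because the
            // identity has not been granted the User.Read.All app role.
            Console.Error.WriteLine($"Graph rejected the request: {ex.Error?.Code} {ex.Error?.Message}");
            return 2;
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, DefaultAzureCredential only hides the environment difference for the code path, not for the identity: on a developer machine the token is issued for the developer's own account (delegated), so a call that works locally can still fail in Azure if the managed identity's service principal lacks the app role, and vice versa. Second, the managed-identity probe in the chain can add a noticeable delay on a machine with no endpoint; if that matters locally, set ExcludeManagedIdentityCredential = true in a development-only configuration rather than changing the code path.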

huangapple
  • Posted by huangapple on 2023-08-08 23:56:58
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76861275.html