
Problem description

I am setting up Azure AD applications for my Service Fabric cluster, so I do not need to rely on Cert Auth to connect to the cluster.

We use a Service Principal from an App Registration that has Contributor access to the subscription to run the ARM template to set up the cluster. Is there a way that I can make the Service Principal an Admin on the Cluster AD Application as well?

Our deployment script is in PowerShell, and I saw this post: Deploying ServiceFabric apps using AzureAD Authentication, on how to automate connecting, but I need a way to connect with a Service Principal.

Recommended answer

I figured out how to get it to work.

The first part is to give the service principal the role on the Client App.

  1. Go to Azure Portal -> Azure Active Directory -> App Registrations and select the Client app created.
  2. Go to the Manifest page and find the Admin app role and add an entry for "Application" to the allowedMemberTypes property. Save when updated.
  3. Go to App Registrations and select the app you are using to run automation with.
  4. Go to API Permissions, click the Add permission button. Go to the APIs my organization uses tab and search for the SF Cluster Client Application.
  5. Select Application Permissions and choose the Admin permission.
  6. Hit the Grant admin consent for <Tenant Name> button.

Once permission is granted, you can run the PowerShell script:

# Variables set by the caller before running this script:
#   $tenantId      - Azure AD tenant ID
#   $AzureLogin    - application (client) ID of the automation service principal
#   $AzurePassword - that service principal's client secret
#   $clientAppId   - app ID of the application the token is requested for
#                    (the one whose Admin role was granted above)
#   $endpoint      - cluster management endpoint, e.g. host:19000
#   $thumbprint    - thumbprint of the cluster's server certificate

# Load ADAL from the script directory.
Add-Type -Path "./Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$authority = "https://login.microsoftonline.com/$($tenantId)"
# ClientCredential takes the automation service principal's client ID and secret.
$credentials = [Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential]::new($AzureLogin, $AzurePassword)
$authContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]::new($authority)

# Client-credentials flow: first argument is the resource the token is issued for.
# AcquireTokenAsync returns a Task, so the token is read from .Result.
$authResult = $authContext.AcquireTokenAsync($clientAppId, $credentials)
$Token = $authResult.Result.AccessToken
Connect-ServiceFabricCluster -AzureActiveDirectory -SecurityToken $Token `
        -ConnectionEndpoint $endpoint -ServerCertThumbprint $thumbprint
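The following PowerShell is an added example and is not part of the original answer. It does the six portal steps above through Microsoft Graph (adding "Application" to the Admin app role's allowedMemberTypes and creating the app role assignment), acquires the token with a plain OAuth2 client-credentials request to the v1 token endpoint instead of the ADAL DLL, and checks the token's `aud` and `roles` claims before handing it to Connect-ServiceFabricCluster. The variable names ($tenantId, $automationAppId, $automationSecret, $clusterAppId, $endpoint, $thumbprint), the function names, and the requirement that an administrator holding Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All is already signed in with Connect-AzAccount (Az.Accounts module) are assumptions of this example, not something the page states.

```powershell
# Added example, not from the original answer. Assumes the caller has set:
#   $tenantId, $automationAppId, $automationSecret  - tenant and automation SP (client ID + secret)
#   $clusterAppId                                   - app ID of the Service Fabric cluster AD application
#   $endpoint, $thumbprint                          - cluster endpoint and server cert thumbprint
# Requires Az.Accounts (Get-AzAccessToken) and the ServiceFabric module.
$graph = 'https://graph.microsoft.com/v1.0'

function Get-GraphObjectByAppId {
    # Resolve an application or servicePrincipal object from its appId.
    param([string]$Collection, [string]$AppId, [hashtable]$Headers)
    $uri = "$graph/$Collection" + "?`$filter=appId%20eq%20'$AppId'"
    $r = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    if (-not $r.value) { throw "No $Collection object with appId $AppId" }
    return $r.value[0]
}

function Grant-ClusterAdminRole {
    # Portal steps 1-6 via Graph: let applications hold the Admin role, then assign it.
    param([string]$ClusterAppId, [string]$AutomationAppId)
    $gt = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token   # assumption: admin signed in
    $h  = @{ Authorization = "Bearer $gt"; 'Content-Type' = 'application/json' }

    $app   = Get-GraphObjectByAppId -Collection 'applications' -AppId $ClusterAppId -Headers $h
    $admin = $app.appRoles | Where-Object { $_.value -eq 'Admin' }
    if (-not $admin) { throw 'Cluster application has no app role with value "Admin"' }

    # Step 2: appRoles is replaced as a whole; rebuild each role without the read-only
    # 'origin' property, adding "Application" to the Admin role's allowedMemberTypes.
    $roles = foreach ($r in $app.appRoles) {
        $types = @($r.allowedMemberTypes)
        if ($r.value -eq 'Admin' -and $types -notcontains 'Application') { $types += 'Application' }
        @{ id = $r.id; value = $r.value; displayName = $r.displayName; description = $r.description
           isEnabled = $r.isEnabled; allowedMemberTypes = $types }
    }
    $body = @{ appRoles = @($roles) } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Patch -Uri "$graph/applications/$($app.id)" -Headers $h -Body $body | Out-Null

    # Steps 4-6: the app role assignment is what "Application permission + admin consent" creates.
    $clusterSp = Get-GraphObjectByAppId -Collection 'servicePrincipals' -AppId $ClusterAppId -Headers $h
    $autoSp    = Get-GraphObjectByAppId -Collection 'servicePrincipals' -AppId $AutomationAppId -Headers $h
    $assign = @{ principalId = $autoSp.id; resourceId = $clusterSp.id; appRoleId = $admin.id } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$graph/servicePrincipals/$($autoSp.id)/appRoleAssignments" -Headers $h -Body $assign
}

function Get-ClientCredentialToken {
    # OAuth2 client-credentials grant on the v1 endpoint: same semantics as
    # ADAL's AcquireTokenAsync(resource, ClientCredential), with no DLL to ship.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret, [string]$Resource)
    $body = @{ grant_type = 'client_credentials'; client_id = $ClientId
               client_secret = $ClientSecret; resource = $Resource }
    $r = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body
    return $r.access_token
}

function ConvertFrom-JwtPayload {
    # Decode (not verify) the JWT payload so its claims can be inspected locally.
    param([string]$Jwt)
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($p.Length % 4) { 2 { $p += '==' } 3 { $p += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

function Test-ClusterAdminToken {
    # The token must be issued for the cluster application and carry the Admin
    # app role; a token without the role is not treated as an admin by the cluster.
    param([string]$Jwt, [string]$ClusterAppId)
    $c = ConvertFrom-JwtPayload $Jwt
    $audOk = ($c.aud -eq $ClusterAppId) -or ($c.aud -eq "api://$ClusterAppId")
    return $audOk -and (@($c.roles) -contains 'Admin')
}

# One-time setup (needs an administrator), then the automated connection.
Grant-ClusterAdminRole -ClusterAppId $clusterAppId -AutomationAppId $automationAppId
$jwt = Get-ClientCredentialToken -TenantId $tenantId -ClientId $automationAppId `
        -ClientSecret $automationSecret -Resource $clusterAppId
if (-not (Test-ClusterAdminToken -Jwt $jwt -ClusterAppId $clusterAppId)) {
    throw 'Token lacks the Admin role for the cluster application; check the app role assignment and consent.'
}
Connect-ServiceFabricCluster -AzureActiveDirectory -SecurityToken $jwt `
        -ConnectionEndpoint $endpoint -ServerCertThumbprint $thumbprint
```

Grant-ClusterAdminRole only needs to run once per cluster; the remaining lines are what the deployment pipeline runs. The claim check is deliberately done before connecting so that a misconfigured role assignment fails with a clear message instead of an opaque access-denied error from the cluster, and decoding the payload without signature verification is fine here because the token is only being inspected, not trusted.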


10-16 15:23