问题描述
我正在为我的Service Fabric群集设置Azure AD应用程序,因此不需要依赖Cert Auth来连接到群集.
I am setting up Azure AD applications for my Service Fabric cluster, so I do not need to rely on Cert Auth to connect to the cluster.
我们使用来自应用程序注册的服务主体,该主体具有对订阅的提供者"访问权限,可以运行ARM模板来设置集群.有没有办法让我也可以使Service Principal成为群集AD应用程序的管理员?
We use a Service Principal from an App Registration that has Contributor access to the subscription to run the ARM template to set up the cluster. Is there a way that I can make the Service Principal an Admin on the Cluster AD Application as well?
我们的部署脚本在Powershell中,并且看到以下帖子:使用AzureAD身份验证部署ServiceFabric应用关于如何自动进行连接,但是我需要一种与服务主体连接的方法.
Our deployment script is in Powershell and saw this post: Deploying ServiceFabric apps using AzureAD Authentication on how to automate connecting, but I need a way to connect with a Service Principal.
推荐答案
我想出了如何使其工作的方法.
I figured out how to get it to work.
第一部分是赋予服务主体在客户端应用程序上的角色.
The first part is to give the service principal the role on the Client App.
- 转到Azure门户-> Azure Active Directory->应用程序注册,然后选择创建的客户端应用程序.
- 转到
Manifest
页面并找到Admin
应用角色,并将"Application"
的条目添加到allowedMemberTypes
属性.更新后保存. - 转到应用程序注册",然后选择要用于运行自动化的应用程序
- 转到"API权限",单击添加权限"按钮.转到我的组织使用的
APIs
标签,然后搜索SF Cluster Client Application. - 选择应用程序权限,然后选择
Admin
权限. - 点击
< Tenant Name>
的管理员同意书
- Go to Azure Portal -> Azure Active Directory -> App Registrations and select the Client app created.
- Go to the
Manifest
page and find theAdmin
app role and add an entry for"Application"
to theallowedMemberTypes
property. Save when updated. - Go to App Registrations and select the app you are using to run automation with
- Go to API Permissions, Click Add permission Button. Go to the
APIs my organization uses
tab and search for the SF Cluster Client Application. - Select Application Permissions and chose the
Admin
permission. - Hit the
Grant admin consent for <Tenant Name>
一旦授予权限,就可以运行PowerShell脚本:
Once permission is granted, you can run the PowerShell script:
Add-Type -Path "./Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$authority = "https://login.microsoftonline.com/$($tenantId)"
$credentials = [Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential]::new($AzureLogin, $AzurePassword)
$authContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]::new($authority)
$authResult = $authContext.AcquireTokenAsync($clientAppId, $credentials)
$Token = $authResult.Result.AccessToken
Connect-ServiceFabricCluster -AzureActiveDirectory -SecurityToken $Token `
-ConnectionEndpoint $endpoint -ServerCertThumbprint $thumbprint
这篇关于在Service Fabric AD App上分配服务主体管理员角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!