Assign a managed identity access to an application role using PowerShell

Managed identities for Azure resources provide Azure services with an identity in Azure Active Directory. They work without needing credentials in your code. Azure services use this identity to authenticate to services that support Azure AD authentication. Application roles provide a form of role-based access control, and allow a service to implement authorization rules.

In this article, you learn how to assign a managed identity to an application role exposed by another application using Azure AD PowerShell.

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Prerequisites

Assign a managed identity access to another application's app role

  1. Enable managed identity on an Azure resource, such as an Azure VM.

  2. Find the object ID of the managed identity's service principal.

    For a system-assigned managed identity, you can find the object ID in the Azure portal on the resource's Identity page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's Properties page.

    $resourceIdWithManagedIdentity = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}'
    (Get-AzResource -ResourceId $resourceIdWithManagedIdentity).Identity.PrincipalId
    

    For a user-assigned managed identity, you can find the managed identity's object ID in the Azure portal on the resource's Overview page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the user-assigned managed identity.

    $userManagedIdentityResourceId = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}'
    (Get-AzResource -ResourceId $userManagedIdentityResourceId).Properties.PrincipalId
    
  3. Create a new application registration to represent the service that your managed identity will send a request to. If the API or service that exposes the app role you want to grant to the managed identity already has a service principal in your Azure AD tenant, skip this step. For example, if you want to grant the managed identity access to the Microsoft Graph API, you can skip this step.

  4. Find the object ID of the service application's service principal. You can find this using the Azure portal: go to Azure Active Directory and open the Enterprise applications page, then find the application and look for the Object ID. You can also find the service principal's object ID by its display name using the following PowerShell script, where $applicationName holds the application's display name:

    $serverServicePrincipalObjectId = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$applicationName'").ObjectId
    

    Note

    Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.

  5. Add an app role to the application you created in step 3. You can create the role using the Azure portal or using Microsoft Graph. For example, you could add an app role like this:

    {
        "allowedMemberTypes": [
            "Application"
        ],
        "displayName": "Read data from MyApi",
        "id": "0566419e-bb95-4d9d-a4f8-ed9a0f147fa6",
        "isEnabled": true,
        "description": "Allow the application to read data as itself.",
        "value": "MyApi.Read.All"
    }
    
  6. Assign the app role to the managed identity. You'll need the following information to assign the app role:

    • managedIdentityObjectId: the object ID of the managed identity's service principal, which you found in step 2.
    • serverServicePrincipalObjectId: the object ID of the server application's service principal, which you found in step 4.
    • appRoleId: the ID of the app role exposed by the server app, which you generated in step 5. In the example, the app role ID is 0566419e-bb95-4d9d-a4f8-ed9a0f147fa6.

    Execute the following PowerShell script to add the role assignment:

    New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId -Id $appRoleId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId
    

Complete script

This example script shows how to assign an Azure web app's managed identity to an app role.

# Install the module. (You need admin on the machine.)
# Install-Module AzureAD

# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
$tenantID = '<tenant-id>'

# The name of your web app, which has a managed identity that should be assigned to the server app's app role.
$webAppName = '<web-app-name>'
$resourceGroupName = '<resource-group-name-containing-web-app>'

# The name of the server app that exposes the app role.
$serverApplicationName = '<server-application-name>' # For example, MyApi

# The name of the app role that the managed identity should be assigned to.
$appRoleName = '<app-role-name>' # For example, MyApi.Read.All

# Sign in with the Az module so Get-AzWebApp can run (Azure China cloud, matching the Connect-AzureAD call below).
Connect-AzAccount -Environment AzureChinaCloud -Tenant $tenantID

# Look up the web app's managed identity's object ID.
$managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).Identity.PrincipalId

# Sign in with the AzureAD module to manage service principals and app role assignments.
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud -TenantId $tenantID

# Look up the details about the server app's service principal and app role.
$serverServicePrincipal = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
$serverServicePrincipalObjectId = $serverServicePrincipal.ObjectId
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id

# Assign the managed identity access to the app role.
New-AzureADServiceAppRoleAssignment `
    -ObjectId $managedIdentityObjectId `
    -Id $appRoleId `
    -PrincipalId $managedIdentityObjectId `
    -ResourceId $serverServicePrincipalObjectId
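The script above resolves the server app by display name and assigns the role in one pass. The following helpers are an added example, not part of the original article or of the AzureAD module, that make the two checks a practitioner would want explicit: the ambiguity warned about in the step 4 note (display names are not unique) and post-assignment verification for step 6. They assume the AzureAD module is loaded and Connect-AzureAD has already been run as in the script above, reuse the script's variable names ($serverApplicationName, $appRoleName, $managedIdentityObjectId), and assume that Get-AzureADServiceAppRoleAssignment, given the server service principal's object ID, lists the assignments granted on that resource. The function names are this example's own.

```powershell
# Added example helpers (hypothetical names, not the article's or the module's own).
# Assumes: AzureAD module loaded, Connect-AzureAD already run, and the variables
# $serverApplicationName, $appRoleName and $managedIdentityObjectId set as in the article's script.

function Get-UniqueServicePrincipalByName {
    param([Parameter(Mandatory)] [string] $DisplayName)

    # Display names are not unique in a tenant, so refuse to guess when 0 or more than 1 match.
    $candidates = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$DisplayName'")
    if ($candidates.Count -eq 0) {
        throw "No service principal with display name '$DisplayName' was found."
    }
    if ($candidates.Count -gt 1) {
        $ids = ($candidates | ForEach-Object { "$($_.ObjectId) (AppId $($_.AppId))" }) -join ', '
        throw "Display name '$DisplayName' is ambiguous; candidates: $ids. Look the service principal up by ObjectId or AppId instead."
    }
    return $candidates[0]
}

function Get-ApplicationAppRole {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $RoleValue
    )

    # The role must exist, be enabled, and permit 'Application' members; otherwise the
    # assignment either fails or grants nothing a managed identity can use.
    $role = $ServicePrincipal.AppRoles | Where-Object { $_.Value -eq $RoleValue }
    if (-not $role) {
        throw "Service principal '$($ServicePrincipal.DisplayName)' exposes no app role with value '$RoleValue'."
    }
    if (-not $role.IsEnabled) {
        throw "App role '$RoleValue' exists but is disabled."
    }
    if ($role.AllowedMemberTypes -notcontains 'Application') {
        throw "App role '$RoleValue' does not allow 'Application' members, so a managed identity cannot be assigned to it."
    }
    return $role
}

function Test-AppRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $ServerServicePrincipalObjectId,
        [Parameter(Mandatory)] [string] $PrincipalObjectId,
        [Parameter(Mandatory)] [string] $AppRoleId
    )

    # Assignments are recorded on the resource (server) service principal. List them and
    # check that this principal holds this role on this resource.
    $assignments = @(Get-AzureADServiceAppRoleAssignment -ObjectId $ServerServicePrincipalObjectId)
    $hit = $assignments | Where-Object {
        $_.PrincipalId -eq $PrincipalObjectId -and
        $_.Id -eq $AppRoleId -and
        $_.ResourceId -eq $ServerServicePrincipalObjectId
    }
    return [bool] $hit
}

# Usage: resolve the server app unambiguously, validate the role, assign it only if missing, then verify.
$serverServicePrincipal = Get-UniqueServicePrincipalByName -DisplayName $serverApplicationName
$appRole = Get-ApplicationAppRole -ServicePrincipal $serverServicePrincipal -RoleValue $appRoleName

$alreadyAssigned = Test-AppRoleAssignment -ServerServicePrincipalObjectId $serverServicePrincipal.ObjectId `
    -PrincipalObjectId $managedIdentityObjectId -AppRoleId $appRole.Id
if (-not $alreadyAssigned) {
    New-AzureADServiceAppRoleAssignment `
        -ObjectId $managedIdentityObjectId `
        -Id $appRole.Id `
        -PrincipalId $managedIdentityObjectId `
        -ResourceId $serverServicePrincipal.ObjectId | Out-Null
}

$verified = Test-AppRoleAssignment -ServerServicePrincipalObjectId $serverServicePrincipal.ObjectId `
    -PrincipalObjectId $managedIdentityObjectId -AppRoleId $appRole.Id
if ($verified) {
    Write-Host "Managed identity $managedIdentityObjectId holds app role '$appRoleName' on '$serverApplicationName'."
} else {
    throw "The assignment was not found after creation; check the object IDs and app role ID above."
}
```

Making the assignment idempotent (assign only when Test-AppRoleAssignment reports it missing) lets the script be re-run safely during deployments, and the final verification catches the common failure of having targeted a same-named service principal other than the intended one.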

Next steps