Automation with service principals

Service principals are an Azure Active Directory application resource you create within your tenant to perform unattended resource and service level operations. They're a unique type of user identity with an application ID and a password or certificate. A service principal has only those permissions necessary to perform the tasks defined by the roles and permissions to which it's assigned.

In Analysis Services, service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks. For example, provisioning servers, deploying models, data refresh, scale up/down, and pause/resume can all be automated by using service principals. Permissions are assigned to service principals through role membership, much like regular Azure AD UPN accounts.

Analysis Services also supports operations performed by managed identities using service principals. To learn more, see Managed identities for Azure resources and Azure services that support Azure AD authentication.

Create service principals

Service principals can be created in the Azure portal or by using PowerShell. To learn more, see:

Create service principal - Azure portal
Create service principal - PowerShell

Store credential and certificate assets in Azure Automation

Service principal credentials and certificates can be stored securely in Azure Automation for runbook operations. To learn more, see:

Credential assets in Azure Automation
Certificate assets in Azure Automation

Add service principals to the server admin role

Before you can use a service principal for Analysis Services server management operations, you must add it to the server administrators role. Service principals must be added directly to the server administrator role. Adding a service principal to a security group, and then adding that security group to the server administrator role, is not supported. To learn more, see Add a service principal to the server administrator role.

Service principals in connection strings

A service principal appID and password or certificate can be used in connection strings much the same as a UPN.

PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Using the Az.AnalysisServices module

When using a service principal for resource management operations with the Az.AnalysisServices module, use the Connect-AzAccount -Environment AzureChinaCloud cmdlet.

In the following example, an appID and password are used to perform control plane operations: synchronizing a database to read-only replicas and scaling the server up/out:

Param (
        [Parameter(Mandatory=$true)] [String] $AppId,
        [Parameter(Mandatory=$true)] [String] $PlainPWord,
        [Parameter(Mandatory=$true)] [String] $TenantId
       )
# Build a PSCredential for the service principal: user name = appID, password = client secret
$PWord = ConvertTo-SecureString -String $PlainPWord -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $AppId, $PWord

# Connect using the Az module as the service principal.
# -ServicePrincipal and -Tenant are required so the credential is treated as an app identity rather than a user sign-in.
Connect-AzAccount -Environment AzureChinaCloud -ServicePrincipal -Credential $Credential -Tenant $TenantId -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"

# Synchronize a database for query scale out
Sync-AzAnalysisServicesInstance -Instance "asazure://chinanorth.asazure.chinacloudapi.cn/testsvr" -Database "testdb"

# Scale up the server to an S1, set 2 read-only replicas, and remove the primary from the query pool. The new replicas will hydrate from the synchronized data.
Set-AzAnalysisServicesServer -Name "testsvr" -ResourceGroupName "testRG" -Sku "S1" -ReadonlyReplicaCount 2 -DefaultConnectionMode Readonly
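The example above takes the client secret as a plaintext runbook parameter. The following added example (not from the original article) shows the pattern the "Store credential and certificate assets in Azure Automation" section refers to: an Azure Automation runbook that reads the service principal's secret from a credential asset, or its private key from a certificate asset, and then performs the same control plane operations. The asset names ("AsSvcPrincipal", "AsSvcPrincipalCert", "AsSvcPrincipalAppId"), the server "testsvr", the resource group "testRG" and the database "testdb" are assumed values.

```powershell
# Added example: Azure Automation runbook signing in as a service principal from stored assets.
# Assumed asset names: credential "AsSvcPrincipal" (UserName = appID, Password = client secret),
# certificate "AsSvcPrincipalCert", and variable "AsSvcPrincipalAppId" (appID for the certificate path).
Param (
    [Parameter(Mandatory=$true)] [String] $TenantId,
    [Parameter(Mandatory=$true)] [String] $SubscriptionId,
    [Parameter(Mandatory=$false)] [Switch] $UseCertificate
)

if ($UseCertificate) {
    # Certificate asset: the private key never leaves Automation; only the thumbprint is passed to Az.
    $cert  = Get-AutomationCertificate -Name "AsSvcPrincipalCert"
    $appId = Get-AutomationVariable -Name "AsSvcPrincipalAppId"
    Connect-AzAccount -Environment AzureChinaCloud -ServicePrincipal `
        -ApplicationId $appId -CertificateThumbprint $cert.Thumbprint `
        -Tenant $TenantId -SubscriptionId $SubscriptionId | Out-Null
}
else {
    # Credential asset: the secret is retrieved as a PSCredential, so it is never a runbook parameter or log line.
    $cred = Get-AutomationPSCredential -Name "AsSvcPrincipal"
    Connect-AzAccount -Environment AzureChinaCloud -ServicePrincipal `
        -Credential $cred -Tenant $TenantId -SubscriptionId $SubscriptionId | Out-Null
}

$serverName = "testsvr"   # assumed
$rgName     = "testRG"    # assumed
$instance   = "asazure://chinanorth.asazure.chinacloudapi.cn/$serverName"

# A paused server cannot be synchronized; resume it first so the unattended job does not fail.
$server = Get-AzAnalysisServicesServer -ResourceGroupName $rgName -Name $serverName
if ($server.State -eq "Paused") {
    Write-Output "Server $serverName is paused, resuming before synchronization."
    Resume-AzAnalysisServicesServer -ResourceGroupName $rgName -Name $serverName | Out-Null
}

# Synchronize the model database to the read-only replicas (same operation as the article's example).
Sync-AzAnalysisServicesInstance -Instance $instance -Database "testdb"
Write-Output "Synchronization of testdb on $serverName completed."
```

Run the runbook in Azure Automation (not a local console), because Get-AutomationPSCredential, Get-AutomationCertificate and Get-AutomationVariable resolve against the Automation account's assets.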

Using the SQLServer module

In the following example, an appID and password are used to perform a model database refresh operation:

Param (
        [Parameter(Mandatory=$true)] [String] $AppId,
        [Parameter(Mandatory=$true)] [String] $PlainPWord,
        [Parameter(Mandatory=$true)] [String] $TenantId
       )
# Build a PSCredential for the service principal: user name = appID, password = client secret
$PWord = ConvertTo-SecureString -String $PlainPWord -AsPlainText -Force

$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $AppId, $PWord

# Full refresh of one table; -ServicePrincipal tells the SqlServer module to authenticate as the app identity in the given tenant
Invoke-ProcessTable -Server "asazure://chinanorth.asazure.chinacloudapi.cn/myserver" -TableName "MyTable" -Database "MyDb" -RefreshType "Full" -ServicePrincipal -ApplicationId $AppId -TenantId $TenantId -Credential $Credential

AMO and ADOMD

When connecting from client applications and web apps, the AMO and ADOMD client libraries (NuGet packages version 15.0.2 and higher) support service principals in connection strings, using app:AppID as the User ID together with either a password or cert:thumbprint.

In the following example, an appID and password are used to perform a model database refresh operation:

using Microsoft.AnalysisServices.Tabular;   // AMO Tabular client library (NuGet, 15.0.2 or later)

// Service principal identity: app:{appId} as the User ID, the client secret as the Password
string appId = "xxx";
string authKey = "yyy";
string connString = $"Provider=MSOLAP;Data Source=asazure://chinanorth.asazure.chinacloudapi.cn/<servername>;User ID=app:{appId};Password={authKey};";
Server server = new Server();
server.Connect(connString);
Database db = server.Databases.FindByName("adventureworks");
Table tbl = db.Model.Tables.Find("DimDate");
tbl.RequestRefresh(RefreshType.Full);   // queue a full refresh of the table
db.Model.SaveChanges();                 // send the queued refresh to the server
server.Disconnect();

Next steps

Sign in with Azure PowerShell
Refresh with Logic Apps

Add a service principal to the server administrator role
Automate Power BI Premium workspace and dataset tasks with service principals