Publish events to Azure Active Directory protected endpoints

This article describes how to take advantage of Azure Active Directory to secure the connection between your event subscription and your webhook endpoint. For an overview of Azure AD applications and service principals, see Microsoft identity platform (v2.0) overview.

This article uses the Azure portal for demonstration; the feature can also be enabled using the CLI, PowerShell, or the SDKs.

This feature is in preview. To use it, you must install a preview extension or module.

Install extension for Azure CLI

For Azure CLI, you need the Event Grid extension.

For a local installation:

  1. Uninstall Azure CLI locally.
  2. Install the latest version of Azure CLI.
  3. Launch a command window.
  4. Uninstall previous versions of the extension: az extension remove -n eventgrid
  5. Install the extension: az extension add -n eventgrid

Install module for PowerShell

For PowerShell, you need the AzureRM.EventGrid module.

For a local installation:

  1. Open a PowerShell console as administrator.
  2. Install the module: Install-Module -Name AzureRM.EventGrid -AllowPrerelease -Force -Repository PSGallery

If the -AllowPrerelease parameter isn't available, use the following steps:

  1. Run Install-Module PowerShellGet -Force
  2. Run Update-Module PowerShellGet
  3. Close the PowerShell console.
  4. Restart PowerShell as administrator.
  5. Install the module: Install-Module -Name AzureRM.EventGrid -AllowPrerelease -Force -Repository PSGallery

Create an Azure AD Application

Begin by creating an Azure AD application for your protected endpoint. See /active-directory/develop/scenario-protected-web-api-overview. Configure your protected API to be called by a daemon app.

Enable Event Grid to use your Azure AD Application

Use the PowerShell script below to create a role and service principal in your Azure AD application. You will need the Tenant ID and Object ID from your Azure AD application:

Note

You must be a member of the Azure AD Application Administrator role to execute this script.

  1. Modify the PowerShell script's $myTenantId to use your Azure AD tenant ID.
  2. Modify the PowerShell script's $myAzureADApplicationObjectId to use the object ID of your Azure AD application.
  3. Run the modified script.

# This is your Tenant Id.
$myTenantId = "<the Tenant Id of your Azure AD Application>"

Connect-AzureAD -TenantId $myTenantId

# This is your Azure AD Application's ObjectId.
$myAzureADApplicationObjectId = "<the Object Id of your Azure AD Application>"

# This is the "Azure Event Grid" Azure Active Directory AppId
$eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7"

# This is the name of the new role we will add to your Azure AD Application
$eventGridRoleName = "AzureEventGridSecureWebhook"

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    # Only applications (service principals), never users, may hold this role
    $appRole.AllowedMemberTypes.Add("Application")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}

# Get my Azure AD Application, its roles and its service principal
$myApp = Get-AzureADApplication -ObjectId $myAzureADApplicationObjectId
$myAppRoles = $myApp.AppRoles
# The application's own service principal is the resource of the role assignment
# below, so it is looked up here regardless of whether the role already exists
$myServicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $myApp.AppId + "'")
$eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")

Write-Host "App Roles before addition of new role.."
Write-Host $myAppRoles

# Create the role if it doesn't exist (compare on the role's Value, not on the object's string form)
if ($myAppRoles.Value -contains $eventGridRoleName)
{
    Write-Host "The Azure Event Grid role is already defined.`n"
}
else
{
    # Add our new role to the Azure AD Application
    $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
    $myAppRoles.Add($newRole)
    Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $myAppRoles
}

# Create the service principal for the "Azure Event Grid" application if it doesn't exist in this tenant
if ($eventGridSP)
{
    Write-Host "The Service principal is already defined.`n"
}
else
{
    $eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
}

# Assign the Event Grid service principal to the role. The role is selected by name rather
# than by position, so an application that already had other roles gets the correct one.
$eventGridRole = $myAppRoles | Where-Object { $_.Value -eq $eventGridRoleName }
New-AzureADServiceAppRoleAssignment -Id $eventGridRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId

Write-Host "My Azure AD Tenant Id: $myTenantId"
Write-Host "My Azure AD Application Id: $($myApp.AppId)"
Write-Host "My Azure AD Application ObjectId: $($myApp.ObjectId)"
Write-Host "My Azure AD Application's Roles: "
Write-Host $myApp.AppRoles

Configure the event subscription

In the creation flow for your event subscription, select the endpoint type 'Web Hook'. Once you've entered your endpoint URI, click the 'Additional features' tab at the top of the Create Event Subscription blade.

(Screenshot: select endpoint type Web Hook)

In the 'Additional features' tab, check the box for 'Use AAD authentication' and configure the tenant ID and application ID:

  • Copy the Azure AD tenant ID from the output of the script and enter it in the AAD Tenant ID field.

  • Copy the Azure AD application ID from the output of the script and enter it in the AAD Application ID field.

(Screenshot: secure webhook action)
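Once the subscription is configured, Event Grid presents a bearer token on every delivery, and the protected endpoint has to decide whether to accept it. The claim checks below are an added example, not code from this article or from the Event Grid SDKs: the Event Grid AppId and role name are the ones the script above uses; the tenant ID, application ID, the api://<app-id> audience form and the v1/v2 issuer formats are assumptions; and the token's signature must already have been verified against the tenant's published signing keys before these checks run.

```python
import base64
import json
import time

# Values from the article: the Event Grid service's Azure AD AppId and the app role
# the script assigns to its service principal.
EVENT_GRID_APP_ID = "4962773b-9cdb-44cf-a8bf-237846a00ab7"
EVENT_GRID_ROLE = "AzureEventGridSecureWebhook"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input: a JWT-shaped token with an empty signature.
    Real Azure AD tokens are RS256-signed; this only feeds the claim checks."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def validate_event_grid_claims(token: str, tenant_id: str, app_id: str, now=None):
    """Claim checks the webhook applies AFTER signature verification (not done here).
    Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return False, "malformed token"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    if claims.get("tid") != tenant_id:
        return False, "wrong tenant"
    # Assumed issuer formats: v1 tokens use sts.windows.net, v2 tokens login.microsoftonline.com
    if claims.get("iss") not in (f"https://sts.windows.net/{tenant_id}/",
                                 f"https://login.microsoftonline.com/{tenant_id}/v2.0"):
        return False, "unexpected issuer"
    # Assumption: the protected API's App ID URI is api://<app-id>
    if claims.get("aud") not in (app_id, f"api://{app_id}"):
        return False, "token not issued for this webhook"
    # The caller must be the Event Grid service itself (appid in v1 tokens, azp in v2)
    if claims.get("appid", claims.get("azp")) != EVENT_GRID_APP_ID:
        return False, "caller is not Azure Event Grid"
    if EVENT_GRID_ROLE not in claims.get("roles", []):
        return False, "missing app role " + EVENT_GRID_ROLE
    return True, "ok"
```

Checking the app role as well as the caller's AppId is what makes the assignment created by the script meaningful: a token for the same audience from any other principal in the tenant is rejected.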

Next steps