Publish events to Azure Active Directory protected endpoints

This article describes how to take advantage of Azure Active Directory to secure the connection between your event subscription and your webhook endpoint. For an overview of Azure AD applications and service principals, see Microsoft identity platform (v2.0) overview.

This article uses the Azure portal for demonstration; however, the feature can also be enabled using the CLI, PowerShell, or the SDKs.

Create an Azure AD application

Begin by creating an Azure AD application for your protected endpoint. See /active-directory/develop/scenario-protected-web-api-overview, and configure your protected API to be called by a daemon app.

Enable Event Grid to use your Azure AD application

This section shows you how to enable Event Grid to use your Azure AD application.

Note

You must be a member of the Azure AD Application Administrator role to execute this script.

Connect to your Azure tenant

First, connect to your Azure tenant using the Connect-AzureAD command.

# This is your Tenant Id. 
$myTenantId = "<the Tenant Id of your Azure AD Application>"
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud -TenantId $myTenantId

Create the Microsoft.EventGrid service principal

Run the following script to create the service principal for Microsoft.EventGrid if it doesn't already exist.

# This is the "Azure Event Grid" Azure Active Directory AppId
$eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7"

$eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")

# Create the service principal if it doesn't exist
# (Get-AzureADServicePrincipal returns $null when the filter matches nothing)
if ($null -ne $eventGridSP)
{
    Write-Host "The Service principal is already defined.`n"
} else
{
    # Create a service principal for the "Azure Event Grid" Azure AD Application;
    # it is assigned to the role in a later step
    $eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
}

Create a role for your application

Run the following script to create a role for your Azure AD application. In this example, the role name is AzureEventGridSecureWebhook. Modify the PowerShell script's $myTenantId to use your Azure AD tenant ID, and $myAzureADApplicationObjectId with the object ID of your Azure AD application.

# This is your Azure AD Application's ObjectId.
$myAzureADApplicationObjectId = "<the Object Id of your Azure AD Application>"

# This is the name of the new role we will add to your Azure AD Application
$eventGridRoleName = "AzureEventGridSecureWebhook"

# Create an application role of given name and description.
# AllowedMemberTypes = "Application" means only service principals (not users) can hold the role.
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("Application")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    # Value is the string that appears in the "roles" claim of tokens issued to assigned principals
    $appRole.Value = $Name
    return $appRole
}

# Get my Azure AD Application, its roles and its service principal
$myApp = Get-AzureADApplication -ObjectId $myAzureADApplicationObjectId
$myAppRoles = $myApp.AppRoles
$myServicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $myApp.AppId + "'")

Write-Host "App Roles before addition of new role.."
Write-Host $myAppRoles

# Create the role if it doesn't exist (compare on the role's Value, not on the object's string form)
if ($myAppRoles | Where-Object { $_.Value -eq $eventGridRoleName })
{
    Write-Host "The Azure Event Grid role is already defined.`n"
} else
{
    # Add our new role to the Azure AD Application
    $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
    $myAppRoles.Add($newRole)
    Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $myAppRoles
}

# print application's roles
Write-Host "My Azure AD Application's Roles: "
Write-Host $myAppRoles

Add the Event Grid service principal to the role

Now, run the New-AzureADServiceAppRoleAssignment command to assign the Event Grid service principal to the role you created in the previous step.

# Look the role up by its Value rather than assuming it is the first role in the list
$eventGridRole = $myAppRoles | Where-Object { $_.Value -eq $eventGridRoleName }
New-AzureADServiceAppRoleAssignment -Id $eventGridRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId

Run the following commands to output the information that you will use in the next steps.

Write-Host "My Azure AD Tenant Id: $myTenantId"
Write-Host "My Azure AD Application Id: $($myApp.AppId)"
Write-Host "My Azure AD Application ObjectId: $($myApp.ObjectId)"

Configure the event subscription

In the creation flow for your event subscription, select the endpoint type 'Web Hook'. Once you've given your endpoint URI, click the 'Additional features' tab at the top of the 'Create event subscription' blade.

[Image: Select endpoint type webhook]

In the 'Additional features' tab, check the box for 'Use AAD authentication' and configure the tenant ID and application ID:

  • Copy the Azure AD tenant ID from the output of the script and enter it in the AAD Tenant ID field.

  • Copy the Azure AD application ID from the output of the script and enter it in the AAD Application ID field.

[Image: Secure webhook action]
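Enabling AAD authentication on the subscription only makes Event Grid present a bearer token; the protection comes from the webhook actually checking it. The following is an added example, not code from this article or from Event Grid, of the claim checks a webhook should apply to each delivery after the token's signature has been verified (signature verification against the tenant's published signing keys is outside this offline example and must come first). It uses the AzureEventGridSecureWebhook role name from the page; the tenant ID, application ID and tokens are constructed samples, and the assumption that the audience may be either the bare application ID or its api:// Application ID URI form is the author's, not the article's.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed sample identifiers (not real tenants or apps); in practice use the
# values the page's PowerShell script prints at the end.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_APP_ID = "66666666-7777-8888-9999-000000000000"
EVENT_GRID_ROLE = "AzureEventGridSecureWebhook"   # the app role created on the page
FIXED_NOW = 1_700_000_000                          # frozen clock so the sample is deterministic


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def extract_claims(bearer_token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    This only parses; it does NOT check the signature. Before any claim here is
    trusted, the token must be verified against the tenant's published signing
    keys (for example with a JWT library configured from the tenant's OpenID
    Connect metadata). That verification is outside this offline example.
    """
    parts = bearer_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize_event_grid_call(claims: dict, tenant_id: str, app_id: str,
                              role: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a signature-verified token authorizes an Event Grid delivery.

    Checks, in order: the token was issued by our tenant (tid), it was issued for
    this application (aud), it has not expired (exp), and the caller holds the app
    role that the page assigns to the Event Grid service principal (roles).
    """
    now = time.time() if now is None else now
    if claims.get("tid") != tenant_id:
        return False, "token issued by a different tenant"
    # Assumption: the webhook accepts its application ID as the audience, in the
    # bare form or in the api://<app id> Application ID URI form.
    if claims.get("aud") not in (app_id, f"api://{app_id}"):
        return False, "token audience is not this application"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if role not in claims.get("roles", []):
        return False, f"caller lacks the {role} app role"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for exercising the claim checks.

    The signature segment is a placeholder; a real Azure AD token is RS256-signed.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.signature-placeholder"


def demo() -> dict:
    """Run the checks over a valid delivery token and three rejected variants."""
    good = {"tid": SAMPLE_TENANT_ID, "aud": SAMPLE_APP_ID,
            "exp": FIXED_NOW + 3600, "roles": [EVENT_GRID_ROLE]}
    no_role = dict(good, roles=[])                                       # SP never assigned the role
    wrong_aud = dict(good, aud="99999999-0000-0000-0000-000000000000")  # token minted for another API
    expired = dict(good, exp=FIXED_NOW - 1)

    results = {}
    for name, claims in (("good", good), ("no_role", no_role),
                         ("wrong_aud", wrong_aud), ("expired", expired)):
        token = make_sample_token(claims)
        results[name] = authorize_event_grid_call(extract_claims(token), SAMPLE_TENANT_ID,
                                                  SAMPLE_APP_ID, EVENT_GRID_ROLE, now=FIXED_NOW)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} -> {'accept' if ok else 'reject'}: {reason}")
```

The roles check is the one that ties back to this article: a token from any other service principal in the same tenant, even one that legitimately targets this application, carries no AzureEventGridSecureWebhook entry in its roles claim and is rejected, so the app role assignment, not just the tenant and audience, is what restricts the webhook to Event Grid.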

Next steps