Azure: GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges

Kar*_*mar 3 azure azure-active-directory terraform-provider-azure azure-service-principal

I'm trying to create Azure AD groups with the following Terraform code

```hcl
# Required Provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0.2"
    }
    # azuread_group and azuread_client_config are served by the azuread provider,
    # so it is declared explicitly here instead of relying on implicit lookup
    azuread = {
      source = "hashicorp/azuread"
    }
  }
  required_version = ">= 1.1.0"
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}

  ....
  ....
}

data "azuread_client_config" "current" {}

# Variables
variable "ad_groups" {
  description = "Azure AD groups to be added"
  type = list(object({
    display_name = string,
    description  = string
  }))
  default = [
    {
      display_name = "Group1"
      description  = "some description"
    },
    {
      display_name = "Group2"
      description  = "some description"
    }
  ]
}

# Create AD Groups and add the Current User as owner
resource "azuread_group" "this" {
  count                   = length(var.ad_groups)
  display_name            = var.ad_groups[count.index].display_name
  description             = var.ad_groups[count.index].description
  security_enabled        = true
  prevent_duplicate_names = true
  owners                  = [data.azuread_client_config.current.object_id]
}
```

I get the following error

```text
Error: could not check for existing group(s): unable to list Groups with filter "displayName eq 'Group1'": GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
```

This service principal has the following roles at the management group level

Does it need the Directory.ReadWrite.All or Group.ReadWrite.All API permission? If not, what access is required?

Note: if I disable `prevent_duplicate_names = true` and apply the Terraform, it raises the following error

```text
GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
```

Sri*_*evi 7

I tried to reproduce the same in my environment via Postman and got the following results:

By default, a newly created application already has the User.Read API permission added.

I registered a new Azure AD application named GroupSP with API permissions as below:

Without adding any extra API permissions, I generated an access token via Postman using the client credentials flow as below:

```http
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:client_credentials
client_secret:<secret>
scope: https://graph.microsoft.com/.default
```

Response:

When I used the above token to create an Azure AD group with an owner, I got the same error as below:

```http
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json

{
  "description": "Group with designated owner",
  "displayName": "Group1",
  "groupTypes": [ ],
  "mailEnabled": false,
  "mailNickname": "srigroup",
  "securityEnabled": true,
  "owners@odata.bind": [
    "https://graph.microsoft.com/v1.0/users/<userID>"
  ]
}
```

Response:

To resolve the error, I added the Directory.ReadWrite.All API permission to the service principal as below:

After granting admin consent to the above permission, I generated the access token again, ran the same query, and got a successful response as below:

```http
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json

{
  "description": "Group with designated owner",
  "displayName": "Group1",
  "groupTypes": [ ],
  "mailEnabled": false,
  "mailNickname": "srigroup",
  "securityEnabled": true,
  "owners@odata.bind": [
    "https://graph.microsoft.com/v1.0/users/<userID>"
  ]
}
```

Response:

To confirm this, I checked the portal where the Azure AD group was created, and the owner was added successfully as below:

You can also check the audit logs of the created group as below:

In your case, make sure to add the Directory.ReadWrite.All API permission to your service principal to resolve the 403 Forbidden error.

If you add the Directory.ReadWrite.All permission to the service principal, the Group.ReadWrite.All permission is not needed.
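As an added example (not code from the question or the answer), the following Python preflight builds the same client-credentials token request the answer sends through Postman and then inspects the `roles` claim of the app-only token, so a service principal that is missing the Directory.ReadWrite.All (or Group.ReadWrite.All) app role is caught before Terraform reports Authorization_RequestDenied. The helper names are assumptions, the sample tokens are constructed inline, and the signature is deliberately not verified: this is inspection for troubleshooting, not a trust decision.

```python
"""Preflight for the Terraform 403: does the app-only Graph token carry a group-writing app role?"""
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# App roles that permit POST /groups with owners@odata.bind (Graph permission reference);
# the answer above grants the first one.
ACCEPTED_ROLES = ("Directory.ReadWrite.All", "Group.ReadWrite.All")


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials call shown in the answer."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "grant_type": "client_credentials",
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Decode the JWT payload only. The signature is NOT verified: inspection, not trust."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_group_roles(access_token):
    """Return [] when a group-creating app role is present, else the roles to grant.

    Client-credentials tokens carry application permissions in 'roles'. With only the
    default User.Read delegated permission the token has no 'roles' claim at all, which
    is the state that yields Authorization_RequestDenied on GroupsClient Get/Post."""
    roles = set(decode_claims(access_token).get("roles", []))
    return [] if roles & set(ACCEPTED_ROLES) else list(ACCEPTED_ROLES)


def constructed_token(claims):
    """Build an unsigned sample JWT for offline demonstration (constructed, not issued by Azure AD)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed-signature"])
```

Run `missing_group_roles()` on the token Postman returns before `terraform apply`; an empty list means consent for a sufficient app role has actually landed in the token.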