With the help of 帕特里克·梁 on the MSDN forum, I finally came up with a solution: enable the Pre-consent feature on the partner's AAD application and grant it access to the customer's subscription. Let me describe it:
1. Partner Center Explorer project
https://github.com/Microsoft/Partner-Center-Explorer/
It is similar to the partnercenter.microsoft.com web application and is a good example of how to use the various Microsoft APIs. Most importantly, the project is a complete example of a partner AAD application accessing a customer's subscriptions. However, it expects user interaction (OAuth authentication via login.live.com as the partner), and I ran into some problems when trying to avoid it. Below I describe how to connect to a customer's subscription with all credentials supplied from code.
2. Partner AAD application
Create a native AAD application rather than a web AAD application, but configure its "Permissions to other applications" the same way. Skip the steps that do not apply to native applications (for example, skip obtaining the client_secret and skip the manifest update).
3. PowerShell script
The last step of the application configuration is to run this script:
# Sign in to the partner tenant with an administrator account.
Connect-MsolService
# The AdminAgents group carries the partner's delegated admin rights over all customer tenants;
# every service principal added here inherits them, so only the intended app should be added.
$g = Get-MsolGroup | ? {$_.DisplayName -eq 'AdminAgents'}
# Locate the service principal of the partner app by its Application (client) ID.
$s = Get-MsolServicePrincipal | ? {$_.AppPrincipalId -eq 'INSERT-CLIENT-ID-HERE'}
# Make the app's service principal a member of AdminAgents.
Add-MsolGroupMember -GroupObjectId $g.ObjectId -GroupMemberType ServicePrincipal -GroupMemberObjectId $s.ObjectId
Running these cmdlets requires installing a couple of modules. If you get an error while installing "Microsoft Online Services Sign-In Assistant for IT Professionals", try installing the BETA module instead:
Microsoft Online Services Sign-In Assistant for IT Professionals BETA
and you may also need this one:
Microsoft Online Services Module for Windows PowerShell 64-bit
4. Code
Finally, we are ready to authenticate and create a role assignment:
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, UserCredential

// Entry point: acquire a token for the customer tenant, then create the role assignment.
// Returns Task (not void) so the caller can await it and observe exceptions.
public async Task AssignRoleAsync()
{
    var token = await GetTokenAsync();
    var response = await AssignRoleAsync(token.AccessToken);
}

// Authenticates the partner user against the customer's tenant (CustomerId) for the
// pre-consented partner app (ApplicationId); no interactive login prompt is needed.
public async Task<AuthenticationResult> GetTokenAsync()
{
    var authContext = new AuthenticationContext($"https://login.windows.net/{CustomerId}");
    return await authContext.AcquireTokenAsync(
        "https://management.core.windows.net/"
        , ApplicationId
        , new UserCredential(PartnerUserName, PartnerPassword));
}

// Creates a role assignment at the customer subscription scope via the ARM REST API (PUT).
public async Task<HttpResponseMessage> AssignRoleAsync(string accessToken)
{
    // Each role assignment is addressed by a new GUID chosen by the caller.
    string newAssignmentId = Guid.NewGuid().ToString();
    string subSegment = $"subscriptions/{CustomerSubscriptionId}/providers/Microsoft.Authorization";
    string requestUri = $"https://management.azure.com/{subSegment}/roleAssignments/{newAssignmentId}?api-version=2015-07-01";
    // GUID of the role definition to grant (see below for how to look it up).
    string roleDefinitionId = "INSERT_ROLE_GUID_HERE";
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add("Authorization", "Bearer " + accessToken);
        // AssignRoleRequestBody and HttpHelper.CreateJsonRequest are the request body class
        // and JSON helper used alongside this code; they are not shown here.
        var body = new AssignRoleRequestBody();
        body.properties.principalId = UserToAssignId;
        body.properties.roleDefinitionId = $"/{subSegment}/roleDefinitions/{roleDefinitionId}";
        var httpRequest = HttpHelper.CreateJsonRequest(body, HttpMethod.Put, requestUri);
        return await client.SendAsync(httpRequest);
    }
}
To get the role definition ID, simply issue a "get all roles" (list role definitions) request against each subscription scope.
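The two request shapes described above (the role definition lookup at subscription scope and the PUT body for the role assignment) can be worked through offline. The following Python is an added example, not code from this answer or from the Partner Center Explorer project: it resolves a role definition ID from a constructed sample of a "list role definitions" response, refuses roles whose assignableScopes do not cover the target subscription, flags roles that grant a wildcard action (so a partner automation grants the narrowest role that works), and builds the same request URI and body that the C# above sends. All subscription, role and principal GUIDs are constructed placeholders.

```python
import json
import re
import uuid

ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2015-07-01"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed placeholder IDs (not real subscriptions, roles or principals).
CUSTOMER_SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"
OTHER_SUBSCRIPTION_ID = "22222222-2222-2222-2222-222222222222"
READER_ROLE_GUID = "aaaaaaaa-0000-0000-0000-000000000001"
CUSTOM_ROLE_GUID = "aaaaaaaa-0000-0000-0000-000000000002"


def authorization_segment(subscription_id):
    """The path segment the C# above calls subSegment."""
    return f"subscriptions/{subscription_id}/providers/Microsoft.Authorization"


def role_definitions_list_uri(subscription_id):
    """GET this URI (with the bearer token) to list all role definitions at subscription scope."""
    return f"{ARM_ENDPOINT}/{authorization_segment(subscription_id)}/roleDefinitions?api-version={API_VERSION}"


# Constructed sample of what the list call returns: one built-in read-only role assignable
# everywhere ("/") and one custom, wildcard-permission role assignable only in another subscription.
SAMPLE_ROLE_DEFINITIONS = {
    "value": [
        {
            "id": f"/{authorization_segment(CUSTOMER_SUBSCRIPTION_ID)}/roleDefinitions/{READER_ROLE_GUID}",
            "name": READER_ROLE_GUID,
            "type": "Microsoft.Authorization/roleDefinitions",
            "properties": {"roleName": "Reader", "type": "BuiltInRole", "assignableScopes": ["/"],
                           "permissions": [{"actions": ["*/read"], "notActions": []}]},
        },
        {
            "id": f"/{authorization_segment(OTHER_SUBSCRIPTION_ID)}/roleDefinitions/{CUSTOM_ROLE_GUID}",
            "name": CUSTOM_ROLE_GUID,
            "type": "Microsoft.Authorization/roleDefinitions",
            "properties": {"roleName": "Partner Ops", "type": "CustomRole",
                           "assignableScopes": [f"/subscriptions/{OTHER_SUBSCRIPTION_ID}"],
                           "permissions": [{"actions": ["*"], "notActions": []}]},
        },
    ]
}


def grants_wildcard_action(role_definition):
    """True if any permission block grants the unrestricted '*' action (Owner-like power)."""
    return any("*" in p.get("actions", []) for p in role_definition["properties"].get("permissions", []))


def find_role_definition_id(listing, role_name, target_scope):
    """Return the full roleDefinitions id for role_name, or None if the role is absent
    or not assignable at target_scope (an assignableScope of "/" covers every scope)."""
    for rd in listing.get("value", []):
        props = rd.get("properties", {})
        if props.get("roleName", "").lower() != role_name.lower():
            continue
        for scope in props.get("assignableScopes", []):
            if target_scope.lower().startswith(scope.lower().rstrip("/")):
                return rd["id"]
    return None


def build_role_assignment_request(subscription_id, role_definition_id, principal_id, assignment_id=None):
    """Build (uri, body) for the PUT the C# above sends. Accepts either a bare role GUID,
    which is expanded to the scoped path like the C# does, or an already-full id path."""
    seg = authorization_segment(subscription_id)
    assignment_id = assignment_id or str(uuid.uuid4())
    if GUID_RE.match(role_definition_id):
        role_definition_id = f"/{seg}/roleDefinitions/{role_definition_id}"
    uri = f"{ARM_ENDPOINT}/{seg}/roleAssignments/{assignment_id}?api-version={API_VERSION}"
    body = {"properties": {"roleDefinitionId": role_definition_id, "principalId": principal_id}}
    return uri, body


if __name__ == "__main__":
    scope = f"/subscriptions/{CUSTOMER_SUBSCRIPTION_ID}"
    reader_id = find_role_definition_id(SAMPLE_ROLE_DEFINITIONS, "Reader", scope)
    uri, body = build_role_assignment_request(CUSTOMER_SUBSCRIPTION_ID, reader_id,
                                              "33333333-3333-3333-3333-333333333333")
    print("PUT", uri)
    print(json.dumps(body, indent=2))
```

In practice the listing comes from a GET to `role_definitions_list_uri(...)` with the same bearer token the C# acquires; the lookup is scope-aware because a custom role listed in one subscription is not assignable in another, and the wildcard check lets the caller reject an over-broad role before the PUT is ever sent.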
Related links:
MSDN: How to manage customer's usage-based subscription programmatically?
MSDN: When will auto-stamping/implicit consent be available for CREST customers?
Managing Role-Based Access Control with the REST API