Permission issue in an Automation account
I am trying to get a list of App registrations expiring within 7 days. Locally it is working perfectly, but I am facing an Insufficient privileges issue in the Automation account. I am the global administrator of the account and have provided permissions to the service connection API; below are the permissions
I have literally given all the permissions but don't know what I am missing. Below is the error
Get-AzureADApplication : Error occurred while executing GetApplications
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: a83caa17-1c58-433a-b0ea-f4a3f8a43d7f
DateTimeStamp: Mon, 14 Feb 2022 04:56:58 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:11 char:17
+ $Applications = Get-AzureADApplication -all $true
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetApplication
And below is the script:
#Connect-AzureAD
# The identity the runbook runs as must already be signed in to Azure AD here, and it
# needs directory permission to read application objects, or the next call fails with
# Authorization_RequestDenied.
$Applications = Get-AzureADApplication -All $true
$Logs = @()
$Days = 7
$AlreadyExpired = "YES"   # "Yes" also reports credentials that have already expired (-eq is case-insensitive)
$now = Get-Date

foreach ($app in $Applications) {
    $AppName = $app.DisplayName
    $AppID = $app.ObjectId
    $ApplID = $app.AppId
    $AppCreds = Get-AzureADApplication -ObjectId $AppID | Select-Object PasswordCredentials, KeyCredentials
    $secret = $AppCreds.PasswordCredentials   # client secrets
    $cert = $AppCreds.KeyCredentials          # certificates

    # Client secrets
    foreach ($s in $secret) {
        $StartDate = $s.StartDate
        $EndDate = $s.EndDate
        $operation = $EndDate - $now
        $ODays = $operation.Days   # days until expiry; negative when already expired
        if ($AlreadyExpired -eq "No") {
            if ($ODays -le $Days -and $ODays -ge 0) {
                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectId -join ";"
                if ($Owner.UserPrincipalName -eq $null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }
                $Log = New-Object System.Object
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Secret Start Date" -Value $StartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Secret End Date" -Value $EndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -Value $OwnerID
                $Logs += $Log
            }
        }
        elseif ($AlreadyExpired -eq "Yes") {
            if ($ODays -le $Days) {
                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectId -join ";"
                if ($Owner.UserPrincipalName -eq $null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }
                $Log = New-Object System.Object
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Secret Start Date" -Value $StartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Secret End Date" -Value $EndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -Value $OwnerID
                $Logs += $Log
            }
        }
    }

    # Certificates. The secret columns are added as $null here so every log object has the
    # same property set (Export-CSV takes its headers from the first object).
    foreach ($c in $cert) {
        $CStartDate = $c.StartDate
        $CEndDate = $c.EndDate
        $COperation = $CEndDate - $now
        $CODays = $COperation.Days
        if ($AlreadyExpired -eq "No") {
            if ($CODays -le $Days -and $CODays -ge 0) {
                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectId -join ";"
                if ($Owner.UserPrincipalName -eq $null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }
                $Log = New-Object System.Object
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Secret Start Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Secret End Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $CStartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -Value $CEndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -Value $OwnerID
                $Logs += $Log
            }
        }
        elseif ($AlreadyExpired -eq "Yes") {
            if ($CODays -le $Days) {
                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectId -join ";"
                if ($Owner.UserPrincipalName -eq $null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }
                $Log = New-Object System.Object
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Secret Start Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Secret End Date" -Value $null
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $CStartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -Value $CEndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -Value $OwnerID
                $Logs += $Log
            }
        }
    }
}

# Render the report as text so it can be written to the job output and mailed
$p = Write-Output $Logs | Format-Table -Property "ApplicationName","Secret End Date","Certificate End Date","Owner" | Out-String
Write-Host $p
#Write-Host "Add the Path you'd like us to export the CSV file to, in the format of <C:\Users\<USER>\Desktop\Users.csv>" -ForegroundColor Green
#$Path = Read-Host
#$Logs | Export-Csv $Path -NoTypeInformation -Encoding UTF8

# In an Automation account the module is imported into the account's modules rather than
# installed at run time; Install-Module would also prompt in a non-interactive job.
Install-Module -Name PSSendGrid
Import-Module -Name PSSendGrid
$Parameters = @{
    FromAddress = "kk****@abc.com"
    ToAddress   = "k********[email protected]", "[email protected]", "[email protected]"
    Subject     = "List of Expiring/Expired App registration keys/secrets Report - Ariqt & Ariqt-Dev/Test"
    Body        = "Below is list of Expiring/Expired App registration keys/secrets in 7 days $p"
    # SendGrid API key (masked); in a runbook this belongs in an encrypted Automation
    # variable or Key Vault rather than in the script body.
    Token       = "SG.m1z9e*******************324w9hlTMb779xEvqIUjv0"
    #FromName = "Barbara"
    #ToName = "Barbara"
}
Send-PSSendGridMail @Parameters
Please help me what I am missing.
Comments (1)
You have incorrect permissions. The ones you have are for PIM (Privileged Identity Management). To read data about App Regs you need one of these, e.g.
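An added diagnostic, not code from the question or the answer: before rerunning the runbook, list the application permissions (app roles) actually granted to the identity it runs as and check whether one that can read app registrations is among them. The Run As application (client) ID is a placeholder to fill in; it assumes an existing Connect-AzureAD session that can read service principals, and uses the well-known app IDs of Azure AD Graph (which the AzureAD module calls) and Microsoft Graph.

```powershell
# Added diagnostic (not part of the original post): which app roles does the
# runbook identity hold on the two directory Graph APIs, and is any of them
# sufficient to list app registrations?
param(
    # Placeholder: application (client) ID of the Automation Run As / service connection app
    [string]$RunAsAppId = "<RUN-AS-APP-ID>"
)

# Well-known resource app IDs
$ResourceAppIds = @{
    "Azure AD Graph"  = "00000002-0000-0000-c000-000000000000"
    "Microsoft Graph" = "00000003-0000-0000-c000-000000000000"
}
# Any one of these application permissions lets a caller read app registrations
$SufficientRoles = @("Application.Read.All", "Application.ReadWrite.All", "Directory.Read.All")

$clientSp = Get-AzureADServicePrincipal -Filter "appId eq '$RunAsAppId'"
if (-not $clientSp) { throw "No service principal found for appId $RunAsAppId" }

$granted = foreach ($name in $ResourceAppIds.Keys) {
    $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$($ResourceAppIds[$name])'"
    if (-not $resourceSp) { continue }
    # Assignments of this resource's app roles to principals; keep those for our client SP.
    # The assignment's Id is the appRoleId, resolved to a name through the resource's AppRoles.
    Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $clientSp.ObjectId } |
        ForEach-Object {
            $assignment = $_
            $role = $resourceSp.AppRoles | Where-Object { $_.Id -eq $assignment.Id }
            [pscustomobject]@{
                Resource   = $name
                Permission = $role.Value
                RoleId     = $assignment.Id
            }
        }
}

$granted | Format-Table Resource, Permission, RoleId -AutoSize
$ok = $granted | Where-Object { $SufficientRoles -contains $_.Permission }
if ($ok) {
    "OK: $($clientSp.DisplayName) holds $(($ok.Permission | Select-Object -Unique) -join ', ')"
} else {
    "MISSING: grant one of $($SufficientRoles -join ', ') to $($clientSp.DisplayName) and give admin consent"
}
```

Delegated permissions and PIM role eligibility do not show up here; only app roles granted to the service principal do, which is what a non-interactive runbook relies on.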