
[Azure Environment] Analysis of the "No HTTP Resource was found" error when running Update-MgEntitlementManagementAccessPackageAssignmentPolicy

The Microsoft Graph PowerShell SDK acts as an API wrapper for the Microsoft Graph APIs, exposing the entire API set for use in PowerShell. It contains a set of cmdlets that help you manage identities at scale, from automating tasks to managing users in bulk using Azure Active Directory (Azure AD). It helps administer every Azure AD feature that has an API in Microsoft Graph.

The Microsoft Graph PowerShell SDK is the replacement for the Azure AD PowerShell module and is recommended for interacting with Azure AD.

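Problem description

Because Microsoft Graph PowerShell is still in beta, you can run into unknown issues when using it. For example, when using the Update-MgEntitlementManagementAccessPackageAssignmentPolicy command to update accessPackageAssignmentPolicies in IdentityGovernance, the following error occurred: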

    Update-MgEntitlementManagementAccessPackageAssignmentPolicy_UpdateExpanded: C:\Users\setupGovernance-v2.ps1:15:33
    Line |
      15 |  …             Update-MgEntitlementManagementAccessPackageAssignmentPoli …
         |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | No HTTP resource was found that matches the request URI
         | 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('ee52b1d4-95f6-4532-9682-b94dc24783e3')?slice=PROD'.

The PowerShell script that was run:

    # Read the current policy through the SDK cmdlet
    $updatePolicy = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id
    if ($updatePolicy.requestorSettings.acceptRequests) {
        $requestorSettings = $updatePolicy.requestorSettings
        $requestorSettings.acceptRequests = $false
        # This call is the one that fails with "No HTTP resource was found"
        Update-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id `
            -RequestorSettings $requestorSettings
    }

Problem analysis

Running Update-MgEntitlementManagementAccessPackageAssignmentPolicy with -Debug shows, in the debug output, that the failure is a 404 Not Found error returned while executing PATCH https://microsoftgraph.chinacloudapi.cn/beta/xxx.

    DEBUG: PATCH https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    HTTP/1.1 404 Not Found
    Date: Sat, 18 Sep 2021 07:38:34 GMT
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    client-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000034A"}}
    Content-Type: application/json
    Content-Encoding: gzip

    {"error":{"code":"",
    "message":"No HTTP resource was found that matches the request URI 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')?slice=PROD'.",
    "innerError":{"date":"2021-09-18T07:38:35","request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","client-request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}}}
    DEBUG: Finally:
    DEBUG: CmdletAfterAPICall:
    DEBUG: CmdletProcessRecordAsyncEnd:
    DEBUG: CmdletProcessRecordEnd:
    DEBUG: CmdletEndProcessing:

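So the problem is localized to the PATCH request. Comparing against the REST API directly, both GET and PUT succeed. This is therefore a bug in the Microsoft.Graph.Identity.Governance part of the SDK: it uses the wrong HTTP method. But until a fixed version is released, how can the problem be worked around?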

1) Use the REST API instead of the PowerShell command to send the request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Sending a PUT request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx with the Postman tool returned 200 Success.

Sending a PATCH request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx returned a 404 error code.

Source: https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

2) Use Invoke-MgGraphRequest with the method set to PUT to send the request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

The detailed code:

    ## Connect to MgGraph
    if ($AzureEnvironment -eq "Global") {
        Connect-MgGraph -TenantId $config.tenantId `
            -Scopes "EntitlementManagement.ReadWrite.All"
    }
    else {
        Connect-MgGraph -Environment "China" `
            -TenantId $config.tenantId `
            -ClientId $config.spClientId `
            -Scopes "EntitlementManagement.ReadWrite.All" `
            -UseDeviceAuthentication
    }
    Select-MgProfile -Name "beta"

    if ($AzureEnvironment -eq "Global") {
        $baseGraphUri = 'https://graph.microsoft.com'
    }
    else {
        $baseGraphUri = 'https://microsoftgraph.chinacloudapi.cn'
    }
    $apiVersion = "beta"

    ## Call Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy to update the policy
    # $baseGraphUri already contains the scheme, so the format string must not add another "https://"
    $policyUri = ('{0}/{1}/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{2}' -f $baseGraphUri, $apiVersion, $p.id)
    $currentPolicy = Invoke-MgGraphRequest -Method GET -Uri $policyUri -OutputType Json | ConvertFrom-Json -Depth 10

    if ($currentPolicy.RequestorSettings.acceptRequests) {
        Write-Host "disable assignment policy" $p.id "with active assignments for" $accessPackage.displayName
        $newPolicy = $currentPolicy
        $newPolicy.RequestorSettings.acceptRequests = $false
        # Serialize the whole policy and send it back with PUT instead of PATCH
        $updatedPolicy = $newPolicy | ConvertTo-Json -Depth 10
        Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy
    }

Note: if the error "generalException Message: Unexpected exception returned from MSAL." appears when running the command, it is an authentication problem. Run Connect-MgGraph once before calling Invoke-MgGraphRequest.
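
A more defensive form of workaround 2, added here as an example (not part of the original script or of the SDK): it checks the Graph session before calling, sends the full policy with PUT, then reads the policy back to confirm the change took effect and that the approval settings were not altered. The function name Disable-AccessPackagePolicyRequests and its $PolicyUri parameter are hypothetical; PowerShell 7 is assumed.

```powershell
# Added example: hypothetical helper, not from the original script.
function Disable-AccessPackagePolicyRequests {
    [CmdletBinding()]
    param(
        # Full Graph URI of the policy, built as $policyUri is above
        [Parameter(Mandatory)] [string] $PolicyUri
    )

    # Fail early instead of hitting the MSAL exception mid-run
    $ctx = Get-MgContext
    if (-not $ctx) { throw "No Graph session. Run Connect-MgGraph first." }
    if ($ctx.Scopes -notcontains 'EntitlementManagement.ReadWrite.All') {
        throw "Session lacks the EntitlementManagement.ReadWrite.All scope."
    }

    $policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri -OutputType Json |
        ConvertFrom-Json -Depth 10
    if (-not $policy.requestorSettings.acceptRequests) {
        return $policy   # already closed to new requests, nothing to do
    }

    # Snapshot the approval settings so they can be compared after the update
    $approvalBefore = ConvertTo-Json -InputObject $policy.requestApprovalSettings -Depth 10 -Compress

    # PUT replaces the whole policy, so send back the complete object
    $policy.requestorSettings.acceptRequests = $false
    $body = ConvertTo-Json -InputObject $policy -Depth 10
    Invoke-MgGraphRequest -Method PUT -Uri $PolicyUri -Body $body | Out-Null

    # Read back and verify instead of trusting the status code alone
    $after = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri -OutputType Json |
        ConvertFrom-Json -Depth 10
    if ($after.requestorSettings.acceptRequests) {
        throw "Policy still accepts requests after PUT: $PolicyUri"
    }
    $approvalAfter = ConvertTo-Json -InputObject $after.requestApprovalSettings -Depth 10 -Compress
    if ($approvalAfter -ne $approvalBefore) {
        Write-Warning "requestApprovalSettings changed during the update; review $PolicyUri"
    }
    return $after
}
```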

References

Update-EMAccessPackagePolicy.ps1: https://github.com/JefTek/AzureADSamples/blob/main/PowerShell/IdentityGovernance/Update-EMAccessPackagePolicy.ps1

Update accessPackageAssignmentPolicy: https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

Overview of Microsoft Graph: https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-beta

Microsoft Graph PowerShell SDK: https://docs.microsoft.com/en-us/graph/powershell/installation?view=graph-rest-beta
