【Azure 环境】Update-MgEntitlementManagementAccessPackageAssignmentPolicy 命令执行时候遇见的 No HTTP Resource was found 问题分析

简介: 【Azure 环境】Update-MgEntitlementManagementAccessPackageAssignmentPolicy 命令执行时候遇见的 No HTTP Resource was found 问题分析

Microsoft Graph PowerShell SDK: acts as an API wrapper for the Microsoft Graph APIs, exposing the entire API set for use in PowerShell. It contains a set of cmdlets that helps you manage identities at scale from automating tasks to managing users in bulk using Azure Active Directory (Azure AD). It will help administer every Azure AD feature that has an API in Microsoft Graph.

The Microsoft Graph PowerShell SDK is the replacement for the Azure AD PowerShell module and is recommended for interacting with Azure AD.

Microsoft Graph PowerShell SDK:作为微软 Graph APIs 的SDK工具,通过PowerShell指令可以调用全部的Graph API。 它包含一组 cmdlets 指令集,可以非常好的使用自动任务来管理在AAD中的用户。 Microsoft Graph PowerShell SDK是以前Azure AD模块的替代产品,用于和Azure AD交互。

问题描述

由于 Microsoft Graph PowerShell 还处于 Beta版本,所以在使用中会遇见 Unknow Issue,比如在使用 Update-MgEntitlementManagementAccessPackageAssignmentPolicy 命令从 IdentityGovernance 中更新 accessPackageAssignmentPolicies时候,就遇见了如下错误:

Update-MgEntitlementManagementAccessPackageAssignmentPolicy_UpdateExpanded: C:\Users\setupGovernance-v2.ps1:15:33
Line |
15 |  …             Update-MgEntitlementManagementAccessPackageAssignmentPoli …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No HTTP resource was found that matches the request URI
     | 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('ee52b1d4-95f6-4532-9682-b94dc24783e3')?slice=PROD'.

所执行的Power Shell 脚本为:

$updatePolicy = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id
if ($updatePolicy.requestorSettings.acceptRequests) {
    $requestorSettings = $updatePolicy.requestorSettings
    $requestorSettings.acceptRequests = $false
    Update-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id `
        -RequestorSettings $requestorSettings
}

 

问题分析

在 Update-MgEntitlementManagementAccessPackageAssignmentPolicy 指令中使用 -debug 输出调试信息中,发现出错在执行 PATCH  https://microsoftgraph.chinacloudapi.cn/beta/xxx 时出现的404 Not Found错误。

DEBUG: PATCH https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
HTTP/1.1 404 Not Found
Date: Sat, 18 Sep 2021 07:38:34 GMT
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
client-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000034A"}}
Content-Type: application/json
Content-Encoding: gzip
 
{"error":{"code":"",
"message":"No HTTP resource was found that matches the request URI 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')?slice=PROD'.",
"innerError":{"date":"2021-09-18T07:38:35","request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","client-request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}}}
DEBUG: Finally: 
DEBUG: CmdletAfterAPICall:
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: CmdletEndProcessing:

 

所以问题就定位在 PATCH 请求这里,通过对比REST API, 使用GET, PUT都是成功的。所以这里就是 SDK 中 Microsoft.Graph.Identity.Governance 部分的一个Bug。 使用错误的HTTP Method。但是在版本没有发布前,如何来解决这个问题呢?

1) 使用 REST API 来代替 PowerShell Command 发送 https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx请求

 

2) 使用 Invoke-MgGraphRequest 并指定 Method 为 PUT 来完成 https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 请求

详细代码为:

## 连接到 MgGraph
if ($AzureEnvironment -eq "Global") {
    Connect-MgGraph -TenantId $config.tenantId `
        -Scopes "EntitlementManagement.ReadWrite.All"
}
else {
    Connect-MgGraph -Environment "China" `
        -TenantId $config.tenantId  `
        -ClientId $config.spClientId `
        -Scopes "EntitlementManagement.ReadWrite.All" `
        -UseDeviceAuthentication
}
Select-MgProfile -Name "beta"
           
if ($AzureEnvironment -eq "Global") {
    $baseGraphUri = 'https://graph.microsoft.com'
}
else {
    $baseGraphUri = 'https://microsoftgraph.chinacloudapi.cn'
}
$apiVersion = "beta"
 
## 调用 Invoke-MgGraphRequest -Method PUT -Uri policyUri−BodyupdatedPolicy 更新Policy
policyUri=(https://0/1/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/2−fbaseGraphUri, apiVersion,p.id)
currentPolicy=Invoke−MgGraphRequest−MethodGET−UripolicyUri -OutputType Json | ConvertFrom-Json -Depth 10
if ($currentPolicy.RequestorSettings.acceptRequests) {
    Write-Host "disable assignment policy" p.id"withactiveassignmentsfor"accessPackage.displayName
    newPolicy=currentPolicy
    newPolicy.RequestorSettings.acceptRequests=false
    updatedPolicy=newPolicy | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method PUT -Uri policyUri−BodyupdatedPolicy
}

注意:如果在执行命令时候遇见了 “ generalException Message: Unexpected exception returned from MSAL.” 错误,则是认证问题,可以在调用 Invoke-MgGraphRequest 前,Connect-MgGraph  一次。

 

 

参考资料

Update-EMAccessPackagePolicy.ps1:  https://github.com/JefTek/AzureADSamples/blob/main/PowerShell/IdentityGovernance/Update-EMAccessPackagePolicy.ps1

Update accessPackageAssignmentPolicy:https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

Overview of Microsoft Graph:https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-beta

Microsoft Graph PowerShell SDK: https://docs.microsoft.com/en-us/graph/powershell/installation?view=graph-rest-beta

相关文章
|
4月前
|
API C#
【Azure App Service】验证App Service接受HTTP 2.0请求
【Azure App Service】验证App Service接受HTTP 2.0请求
|
4月前
|
消息中间件 Kafka 网络安全
【Azure 应用服务】本地创建Azure Function Kafka Trigger 函数和Kafka output的HTTP Trigger函数实验
【Azure 应用服务】本地创建Azure Function Kafka Trigger 函数和Kafka output的HTTP Trigger函数实验
|
4月前
|
Python
【Azure 应用服务】Azure Function HTTP Trigger 遇见奇妙的500 Internal Server Error: Failed to forward request to http://169.254.130.x
【Azure 应用服务】Azure Function HTTP Trigger 遇见奇妙的500 Internal Server Error: Failed to forward request to http://169.254.130.x
|
4月前
|
Linux Python
【Azure 应用服务】Azure App Service For Linux 上实现 Python Flask Web Socket 项目 Http/Https
【Azure 应用服务】Azure App Service For Linux 上实现 Python Flask Web Socket 项目 Http/Https
|
4月前
【Azure 云服务】Azure Cloud Service 为 Web Role(IIS Host)增加自定义字段 (把HTTP Request Header中的User-Agent字段增加到IIS输出日志中)
【Azure 云服务】Azure Cloud Service 为 Web Role(IIS Host)增加自定义字段 (把HTTP Request Header中的User-Agent字段增加到IIS输出日志中)
|
4月前
|
JavaScript 前端开发 API
【Azure 应用服务】Azure Function HTTP 触发后, 230秒就超时。而其他方式触发的Function, 执行5分钟后也超时,如何调整超时时间?
【Azure 应用服务】Azure Function HTTP 触发后, 230秒就超时。而其他方式触发的Function, 执行5分钟后也超时,如何调整超时时间?
|
4月前
|
JavaScript 前端开发 Java
【Azure 环境】各种语言版本或命令,发送HTTP/HTTPS的请求合集
【Azure 环境】各种语言版本或命令,发送HTTP/HTTPS的请求合集
|
6月前
|
小程序
Failed to load local image resource Xx the server responded with a status of of 500 (HTTP/1.1 500)
Failed to load local image resource Xx the server responded with a status of of 500 (HTTP/1.1 500)
149 4
|
6月前
|
Kubernetes 容器 Perl
k8s部署seata 报错 没有提供足够的身份验证信息 [ http-nio-7091-exec-2] [ty.JwtAuthenticationEntryPoint] [ commence] [] : Responding with unauthorized error. Message - Full authentication is required to access this resource
Kubernetes pod 在16:12时出现两次错误,错误信息显示需要完整认证才能访问资源。尽管有此错误,但页面可正常访问。附有yaml配置文件的图片。
467 2
|
7月前
|
JavaScript 前端开发
基于 Node.js 环境,使用内置 http 模块,创建 Web 服务程序
基于 Node.js 环境,使用内置 http 模块,创建 Web 服务程序