Microsoft Graph PowerShell SDK: acts as an API wrapper for the Microsoft Graph APIs, exposing the entire API set for use in PowerShell. It contains a set of cmdlets that helps you manage identities at scale from automating tasks to managing users in bulk using Azure Active Directory (Azure AD). It will help administer every Azure AD feature that has an API in Microsoft Graph.
The Microsoft Graph PowerShell SDK is the replacement for the Azure AD PowerShell module and is recommended for interacting with Azure AD.
Microsoft Graph PowerShell SDK:作为微软 Graph APIs 的SDK工具,通过PowerShell指令可以调用全部的Graph API。 它包含一组 cmdlets 指令集,可以非常好的使用自动任务来管理在AAD中的用户。 Microsoft Graph PowerShell SDK是以前Azure AD模块的替代产品,用于和Azure AD交互。
问题描述
由于 Microsoft Graph PowerShell 还处于 Beta版本,所以在使用中会遇见 Unknow Issue,比如在使用 Update-MgEntitlementManagementAccessPackageAssignmentPolicy 命令从 IdentityGovernance 中更新 accessPackageAssignmentPolicies时候,就遇见了如下错误:
Update-MgEntitlementManagementAccessPackageAssignmentPolicy_UpdateExpanded: C:\Users\setupGovernance-v2.ps1:15:33 Line | 15 | … Update-MgEntitlementManagementAccessPackageAssignmentPoli … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | No HTTP resource was found that matches the request URI | 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('ee52b1d4-95f6-4532-9682-b94dc24783e3')?slice=PROD'.
所执行的Power Shell 脚本为:
$updatePolicy = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id if ($updatePolicy.requestorSettings.acceptRequests) { $requestorSettings = $updatePolicy.requestorSettings $requestorSettings.acceptRequests = $false Update-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id ` -RequestorSettings $requestorSettings }
问题分析
在 Update-MgEntitlementManagementAccessPackageAssignmentPolicy 指令中使用 -debug 输出调试信息中,发现出错在执行 PATCH https://microsoftgraph.chinacloudapi.cn/beta/xxx 时出现的404 Not Found错误。
DEBUG: PATCH https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HTTP/1.1 404 Not Found Date: Sat, 18 Sep 2021 07:38:34 GMT Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx client-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000034A"}} Content-Type: application/json Content-Encoding: gzip {"error":{"code":"", "message":"No HTTP resource was found that matches the request URI 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')?slice=PROD'.", "innerError":{"date":"2021-09-18T07:38:35","request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","client-request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}}} DEBUG: Finally: DEBUG: CmdletAfterAPICall: DEBUG: CmdletProcessRecordAsyncEnd: DEBUG: CmdletProcessRecordEnd: DEBUG: CmdletEndProcessing:
所以问题就定位在 PATCH 请求这里,通过对比REST API, 使用GET, PUT都是成功的。所以这里就是 SDK 中 Microsoft.Graph.Identity.Governance 部分的一个Bug。 使用错误的HTTP Method。但是在版本没有发布前,如何来解决这个问题呢?
1) 使用 REST API 来代替 PowerShell Command 发送 https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx请求
If send a put request https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx by the postman tool, It returned 200 Success.
If send a patch request https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx and it returned a 404 error code.
|
2) 使用 Invoke-MgGraphRequest 并指定 Method 为 PUT 来完成 https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 请求
详细代码为:
## 连接到 MgGraph if ($AzureEnvironment -eq "Global") { Connect-MgGraph -TenantId $config.tenantId ` -Scopes "EntitlementManagement.ReadWrite.All" } else { Connect-MgGraph -Environment "China" ` -TenantId $config.tenantId ` -ClientId $config.spClientId ` -Scopes "EntitlementManagement.ReadWrite.All" ` -UseDeviceAuthentication } Select-MgProfile -Name "beta" if ($AzureEnvironment -eq "Global") { $baseGraphUri = 'https://graph.microsoft.com' } else { $baseGraphUri = 'https://microsoftgraph.chinacloudapi.cn' } $apiVersion = "beta" ## 调用 Invoke-MgGraphRequest -Method PUT -Uri policyUri−BodyupdatedPolicy 更新Policy policyUri=(https://0/1/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/2−fbaseGraphUri, apiVersion,p.id) currentPolicy=Invoke−MgGraphRequest−MethodGET−UripolicyUri -OutputType Json | ConvertFrom-Json -Depth 10 if ($currentPolicy.RequestorSettings.acceptRequests) { Write-Host "disable assignment policy" p.id"withactiveassignmentsfor"accessPackage.displayName newPolicy=currentPolicy newPolicy.RequestorSettings.acceptRequests=false updatedPolicy=newPolicy | ConvertTo-Json -Depth 10 Invoke-MgGraphRequest -Method PUT -Uri policyUri−BodyupdatedPolicy }
注意:如果在执行命令时候遇见了 “ generalException Message: Unexpected exception returned from MSAL.” 错误,则是认证问题,可以在调用 Invoke-MgGraphRequest 前,Connect-MgGraph 一次。
参考资料
Update-EMAccessPackagePolicy.ps1: https://github.com/JefTek/AzureADSamples/blob/main/PowerShell/IdentityGovernance/Update-EMAccessPackagePolicy.ps1
Update accessPackageAssignmentPolicy:https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java
Overview of Microsoft Graph:https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-beta
Microsoft Graph PowerShell SDK: https://docs.microsoft.com/en-us/graph/powershell/installation?view=graph-rest-beta