[Azure Environment] AAD registered application gets 403 "Attempted to perform an unauthorized operation" when calling the AAD Group permissions API


Problem description

After obtaining a token through an Azure AD registered application, accessing an AAD Group and viewing its log information returned: {"error":{"code":"UnauthorizedAccessException","message":"Attempted to perform an unauthorized operation."}}

Python code -- obtaining a token with the AAD registered application

import requests

def get_bearer_token():
    tenant_id = "your azure tenant id"
    client_id = "your AAD registrations application id "
    client_secret = "***********************************"
    # The resource (URI) that the bearer token will grant access to
    scope = 'https://api.azrbac.azurepim.identitygovernance.azure.cn/.default'
    # Azure AD (China cloud) authentication endpoint
    AUTHORITY = f'https://login.chinacloudapi.cn/{tenant_id}/oauth2/v2.0/token'
    # Request an access token from Azure AD using the client credentials grant
    response = requests.post(
        AUTHORITY,
        data={
            'grant_type': 'client_credentials',
            'client_id': client_id,
            'client_secret': client_secret,
            'scope': scope
        }
    )
    if response.status_code != 200:
        # Fail loudly instead of returning an unbound access_token
        raise RuntimeError("Error occurred while retrieving token: " + response.text)
    return response.json().get('access_token')

However, calling the https://api.azrbac.azurepim.identitygovernance.azure.cn/api/v2/privilegedAccess/aadGroups/activities endpoint returned an error indicating insufficient permissions:

 {"error":{"code":"UnauthorizedAccessException","message":"Attempted to perform an unauthorized operation."}}

 

Solution

The error message indicates that the current access token has no permission to view the Activities log of the AAD Groups. Open the specific AAD Group and check whether the current AAD registered application has permission to perform any operation on it. If it does not, adding the permission resolves the problem (note: granting either Member or Owner permission works).

 

How to check directly in the portal:

Portal entry: https://portal.azure.cn/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/aadgroup

Listing the permitted operations via the API:

url = "https://api.azrbac.azurepim.identitygovernance.azure.cn/api/v2/privilegedAccess/aadGroups/resources/"+str(aad_groups_list[index]['id'])+"/permissions"

After adding the application to an active assignment, it obtains the permissions:

{'accessLevel': 'AdminRead', 'isActive': True, 'isEligible': False}, {'accessLevel': 'ActivityRead', 'isActive': True, 'isEligible': False}
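As an added example (not code from the original post), the following pre-flight check calls the permissions endpoint quoted above for a group, requires an active ActivityRead entry before any activity download is attempted, and maps the 403 body from the post to an actionable reason. The `fetch` callable and the `{"value": [...]}` wrapper around the permission entries are assumptions; the sample payloads are constructed.

```python
import json

# Base of the Azure China PIM API used throughout the post.
PIM_BASE = "https://api.azrbac.azurepim.identitygovernance.azure.cn/api/v2/privilegedAccess/aadGroups"

# Constructed samples. The permission entries follow the shape quoted in the post;
# wrapping them in {"value": [...]} is an assumption borrowed from the resources API.
PERMS_ACTIVE = json.dumps({"value": [
    {"accessLevel": "AdminRead", "isActive": True, "isEligible": False},
    {"accessLevel": "ActivityRead", "isActive": True, "isEligible": False}]})
PERMS_ELIGIBLE_ONLY = json.dumps({"value": [
    {"accessLevel": "ActivityRead", "isActive": False, "isEligible": True}]})
# The 403 body quoted in the post.
BODY_403 = ('{"error":{"code":"UnauthorizedAccessException",'
            '"message":"Attempted to perform an unauthorized operation."}}')

def permissions_url(group_id):
    return f"{PIM_BASE}/resources/{group_id}/permissions"

def has_active_access(entries, level):
    # Only an ACTIVE entry counts; an eligible-but-not-activated one still yields 403.
    return any(e.get("accessLevel") == level and e.get("isActive") is True for e in entries)

def diagnose(status, body):
    # Translate a non-200 PIM response into an actionable reason.
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return f"http {status}: unparseable error body"
    if status == 403 and err.get("code") == "UnauthorizedAccessException":
        return ("403 UnauthorizedAccessException: the token is valid but the app has no "
                "active Member/Owner assignment on this group; grant it in the PIM portal")
    return f"http {status}: {err.get('code')}: {err.get('message')}"

def preflight_activity_read(fetch, group_id):
    """fetch(url) -> (status_code, body_text), e.g. a thin wrapper around requests.get.
    Returns (ok, reason) before any attempt to download the group's activity log."""
    status, body = fetch(permissions_url(group_id))
    if status != 200:
        return False, diagnose(status, body)
    payload = json.loads(body)
    entries = payload.get("value", []) if isinstance(payload, dict) else payload
    if has_active_access(entries, "ActivityRead"):
        return True, "active ActivityRead assignment present"
    return False, "no active ActivityRead assignment (eligible-only or none); 403 expected"
```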

 

Appendix: using the AAD token to list the AAD Groups and download each AAD Group's Activity Logs

import json
import os
import requests

PIM_API = "https://api.azrbac.azurepim.identitygovernance.azure.cn"
# Assumption: the log files are written to the current directory (the original
# path prefix was lost in the source).
OUTPUT_DIR = "."

def get_bearer_token():
    tenant_id = "your azure tenant id"
    client_id = "your AAD registrations application id "
    client_secret = "***********************************"
    # The resource (URI) that the bearer token will grant access to
    scope = PIM_API + '/.default'
    # Azure AD (China cloud) authentication endpoint
    AUTHORITY = f'https://login.chinacloudapi.cn/{tenant_id}/oauth2/v2.0/token'
    # Request an access token from Azure AD using the client credentials grant
    response = requests.post(
        AUTHORITY,
        data={
            'grant_type': 'client_credentials',
            'client_id': client_id,
            'client_secret': client_secret,
            'scope': scope
        }
    )
    if response.status_code != 200:
        raise RuntimeError("Error occurred while retrieving token: " + response.text)
    return response.json().get('access_token')

def list_aad_groups(bearer_token):
    # Query string as in the original (select/expand without the OData "$" prefix)
    url = (PIM_API + "/api/v2/privilegedAccess/aadGroups/resources"
           "?select=id,displayName,type,externalId&expand=parent")
    headers = {'Authorization': bearer_token}
    response = requests.get(url=url, headers=headers)
    response.raise_for_status()
    data = response.json()
    # Keep only the id and display name of each group
    return [{"id": g["id"], "name": g["displayName"]} for g in data["value"]]

def download_pim_audit_log(date, group_id, group_name, bearer_token):
    start_time = str(date) + "T00:00:00.000Z"
    end_time = str(date) + "T23:59:59.999Z"
    # The filter expression of the original query string was garbled in the source
    # and is not reproduced here: it restricted createdDateTime to the window
    # [start_time, end_time] and the resource to group_id. Replace the placeholder
    # below with that expression before running.
    FILTER_PLACEHOLDER = (f"<filter: createdDateTime between {start_time} and "
                          f"{end_time}, resource {group_id}>")
    url = PIM_API + "/api/v2/privilegedAccess/aadGroups/activities"
    params = {
        "filter": FILTER_PLACEHOLDER,
        "orderby": "createdDateTime desc",
        "expand": "parent",
    }
    headers = {'Authorization': bearer_token}
    response = requests.get(url=url, headers=headers, params=params)
    if response.status_code != 200:
        # e.g. 403 UnauthorizedAccessException when the app has no active assignment
        raise RuntimeError("Failed to Download log : " + response.text)
    data = response.json()["value"]
    dst_path = os.path.join(OUTPUT_DIR, str(date) + " " + str(group_name) + ".json")
    # One JSON record per line (the original wrote Python dict reprs with None quoted)
    with open(dst_path, "a+", encoding="utf-8") as file_debug:
        for record in data:
            file_debug.write(json.dumps(record, ensure_ascii=False))
            file_debug.write("\n")
    return True

if __name__ == '__main__':
    token = "Bearer " + get_bearer_token()
    # The original printed the token here; avoid logging bearer tokens
    date = "2023-07-26"
    for group in list_aad_groups(token):
        download_pim_audit_log(date, group['id'], group['name'], token)