How does Azure PowerShell work with username/password-based authentication?

Problem description:

I want to understand how Azure PowerShell makes Azure API calls using AAD username/password based credentials.

My understanding is that an app needs a client-id before it can make Azure API calls. This client ID must be registered with a user’s account.

Does Azure PowerShell have a client-id? If so, how does it work without explicitly registering it with Azure accounts? Is it a special id that has been whitelisted across accounts?

You don't need to create an application registration in Azure Active Directory for Azure Powershell. To leverage username/password credentials of an Azure AD user, you can use the Add-AzureAccount cmdlet:

$username = "admin@your_account.onmicrosoft.com"
$password = "SuperSecretPassword" | ConvertTo-SecureString -AsPlainText -Force

$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
Add-AzureAccount -Credential $credential

Just make sure you have the latest version of the Azure PowerShell module installed, and the account you're using is an organizational account (as opposed to a Microsoft account) or a native Azure AD user.

To answer the last part of your question, there is a well-known client ID for Azure PowerShell ("1950a258-227b-4e31-a9cf-717495945fc2"). It's hard coded in the Azure Powershell module and can be used to authenticate PowerShell scripts to Azure AD when they invoke the Azure Management APIs directly:

# Load Active Directory Authentication Library (ADAL) Assemblies
$adal = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll"
[System.Reflection.Assembly]::LoadFrom($adal)
[System.Reflection.Assembly]::LoadFrom($adalforms)

# Set Azure AD Tenant name
$adTenant = "yourtenant.onmicrosoft.com" 

# Set well-known client ID for Azure PowerShell
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2" 

# Set redirect URI for Azure PowerShell
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

# Set Resource URI to Azure Service Management API
$resourceAppIdURI = "https://management.core.windows.net/"

# Set Authority to Azure AD Tenant
$authority = "https://login.windows.net/$adTenant"

# Set user credentials (*** obviously you wouldn't have the password in clear text in a production script ***)
$userName = "admin@your_tenant.onmicrosoft.com"
$password = "SecretPassword"
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $userName,$password

# Create AuthenticationContext tied to Azure AD Tenant
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

# Acquire token
$authResult = $authContext.AcquireToken($resourceAppIdURI,$clientId,$creds)
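The following is an added example, not code from the original answer or from the Azure PowerShell module. It shows the two points the answer makes, with the parts a practitioner would want around them: the credential is taken from a DPAPI-protected file or an interactive prompt instead of a clear-text string, and the access token that comes back is decoded so you can see that its `appid` claim is the well-known Azure PowerShell client ID rather than an application you registered. The ADAL assembly path, client ID, tenant and resource URI are the ones from the answer above; the credential file path, the function names and the unsigned sample token used for the offline part are constructed for this example.

```powershell
# Added example (not part of the original answer). Assumes the ADAL assembly path,
# client ID, tenant and resource URI shown in the answer; the credential file path
# and the sample JWT below are constructed for illustration only.

function Get-StoredCredential {
    # Constructed path: a PSCredential exported with Export-Clixml is protected with
    # DPAPI for the exporting user on the exporting machine, so no clear-text password
    # has to sit in the script.
    param([string]$Path = "$env:USERPROFILE\azure-cred.xml")
    if (Test-Path $Path) { return Import-Clixml -Path $Path }
    $cred = Get-Credential -Message "Azure AD user (user@tenant.onmicrosoft.com)"
    $cred | Export-Clixml -Path $Path
    return $cred
}

function Get-AzureAdManagementToken {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Tenant,
        [string]$ClientId = "1950a258-227b-4e31-a9cf-717495945fc2",  # well-known Azure PowerShell client ID from the answer
        [string]$Resource = "https://management.core.windows.net/"
    )
    if (-not $Tenant) { $Tenant = $Credential.UserName.Split('@')[1] }
    $adal = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    # ADAL's UserCredential wants a plain string, so the secure string is unwrapped
    # only here, immediately before use.
    $plain    = $Credential.GetNetworkCredential().Password
    $userCred = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential -ArgumentList $Credential.UserName, $plain
    $ctx      = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext -ArgumentList "https://login.windows.net/$Tenant"
    $result   = $ctx.AcquireToken($Resource, $ClientId, $userCred)
    return $result.AccessToken
}

function ConvertFrom-JwtPayload {
    # Decodes the middle (claims) segment of a JWT. This does NOT verify the signature;
    # it is for inspecting which app and user a token was issued for.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # Base64url -> Base64: swap the URL-safe alphabet back and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-TokenIssuedForClient {
    # The appid claim is what Azure AD sign-in logs attribute the sign-in to. For a token
    # obtained as in the answer it is the Azure PowerShell client ID, not a tenant registration.
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$ExpectedAppId = "1950a258-227b-4e31-a9cf-717495945fc2"
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    return ($claims.appid -eq $ExpectedAppId)
}

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# --- Offline demonstration on a constructed, unsigned sample token (alg "none") ---
$samplePayload = '{"aud":"https://management.core.windows.net/","appid":"1950a258-227b-4e31-a9cf-717495945fc2","upn":"admin@contoso.onmicrosoft.com"}'
$sampleToken   = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}') + '.' + (ConvertTo-Base64Url $samplePayload) + '.'
(ConvertFrom-JwtPayload -Token $sampleToken) | Select-Object aud, appid, upn
Test-TokenIssuedForClient -Token $sampleToken

# --- Live use (needs the Azure PowerShell module's ADAL assembly and network access) ---
# $cred  = Get-StoredCredential
# $token = Get-AzureAdManagementToken -Credential $cred
# Test-TokenIssuedForClient -Token $token
```

The offline part only exercises the decoder on a token built in the script; the signature is empty and nothing checks it, so treat `ConvertFrom-JwtPayload` as an inspection aid, not as token validation. When reviewing sign-in activity, the same `appid` value is what identifies sessions opened through Azure PowerShell, which is why the well-known client ID is worth recognising on the defensive side as well.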