[Azure Environment] Analysis of the "No HTTP resource was found" error when running the Update-MgEntitlementManagementAccessPackageAssignmentPolicy command

Microsoft Graph PowerShell SDK: acts as an API wrapper for the Microsoft Graph APIs, exposing the entire API set for use in PowerShell. It contains a set of cmdlets that helps you manage identities at scale from automating tasks to managing users in bulk using Azure Active Directory (Azure AD). It will help administer every Azure AD feature that has an API in Microsoft Graph.

The Microsoft Graph PowerShell SDK is the replacement for the Azure AD PowerShell module and is recommended for interacting with Azure AD.

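In other words, the Microsoft Graph PowerShell SDK is the SDK tooling for the Microsoft Graph APIs: every Graph API can be called through PowerShell commands. It includes a set of cmdlets that work well for automating the management of users in AAD. The Microsoft Graph PowerShell SDK replaces the earlier Azure AD module and is used to interact with Azure AD.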

Problem description

Because Microsoft Graph PowerShell is still in Beta, unknown issues can come up while using it. For example, when using the Update-MgEntitlementManagementAccessPackageAssignmentPolicy command to update accessPackageAssignmentPolicies in IdentityGovernance, the following error occurred:

Update-MgEntitlementManagementAccessPackageAssignmentPolicy_UpdateExpanded: C:\Users\setupGovernance-v2.ps1:15:33
Line |
15 |  …             Update-MgEntitlementManagementAccessPackageAssignmentPoli …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No HTTP resource was found that matches the request URI
     | 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('ee52b1d4-95f6-4532-9682-b94dc24783e3')?slice=PROD'.      

The PowerShell script that was run:

$updatePolicy = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id

if ($updatePolicy.requestorSettings.acceptRequests) {
    $requestorSettings = $updatePolicy.requestorSettings
    $requestorSettings.acceptRequests = $false
    Update-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id `
        -RequestorSettings $requestorSettings
}      

Problem analysis

Running the Update-MgEntitlementManagementAccessPackageAssignmentPolicy command with -Debug shows, in the debug output, that the failure is a 404 Not Found error returned when executing PATCH https://microsoftgraph.chinacloudapi.cn/beta/xxx.

DEBUG: PATCH https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
HTTP/1.1 404 Not Found
Date: Sat, 18 Sep 2021 07:38:34 GMT
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
client-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000034A"}}
Content-Type: application/json
Content-Encoding: gzip
 
{"error":{"code":"",

"message":"No HTTP resource was found that matches the request URI 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')?slice=PROD'.",

"innerError":{"date":"2021-09-18T07:38:35","request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","client-request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}}}

DEBUG: Finally: 
DEBUG: CmdletAfterAPICall:
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: CmdletEndProcessing:      

So the problem is located at the PATCH request. Comparing against the REST API, GET and PUT both succeed. This is therefore a bug in the Microsoft.Graph.Identity.Governance part of the SDK: it uses the wrong HTTP method. But until a fixed version is released, how can the problem be worked around?

1) Use the REST API instead of the PowerShell command to send the https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx request

Sending a PUT request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx with the Postman tool returned 200 Success.

Sending a PATCH request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx returned a 404 error code.

Source : https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

2) Use Invoke-MgGraphRequest with Method set to PUT to send the https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx request

The detailed code is:

## Connect to MgGraph
if ($AzureEnvironment -eq "Global") {
    Connect-MgGraph -TenantId $config.tenantId `
        -Scopes "EntitlementManagement.ReadWrite.All"
}
else {
    Connect-MgGraph -Environment "China" `
        -TenantId $config.tenantId `
        -ClientId $config.spClientId `
        -Scopes "EntitlementManagement.ReadWrite.All" `
        -UseDeviceAuthentication
}

Select-MgProfile -Name "beta"

## Pick the Graph endpoint that matches the cloud environment
if ($AzureEnvironment -eq "Global") {
    $baseGraphUri = 'https://graph.microsoft.com'
}
else {
    $baseGraphUri = 'https://microsoftgraph.chinacloudapi.cn'
}

$apiVersion = "beta"

## Call Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy to update the policy
## ($baseGraphUri already contains the https:// scheme, so the format string must not repeat it)
$policyUri = ("{0}/{1}/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{2}" -f $baseGraphUri, $apiVersion, $p.id)

$currentPolicy = Invoke-MgGraphRequest -Method GET -Uri $policyUri -OutputType Json | ConvertFrom-Json -Depth 10

if ($currentPolicy.RequestorSettings.acceptRequests) {
    Write-Host "disable assignment policy" $p.id "with active assignments for" $accessPackage.displayName

    # Send back the full policy as read, with only acceptRequests changed
    $newPolicy = $currentPolicy
    $newPolicy.RequestorSettings.acceptRequests = $false
    $updatedPolicy = $newPolicy | ConvertTo-Json -Depth 10

    Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy
}

Note: if the "generalException Message: Unexpected exception returned from MSAL." error appears when running the command, it is an authentication problem; run Connect-MgGraph once before calling Invoke-MgGraphRequest.
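A read-back check for the PUT workaround above, as an added example that is not part of the original post or the referenced script: because the PUT carries the whole policy object, it re-reads the policy afterwards and reports whether acceptRequests is now false and which other top-level properties differ from the pre-change copy. The function name Disable-AssignmentPolicyRequests and its output shape are assumptions; it expects an existing Connect-MgGraph session and PowerShell 7.

```powershell
# Added example: hypothetical helper, not part of the original script.
function Disable-AssignmentPolicyRequests {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Full policy URI, built the same way as $policyUri in the script above.
        [Parameter(Mandatory)] [string] $PolicyUri
    )

    # PUT carries the whole policy, so start from the complete current object.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri -OutputType Json |
        ConvertFrom-Json -Depth 10
    if (-not $policy.requestorSettings.acceptRequests) {
        return [pscustomobject]@{ Changed = $false; AcceptRequests = $false; Differences = @() }
    }

    # Snapshot every top-level property as JSON before touching anything.
    $snapshot = @{}
    foreach ($prop in $policy.PSObject.Properties) {
        $snapshot[$prop.Name] = ConvertTo-Json -InputObject $prop.Value -Depth 10 -Compress
    }

    $policy.requestorSettings.acceptRequests = $false
    $body = ConvertTo-Json -InputObject $policy -Depth 10
    if (-not $PSCmdlet.ShouldProcess($PolicyUri, 'PUT policy with acceptRequests = false')) {
        return   # -WhatIf: nothing is sent
    }
    Invoke-MgGraphRequest -Method PUT -Uri $PolicyUri -Body $body | Out-Null

    # Read the policy back instead of trusting the status code alone.
    $after = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri -OutputType Json |
        ConvertFrom-Json -Depth 10

    # List top-level properties whose value differs from the snapshot.
    # requestorSettings is the intended change; server-maintained fields such as
    # modification timestamps may also appear and are for the operator to review.
    $differences = foreach ($prop in $after.PSObject.Properties) {
        $now = ConvertTo-Json -InputObject $prop.Value -Depth 10 -Compress
        if ($prop.Name -ne 'requestorSettings' -and $snapshot[$prop.Name] -ne $now) {
            $prop.Name
        }
    }

    [pscustomobject]@{
        Changed        = $true
        AcceptRequests = [bool]$after.requestorSettings.acceptRequests
        Differences    = @($differences)
    }
}
```

Running it with -WhatIf first performs only the initial GET and sends no PUT.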


References

Update-EMAccessPackagePolicy.ps1: https://github.com/JefTek/AzureADSamples/blob/main/PowerShell/IdentityGovernance/Update-EMAccessPackagePolicy.ps1

Update accessPackageAssignmentPolicy: https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

Overview of Microsoft Graph: https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-beta

Microsoft Graph PowerShell SDK: https://docs.microsoft.com/en-us/graph/powershell/installation?view=graph-rest-beta
