• [Azure Environment] Analysis of the "No HTTP resource was found" error when running Update-MgEntitlementManagementAccessPackageAssignmentPolicy


    Microsoft Graph PowerShell SDK: acts as an API wrapper for the Microsoft Graph APIs, exposing the entire API set for use in PowerShell. It contains a set of cmdlets that helps you manage identities at scale from automating tasks to managing users in bulk using Azure Active Directory (Azure AD). It will help administer every Azure AD feature that has an API in Microsoft Graph.

    The Microsoft Graph PowerShell SDK is the replacement for the Azure AD PowerShell module and is recommended for interacting with Azure AD.

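    Problem description

    Because Microsoft Graph PowerShell is still in beta, you can run into unknown issues when using it. For example, when using the Update-MgEntitlementManagementAccessPackageAssignmentPolicy command to update accessPackageAssignmentPolicies in IdentityGovernance, the following error occurred: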

    Update-MgEntitlementManagementAccessPackageAssignmentPolicy_UpdateExpanded: C:UserssetupGovernance-v2.ps1:15:33
    Line |
    15 |  …             Update-MgEntitlementManagementAccessPackageAssignmentPoli …
         |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | No HTTP resource was found that matches the request URI
         | 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('ee52b1d4-95f6-4532-9682-b94dc24783e3')?slice=PROD'.

    The PowerShell script that was executed:

    $updatePolicy = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id
    
    if ($updatePolicy.requestorSettings.acceptRequests) {
        $requestorSettings = $updatePolicy.requestorSettings
        $requestorSettings.acceptRequests = $false
        Update-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id `
            -RequestorSettings $requestorSettings
    }

    Problem analysis

    Running Update-MgEntitlementManagementAccessPackageAssignmentPolicy with -Debug shows, in the debug output, that the failure occurs when the cmdlet sends PATCH https://microsoftgraph.chinacloudapi.cn/beta/xxx, which returns a 404 Not Found error.

    DEBUG: PATCH https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    HTTP/1.1 404 Not Found
    Date: Sat, 18 Sep 2021 07:38:34 GMT
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    client-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000034A"}}
    Content-Type: application/json
    Content-Encoding: gzip
     
    {"error":{"code":"",

    "message":"No HTTP resource was found that matches the request URI 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')?slice=PROD'.",

    "innerError":{"date":"2021-09-18T07:38:35","request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","client-request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}}}
    DEBUG:
    Finally: DEBUG: CmdletAfterAPICall: DEBUG: CmdletProcessRecordAsyncEnd: DEBUG: CmdletProcessRecordEnd: DEBUG: CmdletEndProcessing:

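    So the problem is pinned down to the PATCH request. Comparing against the REST API, GET and PUT both succeed. This is therefore a bug in the Microsoft.Graph.Identity.Governance part of the SDK: it uses the wrong HTTP method. But until a fixed version is released, how can the problem be worked around?

    1) Use the REST API instead of the PowerShell command to send the request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx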

    Sending a PUT request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx with the Postman tool returned 200 Success.

    Sending a PATCH request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx returned a 404 error code.

    Source : https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

      

    2) Use Invoke-MgGraphRequest with Method set to PUT to send the request to https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    The detailed code:

    ## Connect to MgGraph
    if ($AzureEnvironment -eq "Global") {
        Connect-MgGraph -TenantId $config.tenantId `
            -Scopes "EntitlementManagement.ReadWrite.All"
    }
    else {
        Connect-MgGraph -Environment "China" `
            -TenantId $config.tenantId  `
            -ClientId $config.spClientId `
            -Scopes "EntitlementManagement.ReadWrite.All" `
            -UseDeviceAuthentication
    }
    Select-MgProfile -Name "beta"
               
    if ($AzureEnvironment -eq "Global") {
        $baseGraphUri = 'https://graph.microsoft.com'
    }
    else {
        $baseGraphUri = 'https://microsoftgraph.chinacloudapi.cn'
    }
    $apiVersion = "beta"
     
    ## Call Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy to update the policy

    ## $baseGraphUri already includes the https:// scheme, so the format string must not add it again
    $policyUri = ("{0}/{1}/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{2}" -f $baseGraphUri, $apiVersion, $p.id)
    $currentPolicy = Invoke-MgGraphRequest -Method GET -Uri $policyUri -OutputType Json | ConvertFrom-Json -Depth 10

    if ($currentPolicy.RequestorSettings.acceptRequests) {
        Write-Host "disable assignment policy" $p.id "with active assignments for" $accessPackage.displayName
        $newPolicy = $currentPolicy
        $newPolicy.RequestorSettings.acceptRequests = $false
        $updatedPolicy = $newPolicy | ConvertTo-Json -Depth 10
        Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy
    }

    Note: if you encounter the error "generalException Message: Unexpected exception returned from MSAL." when running the command, it is an authentication problem; run Connect-MgGraph once before calling Invoke-MgGraphRequest.
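
    The PUT workaround sends the whole policy back, so it is worth reading the policy again afterwards to confirm that acceptRequests really changed and to see which other top-level properties differ from what was sent. The following is an added example, not code from the original post: Set-PolicyAcceptRequests, its -Send parameter and the in-memory stand-in at the end are hypothetical, and it assumes PowerShell 7 (for ConvertFrom-Json -Depth, as in the script above).

```powershell
# Added example: Set-PolicyAcceptRequests and its -Send parameter are hypothetical names.
function Set-PolicyAcceptRequests {
    param(
        [Parameter(Mandatory)] [string] $PolicyUri,
        [Parameter(Mandatory)] [bool] $Enabled,
        # Transport is injectable so the logic can be exercised without a tenant;
        # the default goes through Invoke-MgGraphRequest as in the workaround above.
        [scriptblock] $Send = {
            param($Method, $Uri, $Body)
            if ($Body) { Invoke-MgGraphRequest -Method $Method -Uri $Uri -Body $Body -OutputType Json }
            else { Invoke-MgGraphRequest -Method $Method -Uri $Uri -OutputType Json }
        }
    )
    $policy = & $Send 'GET' $PolicyUri $null | ConvertFrom-Json -Depth 10
    if ($policy.requestorSettings.acceptRequests -eq $Enabled) {
        return [pscustomobject]@{ Status = 'AlreadySet'; AcceptRequests = $Enabled; Drift = @() }
    }

    # PUT sends the whole policy, so change one flag and send back everything that was read.
    $policy.requestorSettings.acceptRequests = $Enabled
    $null = & $Send 'PUT' $PolicyUri ($policy | ConvertTo-Json -Depth 10)

    # Read the policy again instead of trusting the status code of the PUT.
    $after = & $Send 'GET' $PolicyUri $null | ConvertFrom-Json -Depth 10
    if ($after.requestorSettings.acceptRequests -ne $Enabled) {
        throw "acceptRequests was not updated on $PolicyUri"
    }
    # List top-level properties that differ from what was sent, for the operator to review.
    $drift = foreach ($name in $policy.PSObject.Properties.Name) {
        $sent = ConvertTo-Json -InputObject ($policy.$name) -Depth 10 -Compress
        $read = ConvertTo-Json -InputObject ($after.$name) -Depth 10 -Compress
        if ($sent -ne $read) { $name }
    }
    [pscustomobject]@{ Status = 'Updated'; AcceptRequests = $Enabled; Drift = @($drift) }
}

# Constructed in-memory stand-in for the Graph endpoint (not real tenant data).
$store = @{ json = '{"id":"policy-1","displayName":"Constructed policy","durationInDays":30,"requestorSettings":{"acceptRequests":true}}' }
$fake = {
    param($Method, $Uri, $Body)
    if ($Method -eq 'PUT') { $store.json = $Body }
    $store.json
}
Set-PolicyAcceptRequests -PolicyUri 'https://graph.example/policy-1' -Enabled $false -Send $fake
```

    Against a real tenant, omit -Send and pass the $policyUri built in the script above; a non-empty Drift list names the properties to review by hand.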

    References

    Update accessPackageAssignmentPolicy: https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

    Overview of Microsoft Graph: https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-beta

    Microsoft Graph PowerShell SDK: https://docs.microsoft.com/en-us/graph/powershell/installation?view=graph-rest-beta

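    When facing problems in a complex environment, the way to investigate things is: let the muddy settle in stillness until it slowly clears, and let the still stir into motion until it slowly comes alive. In the cloud, it is exactly so!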

  • Original article: https://www.cnblogs.com/lulight/p/15347533.html