我正在尝试利用 AAD 身份来访问 Azure SQL 服务器而不是 SQL 服务器用户。 我正在关注这篇文章https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure 。 我需要根据 Microsoft 文档做的是在数据库中创建包含的用户。因此,我从 Azure Function 应用程序执行此操作。
CREATE USER [existing group in AAD] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [existing group in AAD]
函数应用能够登录 SQL Server,因为其服务主体设置为 SQL Server 的 Azure Active Directory 管理员。
我遇到了异常:
Principal 'existing group in AAD' could not be resolved. Error message: 'AADSTS700016: Application with
identifier '168d4e19-6718-4e50-8f96-c280e821ad6c' was not found in the directory 'my directory'. This can
happen if the application has not been installed by the administrator of the tenant or consented to by any
user in the tenant. You may have sent your authentication request to the wrong tenant.
因此,我将系统分配托管标识分配给 SQL Server。然后我得到:
Server identity does not have Azure Active Directory Readers permission. Please follow the steps here : https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal
我根据需要向该身份分配了“目录读取者”权限,并且它开始工作。
我的问题是我需要使用用户分配托管标识,所以我做了同样的事情,但得到了第一个异常,就像没有分配给 SQL Server 的标识一样。
有什么想法为什么系统分配的身份有效但用户分配的身份无效?
最佳答案
此错误可能是由以下因素之一引起的:
确保您使用应用程序 ID 作为客户端 ID。
此问题表明您在配置时犯了错误 代码中的客户端 ID 或租户 ID;首先,仔细检查两者 根据您的服务原则(租户 ID 和 客户端 ID)。
The issue indicates that there is a discrepancy between the tenant where your app is registered and the tenant where you have indicated that your app is registered in either the application code or the portal. You must set the tenant ID in your application's code. This is usually found in the web.config or app settings files. Then, using the same tenant ID that you specified in your code, you must register the application on the portal. Also, make sure your application ID and client ID are the same on both sides, and that all of the variables in your app settings/web.config are the same as what you have in the portal.
关于具有托管标识(用户分配)的 Azure SQL 无法针对 AAD 使用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/69368554/