我无法弄清楚这一点。我需要一种使用 Microsoft Graph 和 PowerShell 将 Endpoint Manager 的范围标记分配给 Azure AD 组的方法。
在门户下,这是在 Endpoint Manager\Tenant Administration\Roles\Scope(标签)下完成的。。然后单击“标记”并转到“分配”并浏览到 Azure AD 组。
由于它位于“角色”下,我假设它属于 roleAssignment 或 roleScopeTag 资源类型?
我已彻底阅读了 REST api 的所有文档,并且还尝试通过 Microsoft.Graph.Intune 模块执行此操作,但仍然找不到合适的 cmdlet 来执行此操作。我错过了什么吗?
这是我按照 this document 构建的当前代码
首先假设我有正确的代码 ID 和 azure 广告组对象 ID。
$ScopeTagId = 2
$TargetGroupIds = @()
$TargetGroupIds += '687c08f1-e78f-4506-b4a6-dfe35a05d138'
$graphApiVersion = "beta"
$Resource = "deviceManagement/roleScopeTags"
$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($TargetGroupIds)
$JSON = $object | ConvertTo-Json
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)/$ScopeTagId/assign"
Invoke-RestMethod -Method Post -Uri $uri -Headers $global:authToken -Body $JSON
没有成功。然后我认为,由于 create roleScopeTag API 在请求正文中没有赋值属性,因此必须使用 update method 来完成此操作。 ,但那里也没有它。我读到的唯一一个是使用 assign action在文档示例中,它显示 roleScopeTagAutoAssignment URI,所以我进入了那个兔子洞:
$ScopeTagId = 2
$TargetGroupIds = @()
$TargetGroupIds += '687c08f1-e78f-4506-b4a6-dfe35a05d138'
$graphApiVersion = "beta"
$Resource = "deviceManagement/roleScopeTags"
$AutoTagObject = @()
foreach ($TargetGroupId in $TargetGroupIds) {
#Build custom object for assignment
$AssignmentProperties = "" | Select '@odata.type',id,target
$AssignmentProperties.'@odata.type' = '#microsoft.graph.roleScopeTagAutoAssignment'
$AssignmentProperties.id = $TargetGroupId
#Build custom object for target
$targetProperties = "" | Select "@odata.type",deviceAndAppManagementAssignmentFilterId,deviceAndAppManagementAssignmentFilterType
$targetProperties."@odata.type" = "microsoft.graph.deviceAndAppManagementAssignmentTarget"
$targetProperties.deviceAndAppManagementAssignmentFilterId = $TargetGroupId
$targetProperties.deviceAndAppManagementAssignmentFilterType = 'include'
#add target object to assignment
$AssignmentProperties.target = $targetProperties
$AutoTagObject += $AssignmentProperties
}
#build body object
$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($AutoTagObject)
$JSON = $object | ConvertTo-Json
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)/$ScopeTagId/assign"
Invoke-RestMethod -Method Post -Uri $uri -Headers $global:authToken -Body $JSON
我得到的错误类似于:“有效负载中的属性目标具有与架构不匹配的值。”,“innerError”:{“date”:“2022-01-27T16:28:34 ","request-id":"75626c4d-f09b-438e-8b0f-0b2928ac23ce","client-request-id":"75626c4d-f09b-438e-8b0f-0b2928ac23ce" 我假设是odata。输入我正在调用的对象“microsoft.graph.deviceAndAppManagementAssignmentTarget”
文档中有一个通过 roledefinition URI 的 第二个 post 方法,这似乎是一个不必要的步骤,但我也尝试过,但没有成功。
我不知道这些是否正确。我非常了解其他人的 API 调用,并且我已经能够使用图表成功为自定义角色及其分配添加标签;我似乎无法找到范围标签本身的 URI 和 JSON 正文的正确组合...如果它存在的话。 :(
任何想法,如果可以的话,请分享一些代码片段。谢谢!
最佳答案
我找到了正确的 URI 和请求正文
如果可以这样生成:
$ScopeTagId = 2
$TargetGroupIds = @()
$TargetGroupIds += '687c08f1-e78f-4506-b4a6-dfe35a05d138'
$graphApiVersion = "beta"
$Resource = "deviceManagement/roleScopeTags"
$AutoTagObject = @()
#TEST $TargetGroupId = $TargetGroupIds[0]
foreach ($TargetGroupId in $TargetGroupIds) {
#Build custom object for assignment
$AssignmentProperties = "" | Select id,target
$AssignmentProperties.id = ($TargetGroupId + '_' + $ScopeTagId)
#Build custom object for target
$targetProperties = "" | Select "@odata.type",deviceAndAppManagementAssignmentFilterId,deviceAndAppManagementAssignmentFilterType,groupId
$targetProperties."@odata.type" = "microsoft.graph.groupAssignmentTarget"
$targetProperties.deviceAndAppManagementAssignmentFilterId = $null
$targetProperties.deviceAndAppManagementAssignmentFilterType = 'none'
$targetProperties.groupId = $TargetGroupId
#add target object to assignment
$AssignmentProperties.target = $targetProperties
$AutoTagObject += $AssignmentProperties
}
#build body object
$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($AutoTagObject)
$JSON = $object | ConvertTo-Json -Depth 10
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)/$ScopeTagId/assign"
Invoke-RestMethod -Method Post -Uri $uri -Headers $global:authToken -Body $JSON -ErrorAction Stop
Json 请求正文如下所示:
{
"assignments": [
{
"id": "b25c80e3-78cc-4b7c-888e-fc50dcc6b582_2",
"target": {
"@odata.type": "microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "b25c80e3-78cc-4b7c-888e-fc50dcc6b582"
}
}
]
}
没有任何记录......
关于azure - 将 Intune 范围标记分配给 Azure Azure AD 组,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/70882242/