[Azure environment] AAD registered application calling the AAD Group permissions API gets 403: Attempted to perform an unauthorized operation
Problem description
After obtaining a token with an Azure AD registered application and using it to access an AAD Group and view its log information, the call fails with {"error":{"code":"UnauthorizedAccessException","message":"Attempted to perform an unauthorized operation."}}
Python code -- obtaining a token with the AAD registered application
import requests
import json

def get_bearer_token():
    tenant_id = "your azure tenant id"
    client_id = "your AAD registrations application id"
    client_secret = "***********************************"
    # The resource (URI) that the bearer token will grant access to
    scope = 'https://api.azrbac.azurepim.identitygovernance.azure.cn/.default'
    # Azure AD authentication endpoint (Azure China)
    AUTHORITY = f'https://login.chinacloudapi.cn/{tenant_id}/oauth2/v2.0/token'
    # Request an access token from Azure AD with the client credentials flow
    response = requests.post(
        AUTHORITY,
        data={
            'grant_type': 'client_credentials',
            'client_id': client_id,
            'client_secret': client_secret,
            'scope': scope
        }
    )
    if response.status_code != 200:
        # Fail here instead of returning an unbound access_token
        raise RuntimeError("Error occurred while retrieving token: " + response.text)
    return response.json().get('access_token')

However, when calling the https://api.azrbac.azurepim.identitygovernance.azure.cn/api/v2/privilegedAccess/aadGroups/activities endpoint with that token, the request fails with an error saying the permissions are insufficient.
{"error":{"code":"UnauthorizedAccessException","message":"Attempted to perform an unauthorized operation."}}
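Before blaming the group assignment, it is worth ruling out the other common cause of this error: a token that was issued for the wrong resource. The following is an added example (not code from the original post) that decodes the token's payload offline and checks the aud, exp and tid claims against the scope used above. It assumes the audience is issued as the resource URI (some tenants issue the resource's application ID instead, in which case pass expected_aud explicitly); the unsigned token it builds is constructed for testing only, and a matching audience proves nothing about the application's assignment on the group.

```python
import base64
import json
import time

# Resource the token must be issued for: the page's scope without the "/.default" suffix.
# Assumption: the tenant issues the audience as this URI; if your tenant issues the
# resource's application ID (a GUID) instead, pass that value as expected_aud.
EXPECTED_AUDIENCE = "https://api.azrbac.azurepim.identitygovernance.azure.cn"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only for local inspection of a token you just received from the token
    endpoint; it says nothing about whether the token is genuine."""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_pim(token: str, expected_aud: str = EXPECTED_AUDIENCE, now: int = None) -> list:
    """Return the reasons this token cannot work against the PIM API (empty list == claims look right).

    What this does NOT catch: a correct audience only proves the token was issued
    for the API, not that the application holds any assignment on the group."""
    claims = parse_jwt_claims(token)
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud not in (expected_aud, expected_aud + "/"):
        problems.append(f"audience is {aud!r}, expected {expected_aud!r}: wrong scope was requested")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp claim")
    if not claims.get("tid"):
        problems.append("no tid claim: token was not issued by an Azure AD tenant")
    return problems


def make_unsigned_test_token(claims: dict) -> str:
    """CONSTRUCTED, unsigned token for offline testing only.
    Real Azure AD tokens are RS256-signed; never accept alg=none anywhere else."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


# Constructed sample claims (not real tokens). 1690416000 is 2023-07-27T00:00:00Z.
GOOD_CLAIMS = {"aud": EXPECTED_AUDIENCE, "tid": "00000000-0000-0000-0000-000000000000", "exp": 1690416000}
WRONG_AUD_CLAIMS = {"aud": "https://microsoftgraph.chinacloudapi.cn",
                    "tid": "00000000-0000-0000-0000-000000000000", "exp": 1690416000}

if __name__ == "__main__":
    for name, claims in (("good", GOOD_CLAIMS), ("wrong_aud", WRONG_AUD_CLAIMS)):
        tok = "Bearer " + make_unsigned_test_token(claims)
        print(name, check_token_for_pim(tok, now=1690400000))
```

If check_token_for_pim returns an audience problem, the fix is in the scope passed to the token endpoint, not in the group; if it returns nothing and the activities call still fails, continue with the assignment check below.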
Solution
The error message says the current access token is not permitted to view the Activities log of the AAD Groups, so open the specific AAD Group and check whether the AAD registered application holds any permission on it. If it holds none, granting it the permission resolves the problem (PS: either the Member or the Owner role works).
Checking directly in the portal:
Portal entry: https://portal.azure.cn/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/aadgroup
Listing the permitted operations through the API:
url = "https://api.azrbac.azurepim.identitygovernance.azure.cn/api/v2/privilegedAccess/aadGroups/resources/"+str(aad_groups_list[index]['id'])+"/permissions"
Once the application has been added as an active assignment, it holds the permission:
{'accessLevel': 'AdminRead', 'isActive': True, 'isEligible': False}, {'accessLevel': 'ActivityRead', 'isActive': True, 'isEligible': False}
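The permissions response above is the thing to inspect for every group before looping over the activities endpoint. The following is an added example (not code from the original post) that classifies one group's permissions list as ok, eligible-only or no-assignment, recognises the UnauthorizedAccessException body, and reports which groups still need an active assignment. It assumes the entry shape shown in the fragment above, that the activities call needs an active ActivityRead entry, and that an eligible-but-not-active PIM assignment does not satisfy it; the group and permission data are constructed samples.

```python
import json

# Access level the activities endpoint needs, per the permissions fragment on the page.
REQUIRED_FOR_ACTIVITIES = ("ActivityRead",)


def active_access_levels(entries):
    """accessLevel values that are currently active for the caller on one group.
    Assumption: eligible-but-not-active PIM assignments do not satisfy the activities call."""
    return {e["accessLevel"] for e in entries if e.get("isActive")}


def diagnose_activities_access(entries):
    """Classify one group's permissions list: 'ok', 'eligible-only' or 'no-assignment'."""
    active = active_access_levels(entries)
    eligible = {e["accessLevel"] for e in entries if e.get("isEligible") and not e.get("isActive")}
    missing = [lvl for lvl in REQUIRED_FOR_ACTIVITIES if lvl not in active]
    if not missing:
        return "ok"
    if all(lvl in eligible for lvl in missing):
        return "eligible-only"
    return "no-assignment"


def is_pim_unauthorized(body_text):
    """True when a response body is the UnauthorizedAccessException payload shown on the page."""
    try:
        err = json.loads(body_text).get("error", {})
    except (ValueError, AttributeError):
        return False
    return err.get("code") == "UnauthorizedAccessException"


def groups_needing_assignment(groups, permissions_by_group):
    """Return [(group name, verdict)] for every group whose activities call would fail.
    `groups` has the shape list_aad_groups() returns; `permissions_by_group` maps
    group id -> the list from .../resources/{id}/permissions (fetched elsewhere)."""
    result = []
    for g in groups:
        verdict = diagnose_activities_access(permissions_by_group.get(g["id"], []))
        if verdict != "ok":
            result.append((g["name"], verdict))
    return result


# Constructed sample data; the entry shape follows the fragment shown on the page.
SAMPLE_GROUPS = [
    {"id": "g-1", "name": "PIM-Admins"},
    {"id": "g-2", "name": "PIM-Readers"},
    {"id": "g-3", "name": "PIM-Auditors"},
]
SAMPLE_PERMISSIONS = {
    "g-1": [{"accessLevel": "AdminRead", "isActive": True, "isEligible": False},
            {"accessLevel": "ActivityRead", "isActive": True, "isEligible": False}],
    "g-2": [{"accessLevel": "ActivityRead", "isActive": False, "isEligible": True}],
    # g-3: the application has no assignment at all, so no entries come back
}
SAMPLE_ERROR_BODY = ('{"error":{"code":"UnauthorizedAccessException",'
                     '"message":"Attempted to perform an unauthorized operation."}}')

if __name__ == "__main__":
    print(groups_needing_assignment(SAMPLE_GROUPS, SAMPLE_PERMISSIONS))
    print(is_pim_unauthorized(SAMPLE_ERROR_BODY))
```

Running the check up front turns a wall of identical 403 bodies into a short list of groups to fix in the portal; the eligible-only verdict is the case where the application is listed on the group but its assignment has not been made active.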
Appendix: use the AAD token to list the AAD Groups and download the Activity Logs of each AAD Group
import requests
import json

def get_bearer_token():
    tenant_id = "your azure tenant id"
    client_id = "your AAD registrations application id"
    client_secret = "***********************************"
    # The resource (URI) that the bearer token will grant access to
    scope = 'https://api.azrbac.azurepim.identitygovernance.azure.cn/.default'
    # Azure AD authentication endpoint (Azure China)
    AUTHORITY = f'https://login.chinacloudapi.cn/{tenant_id}/oauth2/v2.0/token'
    # Request an access token from Azure AD with the client credentials flow
    response = requests.post(
        AUTHORITY,
        data={
            'grant_type': 'client_credentials',
            'client_id': client_id,
            'client_secret': client_secret,
            'scope': scope
        }
    )
    if response.status_code != 200:
        # Fail here instead of returning an unbound access_token
        raise RuntimeError("Error occurred while retrieving token: " + response.text)
    return response.json().get('access_token')

def list_aad_groups(bearer_token):
    # Lists the PIM-managed AAD Groups visible to the token (query string as on the page)
    url = "https://api.azrbac.azurepim.identitygovernance.azure.cn/api/v2/privilegedAccess/aadGroups/resources?"
    headers = {
        'Authorization': bearer_token
    }
    response = requests.get(url=url, headers=headers)
    response.raise_for_status()
    data = json.loads(response.text)
    aad_groups_list = []
    for group in data["value"]:
        aad_groups_list.append({"id": group["id"], "name": group["displayName"]})
    return aad_groups_list

def download_pim_audit_log(date, group_id, group_name, bearer_token):
    # UTC window for the requested day; the query string that applies this window
    # and group_id to the request is not shown on the page
    start_time = str(date) + "T00:00:00.000Z"
    end_time = str(date) + "T23:59:59.999Z"
    url = "https://api.azrbac.azurepim.identitygovernance.azure.cn/api/v2/privilegedAccess/aadGroups/activities?"
    headers = {
        'Authorization': bearer_token
    }
    response = requests.get(url=url, headers=headers)
    if response.status_code != 200:
        print("Failed to Download log : " + response.text)
        return False
    data = json.loads(response.text)["value"]
    # One JSON record per line in "<date> <group name>.json" in the working directory
    dst_path = str(date) + " " + str(group_name) + ".json"
    with open(dst_path, "a+", encoding="utf-8") as file_debug:
        for record in data:
            file_debug.write(json.dumps(record, ensure_ascii=False))
            file_debug.write("\n")
    return True

if __name__ == '__main__':
    # Do not print the token: it is a bearer credential for the PIM API
    token = "Bearer " + str(get_bearer_token())
    date = "2023-07-26"
    aad_groups_list = list_aad_groups(token)
    for group in aad_groups_list:
        download_pim_audit_log(date, group['id'], group['name'], token)
When facing problems in a complex environment, the way of investigating things is: let the turbid settle and it slowly clears; let the still move and it slowly comes alive. In the cloud, it is just so!