How to update a SharePoint Online site collection using a Function App

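Problem description

I am using an Azure Function to develop some functionality for creating site collections. My steps are as follows:

  1. Create the site collection as an admin (via client ID and client secret)
  2. Get the client context for the new URL to update some information, such as group members, site owners, etc.

I am now facing a problem. At first I used an account and password to get the new client context and then update the site properties, but now I cannot use that because of a new company policy. How can I improve this approach to solve the problem?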

    public ClientContext GetClientContextByCredential(SharePointOnlineCredentials cred, bool tryNewSite)
    {
        ClientContext ctx = ContextInit;
        try
        {
            ctx.Credentials = cred;
            Web web = ctx.Web;
            ctx.Load(web, w => w.Url);
            ctx.ExecuteQuery();

            return ctx;
        }
        catch (Exception ex)
        {
            ctx = null;
            if (_logHelper != null)
            {
                if (tryNewSite)
                {
                    _logHelper.writeLog(ex.Message, TraceLevel.Info, ex);
                }
                else
                    _logHelper.writeLog(ex.Message, TraceLevel.Error, ex);
            }
            return ctx;
        }
    }

This error occurs when using SharePointOnlineCredentials:

The remote server returned an error: (401) Unauthorized.

Tags: c#, sharepoint, azure-functions, sharepoint-online

Solution

If you want to use an Azure AD application to connect to SharePoint Online, refer to the following steps:

  1. Create the Azure AD application

    Connect-AzureAD

    # Create the self-signed cert (skip this if you already have a cert)
    $currentDate = Get-Date
    $endDate  = $currentDate.AddYears(1)
    $notAfter  = $endDate.AddYears(1)
    $pwd  = "<password>"
    $thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
    $pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
    Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd

    # Load the certificate
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
    $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

    # Create the Azure Active Directory Application
    $application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
    New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

  2. Configure the permissions through the Azure portal

  3. Upload the certificate to Azure Key Vault

    # The password must match the one used with Export-PfxCertificate
    $Password = ConvertTo-SecureString -String "123" -AsPlainText -Force
    Import-AzKeyVaultCertificate -VaultName "ContosoKV01" -Name "ImportCert01" -FilePath "C:\temp\examplecert.pfx" -Password $Password

  4. Configure the Azure Function

    a. Configure MSI for the Function App

    b. In Key Vault, create an access policy for the application identity you created earlier. Enable the "Get" secret permission on this policy.

    c. Code

    using System;
    using System.Diagnostics;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;
    using Microsoft.SharePoint.Client;
    using OfficeDevPnP.Core;

    public ClientContext GetClientContextByCredential(bool tryNewSite)
    {
        ClientContext ctx = ContextInit;
        try
        {
            // App-only context authenticated with the certificate stored in Key Vault
            ctx = new AuthenticationManager().GetAzureADAppOnlyAuthenticatedContext(
                siteUrl,
                ApplicationId,
                tenant + ".onmicrosoft.com",
                GetKeyVaultCertificate("kv-spo", "AzureAutomationSPOAccess"));
            ctx.Load(ctx.Web, p => p.Title);
            ctx.ExecuteQuery();

            return ctx;
        }
        catch (Exception ex)
        {
            ctx = null;
            if (_logHelper != null)
            {
                if (tryNewSite)
                {
                    _logHelper.writeLog(ex.Message, TraceLevel.Info, ex);
                }
                else
                    _logHelper.writeLog(ex.Message, TraceLevel.Error, ex);
            }
            return ctx;
        }
    }

    internal static X509Certificate2 GetKeyVaultCertificate(string keyvaultName, string name)
    {
        // Authenticate to Key Vault with the Function App's managed identity (MSI)
        var serviceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(serviceTokenProvider.KeyVaultTokenCallback));

        // Getting the certificate
        var secret = keyVaultClient.GetSecretAsync("https://" + keyvaultName + ".vault.azure.net/", name);

        // Returning the certificate
        return new X509Certificate2(Convert.FromBase64String(secret.Result.Value));
    }
    

For more details, see

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

https://docs.microsoft.com/en-us/archive/blogs/richard_dizeregas_blog/performing-app-only-operations-on-sharepoint-online-through-azure-ad
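
A variant of the GetKeyVaultCertificate step above that checks the certificate before it is handed to the authentication call, as an added example that is not part of the original answer. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages in place of the libraries used in the answer; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical helper, not from the original answer.
internal static class KeyVaultCertificateLoader
{
    internal static X509Certificate2 Load(string keyVaultName, string certificateName)
    {
        // In Azure, DefaultAzureCredential resolves to the Function App's managed identity.
        var client = new SecretClient(
            new Uri("https://" + keyVaultName + ".vault.azure.net/"),
            new DefaultAzureCredential());

        // Key Vault returns the private key only through the secret that shares the
        // certificate's name, which is why the policy needs the "Get" secret permission.
        KeyVaultSecret secret = client.GetSecret(certificateName).Value;

        // An imported PFX is stored as base64 PKCS#12; a PEM secret needs different parsing.
        string contentType = secret.Properties.ContentType;
        if (!string.Equals(contentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Unexpected secret content type: " + contentType);

        var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
        try
        {
            // Without the private key the app cannot sign its token request.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key.");

            // Fail here with a clear message instead of an authentication error later.
            DateTime now = DateTime.Now; // NotBefore/NotAfter are reported in local time
            if (now < cert.NotBefore || now > cert.NotAfter)
                throw new InvalidOperationException(
                    "Certificate " + cert.Thumbprint + " is outside its validity period (" +
                    cert.NotBefore.ToString("u") + " to " + cert.NotAfter.ToString("u") + ").");

            return cert;
        }
        catch
        {
            cert.Dispose(); // do not leave key material loaded on the failure path
            throw;
        }
    }
}
```

The returned certificate can be passed as the last argument of GetAzureADAppOnlyAuthenticatedContext in place of the GetKeyVaultCertificate call.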

