问题描述
我正在将 Azure AD 与已注册的应用程序一起使用,并且我正在使用 Microsoft Graph API 来查询 AD.
I am using Azure AD with a registered Application and I am using the Microsoft Graph API to query the AD.
下面的代码告诉用户分配到哪些组
The following code below tells which groups the User is Assigned to
var memberof = await graphClient.Users[xxx].MemberOf.Request().GetAsync();
我使用的是标准 AD 包,似乎团体受到了一些限制,我需要购买Premium AD 包"才能完全使用它们.
I am using standard AD package and it seems that groups are somewhat restricted and I need to buy the "Premium AD Package" to use them fully.
所以我不想使用组信息.我对分配给我的用户的角色感兴趣,这些角色已放入我的应用程序清单中.
So I don't want to use the group information. I am interested in the roles that I assign my users that I have put into my application manifest.
例如
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Case Manager",
"id": "{A_Guid}",
"isEnabled": true,
"description": "Case Manager's can create and assign Cases to other users",
"value": "CaseManager"
},
那么,如何使用 Graph Api 告诉我用户是否具有特定角色?
So, how can I use the Graph Api to tell me if a user has a particular role ?
推荐答案
1.微软图形 API
读取分配给用户的所有应用程序特定角色(即 AppRoleAssignments)的功能仅作为当前 AFAIK 的 Microsoft Graph API beta 端点 的一部分提供.这在 v1.0 中不可用.您可以在这里
1. Microsoft Graph API
The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint currently AFAIK. This is not available as part of v1.0. You can read about versions here
从名称beta"可以看出,它预计不会是生产应用程序可以依赖的稳定版本.阅读 此 SO 帖子中的更多具体点马克·拉弗勒(Marc LaFleur)
As evident from name "beta", it's not expected to be a stable version that can be relied upon for production applications. Read more specific points in this SO Post by Marc LaFleur
确切的 API(Microsoft Docs 参考):
GET https://graph.microsoft.com/beta/users/{id | userPrincipalName}/appRoleAssignments
我尝试使用 GraphServiceClient(用于 Microsoft Graph 的 .NET SDK),但找不到与 AppRoleAssignments 相关的任何内容.(可能是因为 SDK 使用的是稳定 1.0 版本的元数据,而不是 beta 版本)
I tried using GraphServiceClient (.NET SDK for Microsoft Graph) but wasn't able to find anything related to AppRoleAssignments. (probably because SDK uses metadata from stable 1.0 version and not the beta version)
无论如何,如果您仍然可以对此进行测试,请使用 Microsoft Graph Explorer 或直接从 C# 代码调用端点
In any case, if you can still test this, use Microsoft Graph Explorer or directly call the endpoint from C# code
string graphRequest = $"https://graph.microsoft.com/beta/users/{my user GUID}/appRoleAssignments";
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, graphRequest);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
2.Windows Azure AD 图形 API
尽管建议尽可能使用 Microsoft Graph API,但仍有一些情况下 Microsoft Graph 尚未赶上,因此您不得不使用 Azure AD Graph API.应用程序管理相关的案例就是其中的一些.
2. Windows Azure AD Graph API
Even though it's recommended to use Microsoft Graph API whenever possible, there are still some cases where Microsoft Graph hasn't caught up yet so you are forced to use Azure AD Graph API. Application management related cases are some of those.
所以你可以使用这个 Azure AD Graph API.我从 Azure AD Graph Explorer 快速对此进行了测试,它运行良好.
So you could use this Azure AD Graph API. I quickly tested this from Azure AD Graph Explorer and it works fine.
https://graph.windows.net/{yourtenantid}/users/{id}/appRoleAssignments?api-version=1.6
就像 Microsoft Graph Library for .NET 一样,您可以使用 Azure AD Graph.NET 的客户端库,您的代码看起来像这样..
Just like Microsoft Graph Library for .NET you can use Azure AD Graph Client Library for .NET and your code would look something like this..
aadgraphClient.Users["<user guid>"].AppRoleAssignments;
附带说明,由于您专门针对 Microsoft Graph API 提出了该问题,因此我已相应地回答了该问题.
On a side note, since you've asked the question specifically for Microsoft Graph API, I've answered it accordingly.
至少对于应用程序的当前登录用户,您始终可以找到 应用程序角色 从 角色声明作为 Azure Active Directory 访问令牌的一部分提供.
At least for the currently signed in user for an application, you can always find the Application Roles assigned to them from the Role claims available as part of the access token from Azure Active Directory.
虽然这仅对当前用户的角色有帮助,但如果您尝试跨应用程序的所有用户进行管理,则对管理类型的场景没有帮助.这是一个读取角色声明并根据当前登录用户的应用角色进行授权的示例.
This although only helps with roles for current user and not in management sort of scenarios if you're trying to go across all users for an application. Here's a sample that reads role claims and does authorization based on App Roles for currently signed in user.
在网络应用程序中使用授权Azure AD 应用程序角色和角色声明
这篇关于如何获得“分配的角色"?Azure Active Directory 中的用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!