如何使用Azure Active Directory Graph API获取属于AppRole的所有用户

本文介绍了如何使用Azure Active Directory Graph API获取属于AppRole的所有用户的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我一辈子都想不通如何查询Azure Active Directory的Graph API以获取属于特定AppRole的所有用户.

I can't for the life of me figure out how to query Azure Active Directory's Graph API to get all users that belong to a particular AppRole.

首先，我尝试过类似的操作:

First I tried something like:

client.Users.Where(u => u.AppRoleAssignments.Any(r => r.Id == "some-guid"));

但这不会编译，因为AppRoleAssignments是IPagedCollection，因此您无法在其上执行任何操作.

But that won't compile because AppRoleAssignments is a IPagedCollection so you can't do things like .Any on it.

然后我尝试在ServicePrincipal中查询我的应用程序中的所有AppRoleAssignments:

Then I tried to query all the AppRoleAssignments in the ServicePrincipal for my Application:

var servicePrincipal = await client.ServicePrincipals
    .Expand(p => p.AppRoleAssignments)
    .Where(p => p.AppId == "my app id guid")
    .ExecuteSingleAsync();

但是 servicePrincipal.AppRoleAssignments 似乎似乎忽略了我的.Expand，却顽固地返回了空白.

But servicePrincipal.AppRoleAssignments stubbornly comes back empty seemingly ignoring my .Expand.

我还尝试通过ID直接获取ServicePrincipal并进行扩展:

I also tried getting the ServicePrincipal directly by ID and doing an Expand:

var principal = await client.ServicePrincipals
    .GetByObjectId("feeaae9c-40a3-48a3-8a01-b87343f5ecfc")
    .Expand(p => p.AppRoleAssignments)
    .ExecuteAsync();

但这只会导致错误(如果删除.Expand，该错误会消失):

But that just causes an error (which goes away if you remove the .Expand):

{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Invalid object identifier 'feeaae9c-40a3-48a3-8a01-b87343f5ecfc()'."}}}

这是一个奇怪的错误，因为错误消息中的对象ID的后缀是我的代码未添加的'()'.

Which is an odd error because the object id in the error message is suffixed with a '()' that is not added by my code.

我缺少明显的东西吗?当然，有一种简单的方法可以让所有用户加入AppRole?

Am I missing something obvious? Surely there's an easy way to get all users in an AppRole?

推荐答案

我终于找到答案了.为了从ServicePrincipal转到AppRoleAssignments，您需要直接查询列表，而不是尝试从ServicePrincipal扩展它:

I finally figured out the answer. In order get to AppRoleAssignments off the ServicePrincipal you need to query the list directly rather than trying to expand it off the ServicePrincipal:

await client.ServicePrincipals
    .GetByObjectId(servicePrincipalObjectId)
    .AppRoleAssignedTo
    .ExecuteAsync()

然后，您必须手动浏览用户和组以获取最终的用户列表.这可能会导致调用许多Graph API服务，具体取决于存在的组和用户数量，因此请注意！

Then you have to manually walk through the users and groups to get a final list of users. This could potentially result in many Graph API service calls depending on how many groups and users there are, so be warned!

编辑:正如Dan Kershaw在评论中提到的那样，角色仅应用于直接链接到AppRoles的组中的用户.子组不继承角色.

As Dan Kershaw mentions in the comments, roles are only applied to users in groups that are directly linked to AppRoles. Sub-groups do not inherit the roles.

我将完整的解决方案放在Gist的此处，因为它确实也是大到可以在这里插入.

I've put up the full solution in a Gist here because it's really too big to put inline here.

这篇关于如何使用Azure Active Directory Graph API获取属于AppRole的所有用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！