我们如何才能使我们的应用程序在AAD中享有特权? [英] How can we make our app privileged in AAD?
问题描述
我们正在构建一项服务,使用AAD对用户进行身份验证.我们还需要从AAD中读取用户所属的组,以便我们可以解析用户在系统中应具有的权限(我们将AAD中的某些组隐藏在 我们的系统,并且具有存储在我们这边的系统特定权限).但是,我们面对的是要向AAD查询用户的权限,看来我们的应用程序需要具有读取AAD中所有组(完整目录)的权限.
We are building a service where we use AAD to authenticate users. We also have the need to read the groups the user is member of from AAD, so that we can resolve the permissions the user should have in our system (we shadow some of the groups from AAD in our system and have system specific permissions stored on our side). However, what we face is that to query AAD for the permissions of the user, it seems our app needs to have permission of reading all groups (full directory) in AAD.
问题是,我们如何才能使我们的应用在AAD中具有特权,使其只能从目录中读取某些组?
Question is, how can we make our app privileged in AAD to only read certain groups from the directory?
推荐答案
Once you registered the application with Azure AD, you can update the application. The Azure AD consent framework will allow you to access web APIs such as the Microsoft Graph API to access Azure Active Directory. Here you can choose appropriate application permission and delegated permission. There is an option of Read all groups, but it can’t be customized further to have read access to certain groups only. For more information refer: Integrating applications with Azure Active Directory
----------- -------------------------------------------------- -------------------------
如果此答案有帮助,请单击标记为答案" "或赞".要提供有关您的论坛体验的其他反馈,请单击 此处
这篇关于我们如何才能使我们的应用程序在AAD中享有特权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
