Role Count using Graph Api against a tenant


Problem description

Is there a way to find each role that exists against a tenant and the number of users which have been assigned to each role, using the GraphServiceClient or GraphConnection class? I am using C#.

Recommended answer

Directory Roles - Finding all directory roles and the count of their members for a tenant

I have given sample code for both the Microsoft Graph API (https://graph.microsoft.com) and the Azure AD Graph API (https://graph.windows.net), but it is strongly recommended to use the newer Microsoft Graph API unless there is something specific that you aren't able to get from it, and only then look at the Azure AD Graph API.

Look here for more detailed comparisons: Microsoft Graph or Azure AD Graph

Here are the nuget package and class details, as you've asked in comments:

  • Microsoft.Graph nuget package - to work with the Microsoft Graph API and use the GraphServiceClient class.

  • Microsoft.Azure.ActiveDirectory.GraphClient nuget package - to work with the Azure AD Graph API and use the ActiveDirectoryClient class.

Microsoft Graph API

APIs - List directoryRoles, List members

var roles = await graphServiceClient.DirectoryRoles.Request().GetAsync();
foreach (var role in roles.CurrentPage)
{
    var members = await graphServiceClient.DirectoryRoles[role.Id].Members.Request().GetAsync();
    Console.WriteLine("Role = {0}, Member count = {1}", role.DisplayName, members.CurrentPage.Count);
}

Azure AD Graph API

APIs - Get directory roles

NOTE: While testing the code I also noticed a slight difference in behavior of the 2 APIs. Microsoft Graph only returns users when you ask for the members of a directory role. Azure AD Graph, on the other hand, returned both users and service principals. See my code for a special check in the case of Azure AD Graph.

Also note that many of the results you get will be paginated collections, so you may need to handle pagination in case of multiple pages of results.

Application Roles - Finding all application roles for an application and then finding the number of users through app role assignments.

Application Roles are specific to an application registered in Azure AD. The role assignments collection for that application can be read by going through the service principal for that application in the tenant.

Azure AD Graph API

App Roles

// Read the application object by its object id; its AppRoles are the roles it defines
var app = activeDirectoryClient.Applications["<applicationObjectId>"].ExecuteAsync().Result;
var appRoles = app.AppRoles;

App Role Assignments

// Azure AD Graph client; GetTokenForApplication() is the caller's own token provider
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(
    new Uri("https://graph.windows.net/<tenantGuid>"),
    async () => await GetTokenForApplication());

// Resolve the application's service principal in this tenant by its application (client) id
var servicePrincipal = activeDirectoryClient.ServicePrincipals.Where(x => x.AppId == "<applicationId>").ExecuteAsync().Result.CurrentPage[0];
// Assignments of this application's app roles to principals
var appRoleAssignments = activeDirectoryClient.ServicePrincipals[servicePrincipal.ObjectId].AppRoleAssignedTo.ExecuteAsync().Result;
int userCountForApp = 0;
foreach (var appRoleAssignment in appRoleAssignments.CurrentPage)
{
    // Azure AD Graph also returns service principals here, so count users only
    if (appRoleAssignment.PrincipalType == "User")
    {
        userCountForApp++;
        Console.WriteLine("Role Id = {0} and User Name = {1}", appRoleAssignment.Id, appRoleAssignment.PrincipalDisplayName);
    }
}

Microsoft Graph API

The ability to read all application-specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of the Microsoft Graph API beta endpoint. So it's not stable enough to be used in production code and you won't find Client SDK support for C#. Read more specific points in this SO Post by Marc LaFleur.

Relevant APIs:

  • AppRoleAssignments
  • AppRoles
