Azure AD-检索本地AD组公用名 [英] Azure AD - Retrieve a On-Prem AD Group Common Name
问题描述
我有一个需要根据其本地AD通用名称过滤权限的应用程序.几个注意事项:
I have an application that needs to filter permissions based on their on-prem AD common name. Couple of notes:
- Azure AD Connect正在OnPrem AD和Azure之间同步数据
- 我已成功将Azure Graph API中已登录用户的组信息检索到Web应用程序中.
我遇到的问题是从Graph API返回的数据不是我所需要的,或者我没有正确配置Azure AD Connect.组的Graph API JSON返回对象记录在这里.
The problem I'm having is the data returned from Graph API is not what I need or I have not properly configured Azure AD Connect properly. The Graph API JSON return object for groups is documented here.
这是从Graph API返回的Group对象:
Here is the Group object returned from Graph API:
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Group/@Element",
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"objectId": "b4bda672-1fba-4711-8fb1-5383c40b2c14",
"deletionTimestamp": null,
"description": "Marketing Department",
"dirSyncEnabled": null,
"displayName": "Marketing",
"lastDirSyncTime": null,
"mail": null,
"mailNickname": "BposMailNickName",
"mailEnabled": false,
"onPremisesSecurityIdentifier": null,
"provisioningErrors": [],
"proxyAddresses": [],
"securityEnabled": true
}
我能找到的最接近的东西是显示名称",但这不是通用名称.我不想使用的一个选项是使所有显示名称"与组CN相同.
The closest thing I can find is "Display Name" but this is not the Common Name. An option, one I don't want to use, is make all of the "Display Names" the same as the group CN.
TLDR; 是否可以通过Graph API访问用户组CN,如果可以,如何获取这些数据?
TLDR; Is a user groups CN accessible through Graph API and if so, how can I get to this data?
-更新:检索所有用户组ID后,我将使用Graph API端点getObjectsByObjectIds来访问Graph API.
-Update: I'm using the Graph API endpoint getObjectsByObjectIds to hit Graph API once I have retrieve all of the Users Group Ids.
推荐答案
CN不能通过Graph API(AAD或Microsoft Graph)访问.如果要在内部部署和云之间寻找通用的唯一标识符,则可以使用内部部署组SID(在云onPremisesSecurityIdentifier中).此属性是可过滤的.
CN is not accessible through Graph API (AAD or Microsoft Graph). If you are looking for a common unique identifier between on-premises and the cloud the you could use the on-premises group SID (in the cloud onPremisesSecurityIdentifier). This property is filterable.
我能想到的唯一其他选择(如果这是不可接受的,并且您真的需要CN)是使用
The only other option I can think of (if that's not acceptable and you really need CN) is to use directory schema extensions, to extend the group entity with an additional CN property. Schema extensions are also filterable. Please also take a look at the latest AD Connect versions, as I believe they offer the ability to create/configure AAD cloud schema extensions and map from on-premises.
希望这会有所帮助
这篇关于Azure AD-检索本地AD组公用名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
