Look up user in AAD based on AADB2C attribute value


Question

If I have a user in Azure AD B2C that was created based on an Azure AD (enterprise) identity (as described here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom), is there an attribute stored in AADB2C that will allow me to look up (using Graph API or similar) the user object in AAD? I see that among the AADB2C attributes there is userPrincipalName and issuerUserId but it's not obvious to me if either of these match any value stored in AAD.

Thanks!

Martin

Recommended answer

For an external account, the external issuer (i.e., Azure AD) and the external user identifier (i.e., the object identifier of the Azure AD user) are written to the "userIdentities" property of the user object in the Azure AD B2C directory, where the "issuerUserId" property contains the Base64-encoding of the external user identifier:

{
    "userIdentities": [
        {
            "issuer": "contoso.com",
            "issuerUserId": "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm"
        }
    ]
}

To find the user object by the external account, you can invoke the following Graph API operation, where the "x/issuerUserId" value is set to the hexadecimal-encoding of the external user identifier:

GET https://graph.windows.net/myorganization/users?$filter=userIdentities/any(x:x/issuer eq 'contoso.com' and x/issuerUserId eq X'32393637376535302d636330652d343265392d626135632d663166303764653530303866')

Update:

The issuerUserId from the external identity provider should be treated as a string and not a decimal. In the above example, when you Base64-decode "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm", it returns the GUID 29677e50-cc0e-42e9-ba5c-f1f07de5008f. In the case of Facebook, the issuerUserId will be a number, but it should still be treated as a string.

The next step will be to use a string-to-hexadecimal converter and then use that value in the query.
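The decode and re-encode steps from the answer above, as an added example that is not part of the original answer: it Base64-decodes the stored issuerUserId, hex-encodes the resulting string, and builds the filter shown in the GET request. The function names and the quote-doubling of the issuer value (standard OData string escaping) are assumptions added here, and the numeric ID is constructed sample data.

```python
import base64
import binascii
from urllib.parse import quote

GRAPH_USERS = "https://graph.windows.net/{tenant}/users"  # endpoint form shown in the answer


def decode_issuer_user_id(b64_value: str) -> str:
    """Base64-decode the stored issuerUserId into the IdP's identifier string."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"issuerUserId is not valid Base64: {exc}") from exc
    return raw.decode("utf-8")  # stays a string, even for all-digit Facebook IDs


def hex_literal(external_id: str) -> str:
    """Hex-encode the identifier string as the X'..' literal used in the filter."""
    return "X'" + external_id.encode("utf-8").hex() + "'"


def build_filter(issuer: str, external_id: str) -> str:
    """Build the $filter expression; single quotes in issuer are doubled (assumed OData escaping)."""
    safe_issuer = issuer.replace("'", "''")
    return (
        f"userIdentities/any(x:x/issuer eq '{safe_issuer}' "
        f"and x/issuerUserId eq {hex_literal(external_id)})"
    )


def build_lookup_url(issuer: str, external_id: str, tenant: str = "myorganization") -> str:
    """Full GET URL with the filter percent-encoded for transport."""
    flt = quote(build_filter(issuer, external_id), safe="/():'")
    return GRAPH_USERS.format(tenant=tenant) + "?$filter=" + flt


if __name__ == "__main__":
    stored = "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm"  # value from the answer
    oid = decode_issuer_user_id(stored)
    print(oid)
    print(build_filter("contoso.com", oid))
    print(build_lookup_url("contoso.com", oid))
    print(hex_literal("10154321234567890"))  # constructed Facebook-style numeric ID
```

Because the identifier is hex-encoded as a string, a numeric ID such as a Facebook one is encoded digit by digit as characters, never converted as a number.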
