获取Azure Active Directory应用程序用户和角色 [英] Get Azure Active Directory application users and roles

问题描述

我已经在Azure AD Premium中设置了一个应用程序，并需要进行用户分配才能访问该应用程序.我已将自定义应用程序角色添加到应用程序清单中.我可以为该应用程序分配具有角色的用户.

I've setup an application in Azure AD Premium and made user assignment required to access the application. I've added custom app roles to the application manifest. I can assign users with a role to the application.

如何获取分配给该应用程序的所有用户及其分配的角色的列表?

How can you get a list of all users that are assigned to the application and their assigned role?

推荐答案

Azure门户(预览版)

在新的Azure门户的企业应用程序">(您的应用程序)>用户和组"下，您现在将仅看到分配给该应用程序的用户列表以及他们的应用程序角色被分配给.您还可以按应用角色进行过滤和排序.这是一个示例:

In the new Azure portal, under "Enterprise applications" > (your app) > "Users and groups", you'll now see only the list of users who are assigned to the application, as well as the app role they are assigned to. You can also filter and sort by app role. Here's an example:

注意:截至2016年9月，新Azure门户中的Azure AD管理经验已在预览中.

经典Azure门户

在和应用程序的用户和组"下，您可以列出所有用户(及其分配状态是什么)以及所有组:

Under and application's "Users and groups" you can list all users (and what their assignment state is), as well as all groups:

[]

PowerShell

使用新的预览(截至2016年9月)Azure AD PowerShell模块，您可以使用以下示例:

Using the new preview (as of Sept 2016) Azure AD PowerShell module, you can use the following example:

# Get all service principals, and for each one, get all the app role assignments, 
# resolving the app role ID to it's display name. Output everything to a CSV.
Get-AzureADServicePrincipal | % {

  # Build a hash table of the service principal's app roles. The 0-Guid is
  # used in an app role assignment to indicate that the principal is assigned
  # to the default app role (or rather, no app role).
  $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
  $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }

  # Get the app role assignments for this app, and add a field for the app role name
  Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) | % {
    $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -Passthru
  }
} | Export-Csv "app_role_assignments.csv" -NoTypeInformation

Azure AD Graph API

使用Azure AD Graph API，您可以执行与PowerShell脚本相同的操作(实际上，新的Azure AD PowerShell模块将Azure AD Graph API用于大多数请求).

With Azure AD Graph API, you can do the equivalent of what the PowerShell script does, above (in fact, the new Azure AD PowerShell module uses Azure AD Graph API for the majority of the requests).

列出所有服务主体:

GET https://graph.windows.net/{tenant-id}/servicePrincipals

列出服务负责人的应用角色分配:

List a service principal's app role assignments:

GET https://graph.windows.net/{tenant-id}/servicePrincipals/{object-id}/appRoleAssignments

这篇关于获取Azure Active Directory应用程序用户和角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！