使用Microsoft.Graph获取当前的应用程序权限 [英] Using Microsoft.Graph to get current application permissions

问题描述

我的C#程序使用Microsoft.Graph Nuget.并且它必须能够确保它具有正确的Microsoft Graph应用程序权限.

My C# program uses the Microsoft.Graph Nuget. And it needs be able to ensure that it has the correct Microsoft Graph application permissions.

我知道如何在AD中添加权限，但我希望我的程序能够测试它是否具有所需的权限.

I know how to add permissions in AD, but I want my program to be able test it has the permissions it needs.

我要实现的示例:

var graphClient = new GraphServiceClient(authenticationProvider);

if(!graphClient.GetPermissions().Contains("AdministrativeUnit.Read.All"))
{
    throw new Exception("Missing Permission AdministrativeUnit.Read.All")
}

提前谢谢！

推荐答案

这是很长的路要走.

在这里，我通过HTTP方法提供了Microsoft Graph beta版的一般概念:

Here I provide a general idea of Microsoft Graph beta version(through HTTP method):

1. 基于应用程序ID GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '{App ID}'获取servicePrincipal的对象ID.
2. 获取appRole信息(应用程序许可信息) 基于步骤1:GET https://graph.microsoft.com/beta/servicePrincipals/{Object ID}/appRoleAssignedTo中的对象ID.
3. 获取appRoleID和Microsoft Graph应用程序权限名称:GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'的匹配列表.请注意 "00000003-0000-0000-c000-000000000000"是固定值，其中 代表Microsoft内部Graph App的App ID.
4. 比较第二步和第三步的结果，您将知道哪个 应用程序权限在您的Azure AD应用程序中.

1. Get the Object ID of the servicePrincipal based on the App ID: GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '{App ID}'.
2. Get the appRole information (the application permission information) based on the Object ID from step 1: GET https://graph.microsoft.com/beta/servicePrincipals/{Object ID}/appRoleAssignedTo.
3. Get a match list of appRoleID and Microsoft Graph application permission name: GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'. Please note that "00000003-0000-0000-c000-000000000000" is a fixed value， which represents the App ID of the Microsoft internal Graph App.
4. Compare the results of the 2nd and 3rd steps and you will know which application permissions are in your Azure AD app.

顺便说一句，

By the way, Get appRoleAssignment is only available in beta version currently, but beta version api is not recommended to use.

Microsoft Graph中/beta版本下的API可能会更改. 不支持在生产应用程序中使用这些API.

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

这篇关于使用Microsoft.Graph获取当前的应用程序权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！