如何使用Microsoft Graph API从用户配置文件中获取组织(租户)ID [英] How to get the organization (tenant) id from user profile using the Microsoft Graph API

问题描述

我正在创建一个加载项，可以使用组织许可证进行销售.

I'm creating an add-in that I to sell using organizational licenses.

我已经在外接程序上实现了身份验证方案.我目前正在要求使用 User.Read 范围来确保使用Azure和v2终结点进行身份验证.要获取用户的信息，我正在查询

I have implemented an authentication scheme on the add-in. I'm currently asking for User.Read scope for a sure authenticating using and Azure v2 endpoint. To get the user's information I'm querying

https://graph.microsoft.com/v1.0/me

要正确测试用户许可证，我需要提取用户组织的标识.但是，我从Grah请求中收到的用户信息非常贫乏.对于AAD帐户，架构如下所示:

To properly test for the user's license I need extract the user's organization's identification. However, the user information I receive from the Grah request is increadibly lean. For an AAD account the schema looks something like:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  businessPhones: [],
  displayName: "FirstName LastName",
  givenName: "FirstName",
  id: "unique-id",
  jobTitle: null,
  mail: "First.LastName@COMPANYDOMAIN.COM",
  mobilePhone: null,
  officeLocation: null,
  preferredLanguage: null,
  surname: "LastName",
  userPrincipalName: "FILastName@COMPANYDOMAIN.COM"
}

如果我使用

https://graph.microsoft.com/BETA/me

我获得了更多信息，但是没有什么可以帮助我确定用户组织上的唯一ID.

I get more information, but nothing that helps me pin down a unique id on the user's organization.

我需要使用其他范围来获取用户组织的信息吗?如果没有，我是否可以依靠将用户电子邮件中的域名解析为用户组织的唯一ID?我需要查询其他API吗?

Is there a different scope I need to use to get information for the user's organization? And if there is not, can I rely on parsing the domain name from the user's email as a unique id for the user's organization? Do I need to query a different API?

以防万一，在用户通过AD进行身份验证后，我会收到以下响应:

In case it helps, after the user authenticates with AD, I receive the following response:

{
    access_token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEWDhHQ2k2SnM2U0s4MlRzRDJQYjdyN1VLTzdJSDJSLWpTcmpScU9..."
    expires_at: Fri May 18 2018 07: 18: 42 GMT - 0400(Eastern Daylight Time) {}
    expires_in: "3599"
    provider: "Microsoft"
    scope: "https://graph.microsoft.com/User.Read"
    session_state: "012f4565-31bb-..."
    state: "259309..."
    token_type: "Bearer"
}

更新:使用 https://graph.microsoft.com/BETA/me

的完整AD响应

Update: The full AD response using https://graph.microsoft.com/BETA/me

{
    @odata.context: "https://graph.microsoft.com/beta/$metadata#users/$entity",
        accountEnabled: true,
        ageGroup: null,
        assignedLicenses: [],
        assignedPlans: [],
        businessPhones: [],
        city: null,
        companyName: null,
        consentProvidedForMinor: null,
        country: null,
        deletedDateTime: null,
        department: null,
        deviceKeys: [],
        displayName: "FirstName LastName",
        employeeId: null,
        givenName: "FirstName",
        id: "ebdcf715-43c5-4f48-ad0d-b798a3330849",
        imAddresses: [],
        jobTitle: null,
        legalAgeGroupClassification: null,
        mail: "FirstName.LastName@COMPANYDOMAIN.COM",
        mailNickname: "FirstName.LastName",
        mobilePhone: null,
        officeLocation: null,
        onPremisesDomainName: "COMPANYDOMAIN.COM",
        onPremisesExtensionAttributes: {
            …
        },
        onPremisesImmutableId: "...RVWAty...",
        onPremisesLastSyncDateTime: "2018-05-10T18:13:45Z",
        onPremisesProvisioningErrors: [],
        onPremisesSamAccountName: "FILastName",
        onPremisesSecurityIdentifier: "...-21-1412366426-...",
        onPremisesSyncEnabled: true,
        onPremisesUserPrincipalName: "FILastName@COMPANYDOMAIN.COM",
        passwordPolicies: "DisablePasswordExpiration",
        passwordProfile: null,
        postalCode: null,
        preferredDataLocation: null,
        preferredLanguage: null,
        provisionedPlans: [],
        proxyAddresses: [],
        refreshTokensValidFromDateTime: "2018-05-10T17:54:45Z",
        showInAddressList: null,
        state: null,
        streetAddress: null,
        surname: "LastName",
        usageLocation: "US",
        userPrincipalName: "FILastName@COMPANYDOMAIN.COM",
        userType: "Member"
}

更新:使用jwt.ms解码 access_token

{
  "typ": "",
  "nonce": "",
  "alg": "",
  "x5t": "",
  "kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}.{
  "aud": "",
  "iss": "",
  "iat": "",
  "nbf": "",
  "exp": "",
  "acr": "",
  "aio": "",
  "amr": [
    "pwd"
  ],
  "app_displayname": "",
  "appid": "",
  "appidacr": "",
  "family_name": "",
  "given_name": "",
  "ipaddr": "",
  "name": "",
  "oid": "",
  "onprem_sid": "",
  "platf": "",
  "puid": "",
  "scp": "",
  "sub": "",
  "tid": "",
  "unique_name": "",
  "upn": "",
  "uti": "",
  "ver": "1.0"
}.[Signature]

推荐答案

如果没有其他效果，则可以解码访问令牌并获得 tid 声明.那是Azure AD租户的ID.

If nothing else works, you can decode the access token and get the tid claim. That is the id for the Azure AD tenant.

您可以从以下位置找到令牌中的索赔文档:

You can find the documentation for the claims in tokens from here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

例如，这是 tid 的含义:

一个不变的，不可重用的标识符，用于标识发布令牌的目录租户.您可以使用此值来访问多租户应用程序中特定于租户的目录资源.例如，您可以使用此值来标识对Graph API的调用中的租户.

An immutable, non-reusable identifier that identifies the directory tenant that issued the token. You can use this value to access tenant-specific directory resources in a multi-tenant application. For example, you can use this value to identify the tenant in a call to the Graph API.

这篇关于如何使用Microsoft Graph API从用户配置文件中获取组织(租户)ID的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！