How to get the organization (tenant) id from user profile using the Microsoft Graph API
Question
I'm creating an add-in that I want to sell using organizational licenses.
I have implemented an authentication scheme on the add-in. I'm currently asking for the User.Read scope to make sure I'm authenticating using the Azure v2 endpoint. To get the user's information I'm querying
https://graph.microsoft.com/v1.0/me
To properly test for the user's license I need to extract the user's organization's identification. However, the user information I receive from the Graph request is incredibly lean. For an AAD account the schema looks something like:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
businessPhones: [],
displayName: "FirstName LastName",
givenName: "FirstName",
id: "unique-id",
jobTitle: null,
mail: "First.LastName@COMPANYDOMAIN.COM",
mobilePhone: null,
officeLocation: null,
preferredLanguage: null,
surname: "LastName",
userPrincipalName: "FILastName@COMPANYDOMAIN.COM"
}
If I use
https://graph.microsoft.com/BETA/me
I get more information, but nothing that helps me pin down a unique id on the user's organization.
Is there a different scope I need to use to get information for the user's organization? And if there is not, can I rely on parsing the domain name from the user's email as a unique id for the user's organization? Do I need to query a different API?
In case it helps, after the user authenticates with AD, I receive the following response:
{
access_token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEWDhHQ2k2SnM2U0s4MlRzRDJQYjdyN1VLTzdJSDJSLWpTcmpScU9..."
expires_at: Fri May 18 2018 07:18:42 GMT-0400 (Eastern Daylight Time) {}
expires_in: "3599"
provider: "Microsoft"
scope: "https://graph.microsoft.com/User.Read"
session_state: "012f4565-31bb-..."
state: "259309..."
token_type: "Bearer"
}
Update: The full AD response using https://graph.microsoft.com/BETA/me
{
@odata.context: "https://graph.microsoft.com/beta/$metadata#users/$entity",
accountEnabled: true,
ageGroup: null,
assignedLicenses: [],
assignedPlans: [],
businessPhones: [],
city: null,
companyName: null,
consentProvidedForMinor: null,
country: null,
deletedDateTime: null,
department: null,
deviceKeys: [],
displayName: "FirstName LastName",
employeeId: null,
givenName: "FirstName",
id: "ebdcf715-43c5-4f48-ad0d-b798a3330849",
imAddresses: [],
jobTitle: null,
legalAgeGroupClassification: null,
mail: "FirstName.LastName@COMPANYDOMAIN.COM",
mailNickname: "FirstName.LastName",
mobilePhone: null,
officeLocation: null,
onPremisesDomainName: "COMPANYDOMAIN.COM",
onPremisesExtensionAttributes: {
…
},
onPremisesImmutableId: "...RVWAty...",
onPremisesLastSyncDateTime: "2018-05-10T18:13:45Z",
onPremisesProvisioningErrors: [],
onPremisesSamAccountName: "FILastName",
onPremisesSecurityIdentifier: "...-21-1412366426-...",
onPremisesSyncEnabled: true,
onPremisesUserPrincipalName: "FILastName@COMPANYDOMAIN.COM",
passwordPolicies: "DisablePasswordExpiration",
passwordProfile: null,
postalCode: null,
preferredDataLocation: null,
preferredLanguage: null,
provisionedPlans: [],
proxyAddresses: [],
refreshTokensValidFromDateTime: "2018-05-10T17:54:45Z",
showInAddressList: null,
state: null,
streetAddress: null,
surname: "LastName",
usageLocation: "US",
userPrincipalName: "FILastName@COMPANYDOMAIN.COM",
userType: "Member"
}
Update: the access_token decoded using jwt.ms
{
"typ": "",
"nonce": "",
"alg": "",
"x5t": "",
"kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}.{
"aud": "",
"iss": "",
"iat": "",
"nbf": "",
"exp": "",
"acr": "",
"aio": "",
"amr": [
"pwd"
],
"app_displayname": "",
"appid": "",
"appidacr": "",
"family_name": "",
"given_name": "",
"ipaddr": "",
"name": "",
"oid": "",
"onprem_sid": "",
"platf": "",
"puid": "",
"scp": "",
"sub": "",
"tid": "",
"unique_name": "",
"upn": "",
"uti": "",
"ver": "1.0"
}.[Signature]
Answer
If nothing else works, you can decode the access token and get the tid claim. That is the id for the Azure AD tenant.
You can find the documentation for the claims in tokens from here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
For example, this is the meaning of tid:
An immutable, non-reusable identifier that identifies the directory tenant that issued the token. You can use this value to access tenant-specific directory resources in a multi-tenant application. For example, you can use this value to identify the tenant in a call to the Graph API.
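As an added example (not code from the question or the answer above), here is how an add-in can pull the tid claim out of a JWT-formatted access token like the one in the question: base64url-decode the middle segment, parse the JSON, and check that tid is present and GUID-shaped. The token built by buildSampleToken is constructed for the demo and carries a placeholder signature.

```javascript
// Decode one base64url segment of a compact JWS into raw bytes.
function base64UrlToBytes(segment) {
  // JWT segments use the base64url alphabet without '=' padding; restore both.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === 'function'
    ? atob(b64)                                        // browser / Office add-in
    : Buffer.from(b64, 'base64').toString('binary');   // Node fallback
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Return the claims object (the second segment) of header.payload.signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  const json = new TextDecoder('utf-8').decode(base64UrlToBytes(parts[1]));
  return JSON.parse(json);
}

// Azure AD tenant ids are GUIDs; reject anything else so a malformed token fails loudly.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function getTenantId(token) {
  const tid = decodeJwtPayload(token).tid;
  if (typeof tid !== 'string' || !GUID_RE.test(tid)) {
    throw new Error('token carries no valid tid claim');
  }
  return tid;
}

// --- constructed sample input for the demo (not a real Azure AD token) ---
function stringToBase64Url(str) {
  const bytes = new TextEncoder().encode(str);           // UTF-8, so non-ASCII names survive
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  const b64 = typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function buildSampleToken(claims) {
  const header = stringToBase64Url(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  const payload = stringToBase64Url(JSON.stringify(claims));
  return `${header}.${payload}.signature-placeholder`; // placeholder: not a valid signature
}

// Usage with a constructed tenant id (placeholder GUID, not a real tenant):
const sampleToken = buildSampleToken({ tid: '11111111-2222-3333-4444-555555555555', name: 'Zoë Ex', ver: '1.0' });
console.log(getTenantId(sampleToken)); // 11111111-2222-3333-4444-555555555555
```

Decoding is not verification: a client can read tid this way for display or routing, but a licence check that depends on it should validate the token's signature, audience, issuer and expiry on the server before trusting the claim.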