使用Microsoft Graph API检索Azure AD应用程序的用户详细信息和角色 [英] Retrieve User Details and Roles for an Azure AD application using Microsoft Graph API

问题描述

我正在尝试使用Microsoft Graph API获取Azure AD中特定企业应用程序的用户详细信息.

I'm attempting to get user details for a particular enterprise application in Azure AD, using the Microsoft Graph API.

我能够使用以下方法成功检索应用程序的用户:

I'm able to successfully retrieve users of the application using:

https://graph.microsoft.com/v1.0/servicePrincipals/{objectId}/appRoleAssignedTo

但是，用户详细信息被遗漏了；例如联系方式，电子邮件.对于分配给用户的每个角色，它也具有重复的条目.

However, the users details are left out; such as, contact details, email. It also has a duplicate entry for each role assigned to a user.

如果我查询，我就能获得这些用户的详细信息

I'm able to get these user details if I query:

https://graph.microsoft.com/v1.0/users

但是，这会检索组织中的所有用户，但是我无法成功过滤给定应用程序的查询中的列表.

However, this retrieves all users in the organization, and I've not been successful with filtering the list in the query for a given application.

使用$ expand运算符似乎也未实现.

Using the $expand operator does not seem implemented either.

看起来，这将是应用程序的常见用例；我的用户是谁，他们的角色和详细信息是什么?使用Graph API的最佳方法是什么?

Seems like this would be a common use case for an application; Who are my users and what are their roles and details? How would one best approach this with the Graph API?

推荐答案

单独

您可以获取 appRoles .

https://graph.microsoft.com/v1.0/serviceprincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53

并检查appRoles属性.

and check the appRoles property.

您可以使用以下查询获取用户详细信息.

And you can get the user details using the below query.

https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c

然后您可以使用以下查询获取组的详细信息.

And you can get the group details using the below query.

https://graph.microsoft.com/v1.0/groups/0023c709-3556-4296-a6ab-6df2a0a1113c

在您的情况下，您需要拨打与您指定的电话相同的电话

In your case you need to call the same call that you specified

https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo

这将返回所有分配给应用程序角色的用户和组，您可以从这些

This will return all the users and groups assigned app roles and you can pull the principal id from these app role assignment objects as shown below which are nothing but the userid of the user that the role was assigned to and in the groups case its the group id of the group which gives the group details.

您可以按主体类型区分用户和组，并根据其可以调用上述http调用(用户或组)并获取这些详细信息.

You can differentiate user and group by principaltype and according to that you can call the above http calls(User or group) and get those details.

重复的代码需要在我们这一端进行编码，以免发生.

The duplicate ones need to be coded on our end to avoid it.

我的示例JSON数据:-

My Example JSON Data:-

For getting users and groups assigned app roles
GET https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('07fce81e-8069-4ccb-9775-63f96d1f4e53')/appRoleAssignedTo",
    "value": [
        {
            "id": "zAXxTotQxEGl0n1B8iRMTPwz3O48iw9Oq3aFtqfYVjA",
            "deletedDateTime": null,
            "appRoleId": "00000000-0000-0000-0000-000000000000",
            "createdDateTime": "2020-06-01T19:21:01.4268687Z",
            "principalDisplayName": "Nishant Singh",
            "principalId": "4ef105cc-508b-41c4-a5d2-7d41f2244c4c",
            "principalType": "User",
            "resourceDisplayName": "testspaquestion",
            "resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
        },
        {
            "id": "Y3tbwNOvDkqKK9yLxJ5wp2-uBAbApk9LoMs6AN_7iSs",
            "deletedDateTime": null,
            "appRoleId": "00000000-0000-0000-0000-000000000000",
            "createdDateTime": "2020-06-01T18:47:47.2702435Z",
            "principalDisplayName": "Sruthi J",
            "principalId": "c05b7b63-afd3-4a0e-8a2b-dc8bc49e70a7",
            "principalType": "User",
            "resourceDisplayName": "testspaquestion",
            "resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
        },
        {
            "id": "CccjAFY1lkKmq23yoKERPBqNLldhOdBAm0lJzewK0Nk",
            "deletedDateTime": null,
            "appRoleId": "00000000-0000-0000-0000-000000000000",
            "createdDateTime": "2020-07-23T17:34:53.9538274Z",
            "principalDisplayName": "Bgroup",
            "principalId": "0023c709-3556-4296-a6ab-6df2a0a1113c",
            "principalType": "Group",
            "resourceDisplayName": "testspaquestion",
            "resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
        }
    ]
}

查询完上述内容后，提取每个记录的主体ID，并根据主体类型相应地调用用户端点或组端点.

After querying the above, pull the principalid of each record and accordingly call user endpoint or group endpoint according to principaltype.

Get https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c //principalId

如果您有任何疑问，请告诉我.

Let me know if you have any queries.

这篇关于使用Microsoft Graph API检索Azure AD应用程序的用户详细信息和角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！