我如何从Azure AD获取帐户? [英] How do I get accounts from Azure AD?
问题描述
我有一个不错的Azure Active Directory,其中包含十二个用户.(我所有!)所以我有一个租户ID,客户ID和客户机密.
我还在一个简单的控制台应用程序上工作,该应用程序将充当此目录的公共客户端.该客户端还拥有一个用户名和密码列表,因为这只是一个简单的实验.不知道,我知道.但是我首先需要了解它的工作原理 ...
I have a nice Azure Active Directory set up with a dozen users. (All me!) So I have a Tenant ID, client ID and Client Secret.
I am also working on a simple console application that will function as a public client for this directory. This client also holds a list of usernames and passwords as this is just meant as a simple experiment. Not secure, I know. But I first need to understand how it works...
我这样做:
IConfidentialClientApplication client = ConfidentialClientApplicationBuilder
.CreateWithApplicationOptions(options).Build();
这将创建我的客户端应用程序.效果很好.
我还使用" https://graph.microsoft.com/.default 获得令牌.可以使用它来获取所有用户为JSON:
And this creates my client app. Works fine.
I also get a token using "https://graph.microsoft.com/.default" and can use this to get all users as JSON:
string result = await GetHttpContentWithToken("https://graph.microsoft.com/v1.0/users",
token.AccessToken);
尽管我可能希望它更加人性化,但JSON目前还是可以的.
Although I might want it to be more user-friendly, JSON is fine for now.
如何检查用户是否是授权用户?
而且,我不想要需要各种nuget程序包的复杂解决方案.只是一个简单而简单的分步说明.我可能可以用Google查到,但是最终得到了数千个结果,但是没有一个有用的结果……这应该很容易,对吧?
How can I check if user is an authorized user?
And no, I don't want complex solutions that require various nuget packages. Just a plain and simple step-by-step explanation. I could probably Google this but I ended up with thousands of results and none were helpful... This should be easy, right?
我首先想获得由于错字而失败的用户列表……(默认"之前有一个小点...)
I first wanted to get a list of users nut that failed because of a typo... (There's a dot before 'default'...)
推荐答案
虽然花了一些时间,但毕竟不太困难.Azure周围有很多库,但基本上基本上都是一堆HTTP请求和响应.即使在控制台应用程序中...我首先开始制作PublicClientApplicationBuilder:
It took some fooling around but it's not too difficult after all. There are a lot of libraries around Azure but it is all basically just a bunch of HTTP requests and responses. Even in a console application... I started with making a PublicClientApplicationBuilder first:
var options = new PublicClientApplicationOptions()
{
ClientId = <**clientid**>,
TenantId = <**tenantid**>,
AzureCloudInstance = AzureCloudInstance.AzurePublic,
};
var client = PublicClientApplicationBuilder.CreateWithApplicationOptions(options).Build();
我还可以创建一个ConfidentialClientClientApplication,但这允许我以交互方式登录(如果需要).
I can also create a ConfidentialClientApplication instead, but this allows me to log in interactively, if need be.
下一步,设置范围:
var scopes = new List<string>() { "https://graph.microsoft.com/.default" };
由于我想使用用户名和密码登录,因此必须使用以下名称:
As I wanted to log in using username and password, I have to use this:
var token = await client.AcquireTokenInteractive(scopes).ExecuteAsync();
但是,如果我想使用代码登录,也可以使用以下代码:
But if I want to log in using code, I can also use this:
var password = new SecureString();
foreach (var c in <**password**>) { password.AppendChar(c); }
var token = await client.AcquireTokenByUsernamePassword(scopes, <**account**>, password).ExecuteAsync();
在这一点上,我已被授权为指定用户.所以,现在我所需要的就是用JSON字符串获取我喜欢的任何数据...
At this point, I'm authorized as the specified user. So, now all I need is to get whatever data I like, in JSON strings...
public static async Task<string> ExecCmd(string name, string url, string token)
{
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", token);
string result = await GetHttpContentWithToken(url, token);
JObject json = JsonConvert.DeserializeObject(result) as JObject;
File.WriteAllText(name, json.ToString());
return result;
}
由于我只想将数据读取为文本文件,因此我仅使用特定的代码执行操作并将其作为格式化的JSON写入文件中.因此,使用这种简单的方法,我现在可以使用:
As I just want to read the data as text files, I just execute the action in using a specific and write it as formatted JSON to the file . So, using this simple method I can now use this:
await ExecCmd("Profile.txt", "https://graph.microsoft.com/v1.0/me/", token.AccessToken);
await ExecCmd("Groups.txt", "https://graph.microsoft.com/v1.0/groups", token.AccessToken);
await ExecCmd("Users.txt", "https://graph.microsoft.com/v1.0/users", token.AccessToken);
这些将为我提供(1)当前用户的个人资料,(2)AD组和(3)AD用户.可能还有更多...如果需要,我可以使用此ExecCmd检索更多数据.但是还有其他需要注意的地方!为了使所有这些正常工作,您还需要配置Azure应用程序,并确保分配并批准了所有访问权限!因此,在Azure AD中,您必须添加应用程序注册"并弄乱设置...(Azure专家现在非常震惊,但是当您要学习时,只需尝试失败就可以了,直到您成功...)还要为注册的应用程序将默认客户端类型"设置为公共客户端".在Azure中,使用已注册的应用程序,还需要设置适当的API权限!否则,您将无权访问.并且,由于要访问Active Directory,因此需要向"Azure Active Directory图"添加权限.我可以在Azure内执行此操作,也可以在调用AcquireTokenInteractive()时使用范围来完成此操作.例如,通过使用" https://graph.windows.net/Directory.Read.All ",而不是" https://graph.windows.net/.default ".交互式访问令牌后,您还可以使用client.AcquireTokenSilent()获得更多令牌.从这里开始有点棘手,特别是如果您想访问许多不同的项目.幸运的是,Active Directory主要是目录本身,组,用户和成员.就个人而言,我更喜欢从Azure网站授予访问权限,但这很有趣.无论如何,我想使用Azure验证用户,现在我知道该怎么做了.仍然有很多问题,但这基本上回答了我的问题.我将用它作为答案,因为其他人可能会发现它有用...
These will provide me with (1) the profile of the current user, (2) the AD groups and (3) the AD users. And probably a bit more... I can use this ExecCmd to retrieve a lot more data, if I want to. But there's something else to keep in mind! For it all to work, you also need to configure the Azure application and make sure all access rights are assigned and approved! So, in Azure AD you have to add an "App registration" and fiddle around with the settings... (The Azure experts are horribly shocked now, but when you want to learn, you'd just have to try and fail until you succeed...) Also set "Default client type" to "public client" for the registered app. In Azure, with the registered app, you also need to set the proper API permissions! Otherwise, you won't have access. And as I want access to Active Directory, I need to add permissions to "Azure Active Directory Graph". I can do this inside Azure or by using the scope when I call AcquireTokenInteractive(). For example, by using "https://graph.windows.net/Directory.Read.All" instead of "https://graph.windows.net/.default". Once you've accessed a token interactively, you can also get more tokens using client.AcquireTokenSilent(). It gets a bit tricky from here, especially if you want to access a lot of different items. Fortunately, Active Directory is mostly the directory itself, groups, users and members. Personally, I prefer to grant access from the Azure website but this is quite interesting. Anyways, I wanted to authenticate users with Azure and now I know how to do this. It still leaves a lot more questions but this all basically answers my question... I'll use this as answer, as others might find it useful...
这篇关于我如何从Azure AD获取帐户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
