使用 Graph API 以编程方式将用户分配给 Azure AD 应用程序 [英] Programmatically assign users to Azure AD Application using Graph API
问题描述
我正在尝试编写脚本以使用 Graph API 将用户分配给 Azure AD 应用程序 (servicePrincipal).我正在我的沙箱中测试这个,我已经定义了应用程序并将用户分配给它.但是,当我查询 servicePrincipal 时,我在响应中的任何地方都看不到用户.
I am trying to write a script to assign users to an Azure AD application (servicePrincipal) using Graph API. I am testing this in my sandbox, where I have defined the app and assigned users to it. However, when I query the servicePrincipal, I don't see the users anywhere in the response.
问题:
基于文档,不是应该有
appRoleAssignment吗?
文档说这个字段是只读的,那么你应该如何分配用户?
The documentation says this field is read-only, so how are you supposed to assign users?
推荐答案
查询Graph API时可以通过导航属性获取用户的appRoleAssignments:
You can get the appRoleAssignments of a user via the navigation property when querying the Graph API:
https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6
您可以通过 HTTP POST 来创建分配:
You can create assignments by making an HTTP POST to:
https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6
您需要发送的对象如下所示:
The object that you need to send looks like this:
{
"id": "id-of-role",
"principalId": "objectId-of-user",
"resourceId": "objectId-of-service-principal"
}
如果您的应用没有任何角色,但您仍然想分配一个用户,那么您似乎可以将 id 设置为全零:
If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:
如果资源未声明任何权限,则必须指定默认 ID(零 GUID).
Where the resource does not declare any permissions, a default id (zero GUID) must be specified.
比如:
{
"id":"00000000-0000-0000-0000-000000000000",
"resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
"principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"
}
这篇关于使用 Graph API 以编程方式将用户分配给 Azure AD 应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
