How to get the organization (tenant) id from user profile using the Microsoft Graph API


Problem description

I'm creating an add-in that I intend to sell using organizational licenses.

I have implemented an authentication scheme on the add-in. I'm currently asking for the User.Read scope to make sure authentication goes through the Azure v2 endpoint. To get the user's information I'm querying

https://graph.microsoft.com/v1.0/me

To properly test for the user's license I need to extract the user's organization's identification. However, the user information I receive from the Graph request is incredibly lean. For an AAD account the schema looks something like:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  businessPhones: [],
  displayName: "FirstName LastName",
  givenName: "FirstName",
  id: "unique-id",
  jobTitle: null,
  mail: "First.LastName@COMPANYDOMAIN.COM",
  mobilePhone: null,
  officeLocation: null,
  preferredLanguage: null,
  surname: "LastName",
  userPrincipalName: "FILastName@COMPANYDOMAIN.COM"
}

If I use

https://graph.microsoft.com/BETA/me

I get more information, but nothing that helps me pin down a unique id for the user's organization.

Is there a different scope I need to use to get information about the user's organization? And if there is not, can I rely on parsing the domain name from the user's email as a unique id for the user's organization? Do I need to query a different API?

In case it helps, after the user authenticates with AD, I receive the following response:

{
    access_token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEWDhHQ2k2SnM2U0s4MlRzRDJQYjdyN1VLTzdJSDJSLWpTcmpScU9..."
    expires_at: Fri May 18 2018 07: 18: 42 GMT - 0400(Eastern Daylight Time) {}
    expires_in: "3599"
    provider: "Microsoft"
    scope: "https://graph.microsoft.com/User.Read"
    session_state: "012f4565-31bb-..."
    state: "259309..."
    token_type: "Bearer"
}

Update: The full AD response using https://graph.microsoft.com/BETA/me

{
    @odata.context: "https://graph.microsoft.com/beta/$metadata#users/$entity",
    accountEnabled: true,
    ageGroup: null,
    assignedLicenses: [],
    assignedPlans: [],
    businessPhones: [],
    city: null,
    companyName: null,
    consentProvidedForMinor: null,
    country: null,
    deletedDateTime: null,
    department: null,
    deviceKeys: [],
    displayName: "FirstName LastName",
    employeeId: null,
    givenName: "FirstName",
    id: "ebdcf715-43c5-4f48-ad0d-b798a3330849",
    imAddresses: [],
    jobTitle: null,
    legalAgeGroupClassification: null,
    mail: "FirstName.LastName@COMPANYDOMAIN.COM",
    mailNickname: "FirstName.LastName",
    mobilePhone: null,
    officeLocation: null,
    onPremisesDomainName: "COMPANYDOMAIN.COM",
    onPremisesExtensionAttributes: {
        …
    },
    onPremisesImmutableId: "...RVWAty...",
    onPremisesLastSyncDateTime: "2018-05-10T18:13:45Z",
    onPremisesProvisioningErrors: [],
    onPremisesSamAccountName: "FILastName",
    onPremisesSecurityIdentifier: "...-21-1412366426-...",
    onPremisesSyncEnabled: true,
    onPremisesUserPrincipalName: "FILastName@COMPANYDOMAIN.COM",
    passwordPolicies: "DisablePasswordExpiration",
    passwordProfile: null,
    postalCode: null,
    preferredDataLocation: null,
    preferredLanguage: null,
    provisionedPlans: [],
    proxyAddresses: [],
    refreshTokensValidFromDateTime: "2018-05-10T17:54:45Z",
    showInAddressList: null,
    state: null,
    streetAddress: null,
    surname: "LastName",
    usageLocation: "US",
    userPrincipalName: "FILastName@COMPANYDOMAIN.COM",
    userType: "Member"
}

Update: the access_token decoded with jwt.ms (claim values redacted)

{
  "typ": "",
  "nonce": "",
  "alg": "",
  "x5t": "",
  "kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}.{
  "aud": "",
  "iss": "",
  "iat": "",
  "nbf": "",
  "exp": "",
  "acr": "",
  "aio": "",
  "amr": [
    "pwd"
  ],
  "app_displayname": "",
  "appid": "",
  "appidacr": "",
  "family_name": "",
  "given_name": "",
  "ipaddr": "",
  "name": "",
  "oid": "",
  "onprem_sid": "",
  "platf": "",
  "puid": "",
  "scp": "",
  "sub": "",
  "tid": "",
  "unique_name": "",
  "upn": "",
  "uti": "",
  "ver": "1.0"
}.[Signature]

Recommended answer

If nothing else works, you can decode the access token and get the tid claim. That is the id of the Azure AD tenant.

You can find the documentation for the claims in tokens here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

For example, tid is defined as follows:

An immutable, non-reusable identifier that identifies the directory tenant that issued the token. You can use this value to access tenant-specific directory resources in a multi-tenant application. For example, you can use this value to identify the tenant in a call to the Graph API.
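Reading the tid claim the way the answer describes, as an added example that is not part of the original question or answer: the JWT payload is base64url-decoded and the claim is read without verifying the signature, so the result can select a tenant-specific code path but is not proof of anything until the token is validated server-side. The sample token, its kid, and the placeholder tenant id are constructed here; the code targets Node.js (Buffer).

```javascript
// Added example: read the "tid" claim from a compact JWT (header.payload.signature).
// Node.js; in a browser replace Buffer with atob()/btoa().

function base64UrlDecode(segment) {
  // JWT segments are base64url (RFC 7515): '-' and '_' replace '+' and '/',
  // and padding is dropped. Restore standard base64 before decoding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the tenant id (tid claim) or null when the claim is absent.
// This only reads the claim; the signature is NOT checked. A licensing
// decision must happen on the server after validating the signature (key
// selected by the "kid" header) and the aud/iss/exp claims, otherwise the
// client can present any tid it likes.
function getTenantIdFromToken(token) {
  const claims = decodeJwtPayload(token);
  return typeof claims.tid === 'string' ? claims.tid : null;
}

// ---- constructed sample token (not a real Azure AD token) ----------------
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const SAMPLE_TENANT_ID = '00000000-0000-0000-0000-000000000000'; // placeholder
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256', kid: 'constructed-kid' })),
  base64UrlEncode(JSON.stringify({
    aud: 'https://graph.microsoft.com', scp: 'User.Read', ver: '1.0', tid: SAMPLE_TENANT_ID,
  })),
  'fake-signature', // placeholder; a real token carries an RS256 signature here
].join('.');

console.log(getTenantIdFromToken(SAMPLE_TOKEN)); // prints the placeholder tenant id
```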
