Retrieve User Details and Roles for an Azure AD application using Microsoft Graph API


Question

I'm attempting to get user details for a particular enterprise application in Azure AD, using the Microsoft Graph API.

I'm able to successfully retrieve users of the application using:

https://graph.microsoft.com/v1.0/servicePrincipals/{objectId}/appRoleAssignedTo

However, the users' details are left out, such as contact details and email. It also has a duplicate entry for each role assigned to a user.

I'm able to get these user details if I query:

https://graph.microsoft.com/v1.0/users

However, this retrieves all users in the organization, and I've not been successful with filtering the list in the query for a given application.

Using the $expand operator does not seem to be implemented either.

This seems like it would be a common use case for an application: who are my users, and what are their roles and details? How would one best approach this with the Graph API?

Answer


You can get the appRoles of an Azure AD application using the query below:

https://graph.microsoft.com/v1.0/serviceprincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53

and check the appRoles property.

You can get the user details using the query below:

https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c

You can get the group details using the query below:

https://graph.microsoft.com/v1.0/groups/0023c709-3556-4296-a6ab-6df2a0a1113c

In your case you need to make the same call that you specified:

https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo

This will return all the users and groups that have been assigned app roles, and you can pull the principalId from these app role assignment objects as shown below. For a user it is nothing but the user ID of the user the role was assigned to; in the group case it is the group ID of the group, which gives you the group details.

You can differentiate users from groups by principalType and, according to that, make the corresponding HTTP call above (user or group) to get those details.

The duplicate ones need to be handled in our own code to avoid them.

My example JSON data:

For getting users and groups assigned app roles
GET https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('07fce81e-8069-4ccb-9775-63f96d1f4e53')/appRoleAssignedTo",
    "value": [
        {
            "id": "zAXxTotQxEGl0n1B8iRMTPwz3O48iw9Oq3aFtqfYVjA",
            "deletedDateTime": null,
            "appRoleId": "00000000-0000-0000-0000-000000000000",
            "createdDateTime": "2020-06-01T19:21:01.4268687Z",
            "principalDisplayName": "Nishant Singh",
            "principalId": "4ef105cc-508b-41c4-a5d2-7d41f2244c4c",
            "principalType": "User",
            "resourceDisplayName": "testspaquestion",
            "resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
        },
        {
            "id": "Y3tbwNOvDkqKK9yLxJ5wp2-uBAbApk9LoMs6AN_7iSs",
            "deletedDateTime": null,
            "appRoleId": "00000000-0000-0000-0000-000000000000",
            "createdDateTime": "2020-06-01T18:47:47.2702435Z",
            "principalDisplayName": "Sruthi J",
            "principalId": "c05b7b63-afd3-4a0e-8a2b-dc8bc49e70a7",
            "principalType": "User",
            "resourceDisplayName": "testspaquestion",
            "resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
        },
        {
            "id": "CccjAFY1lkKmq23yoKERPBqNLldhOdBAm0lJzewK0Nk",
            "deletedDateTime": null,
            "appRoleId": "00000000-0000-0000-0000-000000000000",
            "createdDateTime": "2020-07-23T17:34:53.9538274Z",
            "principalDisplayName": "Bgroup",
            "principalId": "0023c709-3556-4296-a6ab-6df2a0a1113c",
            "principalType": "Group",
            "resourceDisplayName": "testspaquestion",
            "resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
        }
    ]
}

After querying the above, pull the principalId of each record and call the user endpoint or the group endpoint according to its principalType.

GET https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c //principalId

Let me know if you have any queries.
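As an added, offline example (not code from the answer above or from Microsoft), the following Python carries the answer's procedure through: it takes the appRoleAssignedTo payload, merges the one-row-per-role duplicates into a single record per principal, names each role from the servicePrincipal's appRoles list, and builds the follow-up /users/{id} or /groups/{id} request for each principalType, using $select so that only the contact fields the question asked for are pulled. The appRoles list, the "Admin" role id and the fourth (duplicate) assignment row are constructed for the example; the three other rows mirror the answer's sample. No HTTP calls are made; the script only builds the URLs. Note that the two calls need different Graph permissions (Application.Read.All or Directory.Read.All for appRoleAssignedTo; User.Read.All or Directory.Read.All for /users/{id}), so a least-privilege app registration should request only those.

```python
"""Collapse a Graph appRoleAssignedTo listing into one record per principal and
build the follow-up /users or /groups lookups.

Added example for this thread, not code from the original answer or from
Microsoft. Works offline on the answer's sample payload (embedded below, with
one constructed extra row); no HTTP calls are made, only the URLs are built.
"""
from typing import Dict, Iterable, List

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph uses the all-zero appRoleId for "default access" assignments, i.e. the
# principal was assigned to an app that defines no app roles.
DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed appRoles list in the shape returned on GET /servicePrincipals/{id}.
# The "Admin" role id here is invented for the example.
SAMPLE_APP_ROLES = [
    {"id": "11111111-1111-1111-1111-111111111111",
     "value": "Admin", "displayName": "Administrator"},
]

SP_ID = "07fce81e-8069-4ccb-9775-63f96d1f4e53"


def _row(pid, name, ptype, role_id):
    return {"appRoleId": role_id, "principalId": pid, "deletedDateTime": None,
            "principalDisplayName": name, "principalType": ptype,
            "resourceId": SP_ID, "resourceDisplayName": "testspaquestion"}


# One page of appRoleAssignedTo, reduced to the fields used below. The first
# three rows mirror the answer's sample; the fourth is a constructed second
# assignment for the same user, the "duplicate entry per role" the question saw.
SAMPLE_PAGE = {"value": [
    _row("4ef105cc-508b-41c4-a5d2-7d41f2244c4c", "Nishant Singh", "User", DEFAULT_APP_ROLE_ID),
    _row("c05b7b63-afd3-4a0e-8a2b-dc8bc49e70a7", "Sruthi J", "User", DEFAULT_APP_ROLE_ID),
    _row("0023c709-3556-4296-a6ab-6df2a0a1113c", "Bgroup", "Group", DEFAULT_APP_ROLE_ID),
    _row("4ef105cc-508b-41c4-a5d2-7d41f2244c4c", "Nishant Singh", "User",
         "11111111-1111-1111-1111-111111111111"),
]}


def role_name(app_role_id: str, app_roles: List[dict]) -> str:
    """Map an appRoleId to the role's 'value'; unknown ids are returned raw."""
    if app_role_id == DEFAULT_APP_ROLE_ID:
        return "(default access)"
    for role in app_roles:
        if role["id"] == app_role_id:
            return role["value"]
    return app_role_id


def collapse_assignments(pages: Iterable[dict], app_roles: List[dict]) -> Dict[str, dict]:
    """One entry per principalId with the set of role names merged.

    `pages` is every page of the listing: a real client must follow
    '@odata.nextLink' and feed each page here, or later pages are silently lost.
    """
    out: Dict[str, dict] = {}
    for page in pages:
        for a in page.get("value", []):
            if a.get("deletedDateTime"):      # soft-deleted assignment, skip
                continue
            entry = out.setdefault(a["principalId"], {
                "displayName": a["principalDisplayName"],
                "principalType": a["principalType"],
                "roles": set(),
            })
            entry["roles"].add(role_name(a["appRoleId"], app_roles))
    return out


def detail_url(principal_id: str, principal_type: str) -> str:
    """Follow-up call for the principal, with $select limiting the fields pulled."""
    ptype = principal_type.lower()
    if ptype == "user":
        return (f"{GRAPH}/users/{principal_id}"
                "?$select=id,displayName,userPrincipalName,mail,mobilePhone")
    if ptype == "group":
        return f"{GRAPH}/groups/{principal_id}?$select=id,displayName,mail"
    if ptype == "serviceprincipal":
        return f"{GRAPH}/servicePrincipals/{principal_id}"
    raise ValueError(f"unexpected principalType: {principal_type!r}")


def plan_lookups(collapsed: Dict[str, dict]) -> List[dict]:
    """Flatten the collapsed map into rows ready to be fetched and reported."""
    return [{"principalId": pid, "principalType": e["principalType"],
             "displayName": e["displayName"], "roles": sorted(e["roles"]),
             "url": detail_url(pid, e["principalType"])}
            for pid, e in sorted(collapsed.items(), key=lambda kv: kv[1]["displayName"])]


if __name__ == "__main__":
    for row in plan_lookups(collapse_assignments([SAMPLE_PAGE], SAMPLE_APP_ROLES)):
        print(f'{row["principalType"]:5} {row["displayName"]:15} {row["roles"]}  -> {row["url"]}')
```

A group assignment is reported as one row for the group itself, exactly as the answer describes; if the individual users behind it are needed, Graph's /groups/{id}/transitiveMembers endpoint lists them, and the same collapse-by-principalId step removes a user who appears both directly and through a group.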

