Azure AD - 检索本地 AD 组公用名 [英] Azure AD - Retrieve a On-Prem AD Group Common Name
问题描述
我有一个应用程序需要根据其本地 AD 公用名过滤权限.几点说明:
I have an application that needs to filter permissions based on their on-prem AD common name. Couple of notes:
- Azure AD Connect 正在 OnPrem AD 和 Azure 之间同步数据
- 我已成功将已登录用户的组信息从 Azure Graph API 检索到 Web 应用程序中.
我遇到的问题是从 Graph API 返回的数据不是我需要的,或者我没有正确配置 Azure AD Connect.记录组的 Graph API JSON 返回对象 这里.
The problem I'm having is the data returned from Graph API is not what I need or I have not properly configured Azure AD Connect properly. The Graph API JSON return object for groups is documented here.
这是从 Graph API 返回的 Group 对象:
Here is the Group object returned from Graph API:
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Group/@Element",
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"objectId": "b4bda672-1fba-4711-8fb1-5383c40b2c14",
"deletionTimestamp": null,
"description": "Marketing Department",
"dirSyncEnabled": null,
"displayName": "Marketing",
"lastDirSyncTime": null,
"mail": null,
"mailNickname": "BposMailNickName",
"mailEnabled": false,
"onPremisesSecurityIdentifier": null,
"provisioningErrors": [],
"proxyAddresses": [],
"securityEnabled": true
}我能找到的最接近的是显示名称",但这不是通用名称.我不想使用的一个选项是使所有显示名称"与组 CN 相同.
The closest thing I can find is "Display Name" but this is not the Common Name. An option, one I don't want to use, is make all of the "Display Names" the same as the group CN.
TLDR;是否可以通过 Graph API 访问用户组 CN,如果可以,我如何获取这些数据?
TLDR; Is a user groups CN accessible through Graph API and if so, how can I get to this data?
-更新:一旦我检索到所有用户组 ID,我将使用 Graph API 端点 getObjectsByObjectIds 来访问 Graph API.
-Update: I'm using the Graph API endpoint getObjectsByObjectIds to hit Graph API once I have retrieve all of the Users Group Ids.
推荐答案
无法通过 Graph API(AAD 或 Microsoft Graph)访问 CN.如果您正在寻找本地和云之间的通用唯一标识符,您可以使用本地组 SID(在云 onPremisesSecurityIdentifier 中).此属性是可过滤的.
CN is not accessible through Graph API (AAD or Microsoft Graph). If you are looking for a common unique identifier between on-premises and the cloud the you could use the on-premises group SID (in the cloud onPremisesSecurityIdentifier). This property is filterable.
我能想到的唯一其他选择(如果这是不可接受的并且您真的需要 CN)是使用 目录架构扩展,使用额外的 CN 属性扩展组实体.模式扩展也是可过滤的.另请查看最新的 AD Connect 版本,因为我相信它们提供了从本地创建/配置 AAD 云架构扩展和映射的能力.
The only other option I can think of (if that's not acceptable and you really need CN) is to use directory schema extensions, to extend the group entity with an additional CN property. Schema extensions are also filterable. Please also take a look at the latest AD Connect versions, as I believe they offer the ability to create/configure AAD cloud schema extensions and map from on-premises.
希望对你有帮助,
这篇关于Azure AD - 检索本地 AD 组公用名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
