Can a MS Graph background/daemon app impersonate a user account without user interaction
Question

Can a MS Graph daemon application impersonate a user account (my account) for a call without user interaction?
Background

- I'm intending to use the /search/query endpoint, which doesn't support application permissions.
- The app/principal does have the required delegated permissions, with tenant-wide consent.
- The same user account (mine) will make each call requiring delegated permission.
- I can't run the app with the ROPC authentication flow since we use MFA.
- This can't be a browser application - the intent is to have it run without user interaction. It's being run using an Azure function.
- Attempting the on-behalf-of auth flow "appears" to return a consent browser prompt despite tenant-wide consent seemingly active via the Azure portal. I may be going about it incorrectly though.
- Attempting the auth code flow also appears to return a consent browser despite the prompt=none parameter being set. I may also be going about this one incorrectly.
Goal

The intent is to get the SharePoint membership for a large list of users for site collections and subsites - specifically sites they're active in (hopefully also down to list/library memberships). I'm open to alternate approaches.

My current approach is to use the /search/query endpoint across the tenant to identify recently created/modified content for each user, then pull site information from the results - and hopefully also granular list/library/content permissions for each user. There are a significant number of sites and subsites to comb through, so it may be inefficient to attempt looping through membership rosters for each site.
Recommended answer

- You can use the client credentials flow for this scenario, where daemon apps call MS Graph without user interaction.
- The code sample which can help you was here and was developed in Python.
- Instead of /search/query you can use the $filter query parameter. Please refer to MS Docs for more information.
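The answer points at the client credentials grant. As an added example (not the answerer's linked sample, and not code from the original post), the block below shows the two pieces a practitioner wants when debugging this situation: how the app-only token request to the v2.0 endpoint is formed, and a check of which permission model a returned Graph token actually carries. Tokens issued through client credentials carry a `roles` claim (application permissions), whereas tokens issued for a signed-in user carry `scp` (delegated permissions); since the question states that /search/query only honours delegated permissions, inspecting the claims tells you whether a given token can ever satisfy that endpoint before you start chasing consent prompts. The tenant, client id and secret are placeholders, the sample JWTs are constructed locally and unsigned, and `token_permission_model` decodes claims without verifying the signature (it is a diagnostic, not an authorization check).

```python
import base64
import json
import urllib.parse
import urllib.request

# The /.default scope requests every application permission the app has been
# granted admin consent for in the tenant (client credentials grant).
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (token_endpoint, form_body) for the OAuth 2.0 client credentials grant.

    tenant_id/client_id/client_secret are caller-supplied placeholders; nothing
    here is taken from the original post.
    """
    token_endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form_body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    }
    return token_endpoint, form_body


def request_app_only_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """POST the grant to Microsoft Entra and return the access token (requires network)."""
    url, body = build_client_credentials_request(tenant_id, client_id, client_secret)
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def token_permission_model(access_token: str) -> str:
    """Classify a Graph access token by its claims WITHOUT verifying the signature.

    'scp'   -> delegated permissions (token issued on behalf of a signed-in user)
    'roles' -> application permissions (token from the client credentials grant)
    Anything else carries no Graph permission at all.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    if "scp" in payload:
        return "delegated"
    if "roles" in payload:
        return "application"
    return "none"


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT for offline demonstration only.

    The signature segment is a fixed placeholder; real tokens must be validated
    by the resource server, which is why token_permission_model is diagnostic only.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.signature-placeholder"


if __name__ == "__main__":
    # Constructed examples: what an app-only token and a delegated token look like.
    app_only = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"]})
    delegated = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "Sites.Read.All User.Read"})
    print("app-only token  ->", token_permission_model(app_only))   # application
    print("delegated token ->", token_permission_model(delegated))  # delegated
    url, body = build_client_credentials_request("tenant-id-placeholder", "client-id-placeholder", "secret-placeholder")
    print("token endpoint  ->", url)
```

If `token_permission_model` reports "application" for the token your Azure Function obtains, that token was issued under the client credentials grant and carries no `scp` claim, which is the kind of mismatch to check first whenever an endpoint that needs delegated permissions rejects a daemon's calls.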