如何在 Graph Api 中使用 appRoleAssignment [英] How to use appRoleAssignment in Graph Api

问题描述

我正在尝试利用 beta api 将 azure 用户分配给应用程序.

I'm trying to leverage the beta api for assigning azure users to applications.

我查看了文档，并在使用 HttpClient 和 WebClient 的 C# 控制台应用程序中尝试了各种尝试，但均未成功.然后我去了 Microsoft 图形资源管理器 https://developer.microsoft.com/en-us/graph/graph-explorer .我无法让它工作.

I looked at the documentation and tried a variety of attempts in a C# console app using HttpClient and WebClient and couldn't succeed. I then went to the Microsoft graph explorer https://developer.microsoft.com/en-us/graph/graph-explorer . I couldn't get it to work.

我查看了文档https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/approleassignment_get

与示例不匹配的 HTTP 请求的实际文档.Graph Explorer 似乎暗示这个例子是正确的，但是通过各种尝试，我只能得到一个响应

The document's actual documentation of the HTTP request which doesn't match the Example. The Graph Explorer seems to hint that the example is correct, but through various attempts, I can only get a response of

{
    "error": {
        "code": "Request_UnsupportedQuery",
        "message": "Direct queries to this resource type are not supported.",
        ...
    }
}

我的基本网址是https://graph.microsoft.com/beta/appRoleAssignments/

示例中显示的是 {id}，但我不知道要输入什么.我输入了几个 guid、用户 ID、对象 ID、资源 ID，但都没有工作.

The example says {id} but I have no idea what to put in. I put in several guids, user ids, object ids, resource ids, and none worked.

它并没有说任何拒绝访问的消息，所以我认为它与 Scopes 无关(尽管文档也有点空洞).

It isn't saying any access denied messages so I assume it has nothing to do with Scopes (all though the documentation is a little empty regarding that as well).

理想情况下，我可以查看给定来宾 Azure 用户是否可以访问特定应用程序，然后我可以去更新分配.我可能还需要删除作业.

Ideally, I'd be able to see if for a given Guest Azure User has access to a particular App, then I'd be able to go and Update the assignment. I'll probably also need to delete the assignment as well.

推荐答案

Microsoft Graph API 的 beta 端点目前似乎不允许您列出 AppRoleAssignments.

幸运的是，Azure AD Graph API 确实为此工作(另外，它不是 beta 端点，所以它更有可能是稳定的).

Fortunately, the Azure AD Graph API does work for this (plus, it's not a beta endpoint, so it's more likely to be stable).

要列出用户分配给 Microsoft Graph 的所有应用角色:

To list all app roles a user is assigned with Microsoft Graph:

https://graph.microsoft.com/v1.0/users/{id}/appRoleAssignments

列出分配给一个组的所有应用角色:

To list all app roles a group is assigned:

https://graph.microsoft.com/v1.0/groups/{id}/appRoleAssignments

反过来，列出分配给应用的所有用户或组:

To do the reverse, and list all users or groups assigned to an app:

https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo

Azure AD Graph 已弃用，所有对它的支持将于 2022 年 6 月停止. 等效请求是(按与上述相同的顺序):

Azure AD Graph is deprecated and all support for it will cease in June 2022. The equivalent requests were (in the same order as above):

https://graph.windows.net/{tenant-id}/users/{id}/appRoleAssignments?api-version=1.6
https://graph.windows.net/{tenant-id}/groups/{id}/appRoleAssignments?api-version=1.6
https://graph.windows.net/{tenant-id}/servicePrincipals/{id}/appRoleAssignedTo?api-version=1.6

这篇关于如何在 Graph Api 中使用 appRoleAssignment的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！