REST API在Sharepoint上管理用户 [英] REST API to manage users on Sharepoint

问题描述

作为对>要管理的REST API的后续问题Skype for Business上的用户，我想了解

As a follow-up question to REST API to manage users on skype for business, I would like to understand how the Sharepoint Server User API differs from MS Graph API for Users. The Graph documentation indicates that we could use it to manage Sharepoint users the same way we would Office 365 users. However, there are standalone Sharepoint installations (like versions e.g. 2007, 2010, etc.,) which don't fall under Office 365 plans.

上面链接的Graph API Docs表示用户资源代表一个"Azure AD用户帐户".但是，Sharepoint用户文档说它代表"Microsoft SharePoint Foundation中的用户".这些用户彼此完全不同吗?

The Graph API Docs linked above says the User resource represents an "Azure AD user account". However, the Sharepoint User doc says it represents a "user in Microsoft SharePoint Foundation." Are these users entirely different from each other?

我们要做的就是为客户管理用户，其中一些用户已订阅Office 365，而另一些人仅使用独立的Sharepoint设置.我们不必为访问共享点文件，站点甚至管理Word文档，Excel工作表等应用程序特定的功能而烦恼，那么在这种情况下Graph API是否也支持管理用户?

All we're looking to do is manage users for our clients some of whom have subscriptions to Office 365 and some who just use standalone Sharepoint setup. We are not bothered about application specific features like Accessing the sharepoint files, sites or even managing Word documents, Excel sheets, etc., So, does the Graph API support managing users in such cases as well?

推荐答案

该API仅适用于SharePoint 2013 +

在您的问题中链接的用户管理REST API专用于SharePoint 2013，并且大概也可以在SharePoint 2016中使用.这与SharePoint环境是在内部还是在云中无关.

The user management REST API linked in your question is specifically for SharePoint 2013, and presumably works in SharePoint 2016 as well. This is regardless of whether the SharePoint environment is on premises or in the cloud.

就功能和特性而言，Office 365当前是SharePoint 2013/2016的子集.

Office 365 is currently a subset of SharePoint 2013/2016 in terms features and functionality.

请注意，SharePoint 2007和2010将没有此API.

Note that SharePoint 2007 and 2010 will not have this API.

SharePoint用户和Azure AD帐户不是同义词

请考虑SharePoint和AD可以彼此独立存在.

Consider that SharePoint and AD can exist independently of each other.

SharePoint 不需要使用Azure Active Directory进行身份验证.它可以使用传统的本地或云托管的Active Directory，或者从理论上(从2010版开始)可以使用除Active Directory之外的任何基于声明的身份验证提供程序.

SharePoint does not need to use Azure Active Directory for authentication. It can use a traditional on-premises or cloud-hosted Active Directory, or theoretically (starting with version 2010) can use any claims-based authentication provider aside from Active Directory.

SharePoint 2007和2010还可以支持基于简单表单的身份验证以及自定义身份验证提供程序，但是如上所述，这两个版本的SharePoint都没有公开所涉及的REST API.

SharePoint 2007 and 2010 could also support simple forms based authentication as well as custom authentication providers, but as noted previously, neither of those versions of SharePoint expose the REST API in question.

AD =身份验证； SharePoint用户=授权

Azure AD是索赔提供者.声明提供者用于身份验证；当您登录到SharePoint时，SharePoint依靠Active Directory来确定您是谁.用户的SharePoint帐户用于授权； SharePoint帐户被授予逐站点访问SharePoint中内容的权限.

Azure AD is a claim provider. A claim provider is used for authentication; when you log on to SharePoint, SharePoint relies on Active Directory to determine that you are who you say you are. A user's SharePoint account is used for authorization; the SharePoint account is granted access to content within SharePoint on a site by site basis.

AD中的信息与SharePoint中的信息

使用Azure AD进行身份验证时，SharePoint中的数据和AD中的数据之间通常存在一些重叠的区域.

When using Azure AD for authentication, there are usually some areas of overlap between the data in SharePoint and the data in AD.

SharePoint的用户配置文件服务通常被设置为将数据从Active Directory同步到SharePoint，以便AD用作用户显示名称和标题之类的主数据集.但是，并非所有信息都必须从AD同步到SharePoint，并且可以将其他信息附加到SharePoint用户配置文件.

SharePoint's user profile service is usually set up to synchronize data from Active Directory to SharePoint, so that AD serves as the master data set for things like user display name and title. However, not all information is necessarily sync'd from AD to SharePoint, and additional information can be tacked on to SharePoint user profiles.

AD中的组成员身份与SharePoint中的组成员身份

在Azure AD中，用户可以是多个组的成员.组可以包括Active Directory组(可以嵌套)和Office 365(SharePoint)组(不能嵌套).

In Azure AD, a user can be a member of multiple groups. Groups can include both Active Directory groups (which can be nested) and Office 365 (SharePoint) groups (which cannot be nested).

SharePoint用户只能是SharePoint组的成员，因为SharePoint不会跟踪Active Directory组的成员身份.也就是说，由于Active Directory组已被授予访问权限，因此用户可以间接访问SharePoint中的内容.

A SharePoint user can only be a member of SharePoint groups, since SharePoint does not keep track of membership of Active Directory groups. That said, a user may have access to content in SharePoint indirectly due to an Active Directory group having been granted access.

AD用户范围vs SharePoint用户范围

除非直接使用用户配置文件服务，否则当以编程方式使用SharePoint用户时，需要从SharePoint中的特定网站中检索他们.这是因为每个网站集都有其自己的组集，这些组不能在SharePoint场内的其他网站集上使用，因此仅在逐个站点的基础上跟踪组成员身份.

Unless you're working directly with the user profile service, when you work with SharePoint users programmatically, they need to be retrieved from a specific site in SharePoint. This is because each site collection has its own set of groups which cannot be used on other site collections within the SharePoint farm, so group membership is tracked only on a site-by-site basis.

请注意，这意味着网站集之间用户的查找ID号(与他们的登录名不同)可能会有所不同.这也意味着，用户的组集合将根据检索用户对象的站点而有所不同.

Note that this means that a user's lookup ID number (which is different from their login name) may vary between site collections. This also means that a user's collection of groups will vary depending on the site from which the user object was retrieved.

Azure AD用户没有这样的孤岛.

An Azure AD user has no such silos.

这篇关于REST API在Sharepoint上管理用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！