Azure Graph API，Angular，获取用户组 [英] Azure Graph API, Angular, Get users Groups

问题描述

我想查询Azure AD Graph API，以从注册的Azure B2C应用中检索登录用户的组声明.我正在调用的应用是Angular 5 SPA.

I want to query Azure AD Graph API to retrieve the groups claim for the logged in user from a registered Azure B2C app. The app I'm calling from is an Angular 5 SPA.

在试用了Azure Active Directory和adal-angular4之后，我成功地检索了用户的自定义角色声明.为此，我注册了一个Azure AD应用程序，设置了必需的权限范围，将自定义角色添加到了应用程序的清单中，将用户添加到了该应用程序中，并为该用户设置了自定义角色.然后，我将新注册的应用程序的应用程序ID和租户用于adal-angular4配置.当我查询端点时，我得到包含角色声明的令牌.它运作良好.当我更改角色时，它会显示在令牌中.

After experimenting with Azure Active Directory and adal-angular4, I was successful retrieving a user's custom roles claim. To do this, I registered an Azure AD app, set required permission scopes, added custom roles to the application's manifest, added the user to the application, and set the custom role for the user. Then, I used my new registered app's application id and tenant for the adal-angular4 config. When I query the endpoint I get the token which contains the roles claim. It works well. When I change the role it shows in the token.

此角色声明对我来说足够了，但需要两次登录，一次用于我的B2C应用程序，一次用于我的其他注册应用程序.我认为我不能为两者使用相同的令牌.

This roles claim would be enough for me but it requires two logins, one for my B2C app, and one for my other registered app. I don’t think I can use the same token for both.

为了只进行一次登录，我想直接查询Azure B2C.我听说它不提供查询用户角色(如Azure Active Directory)的功能，并且已被指示使用用户组.我也看过文档，并被告知我需要使用Azure Graph API，因为Microsoft Graph尚未实现查询此信息的功能.

In order to have only one login, I want to query Azure B2C directly. I’ve heard it doesn't offer the ability to query the user's roles like Azure Active Directory, and have been directed to use user groups. I also have seen documentation and have been told that I need to use Azure Graph API because Microsoft Graph has not implemented the ability to query this info yet.

我尝试遵循与AAD一起使用的B2C的类似方法.我创建了一个网上论坛，并将用户添加到了该网上论坛.我尝试使用Azure Graph API终结点 https:/访问B2C应用程序的信息/graph.windows.net/myorganization/users?api-version=1.6 使用MSAL.js，但出现错误代码":"Authentication_MissingOrMalformed" .我验证了令牌已由MSAL检索并被添加到请求中.当我将网址更改为无效网址时，会出现相同的错误.我已经在此处，

I tried to follow a similar path for B2C that I used with AAD. I created a group and added a user to the group. I have tried to access my B2C app's information with the Azure Graph API endpoint https://graph.windows.net/myorganization/users?api-version=1.6 using MSAL.js but I get the error "code": "Authentication_MissingOrMalformed". I verified that a token is retrieved by MSAL and is being added to the request. When I change the url to one that is invalid, I get the same error. I have searched and found questions with the same problem here, here, but none are answered

如何解决此错误?

是否需要一个本地管理员帐户?

我是否需要在B2C应用程序上设置任何特殊范围以授予查询授权?如果有，它们具体是什么?我试图将范围的不同值交换到MSAL配置中，但没有找到任何有效的方法.

Are there any special Scopes I need to set on my B2C app to grant authorization for my queries? If there are, what specifically are they? I have tried to swapping different values for the scopes into the MSAL config and haven't found anything that works.

此应用需要多租户吗?

我在

I have found resources on access tokens and scopes but I'm using Angular 5 / typescript and don't have the Azure AD Graph Client Library that's available in .NET. I haven't been able to make use of either resource.

推荐答案

我想写这篇文章来帮助其他可能陷入与我试图找到基本方向/理解相同的车辙的人.我基本上是使用@Chris Pradget所描述的工作流程.不过，我最初对问题的理解是错误的，我将弄清楚错误在哪里，并提供一些背景信息.

I wanted to write this to help others who might be stuck in the same rut I was in trying to find a basic direction / understanding. I essentially went with the workflow that @Chris Pradget described. My initial perception of the problem was wrong though and I’ll clarify where my error was and give a little context.

我的最初目标是在用户登录我的Azure/Angular App时带来用户的角色和/或组声明.当您使用Azure B2C登录策略时，Azure并不容易做到这一点. (从某些方面来看，Firebase似乎很容易做到这一点.)

My initial goal was to bring a user’s roles and / or groups claims when a user logs in to my Azure / Angular App. Azure doesn’t have an easy way to do this when you are logging in with Azure B2C for policies. (In some regards it seems that Firebase makes this easy).

经过一番研究，但并没有真正理解全局，我看到了似乎是矛盾的信息，这需要一些时间来进行梳理.最终，我发现我正在寻找的信息是我不能只有一个登录名.

After a bunch of research and not really comprehending the big picture I saw what seemed to be conflicting information which took some time to sort through. Eventually I found the information I was looking for which was that I couldn’t have only one login.

(请注意，我将我经典的Azure AD注册应用程序称为应用程序注册"，目的是要区别于Azure门户中的代码实现和配置集)

(Just a heads up, I refer to my classic Azure AD registered app as an 'app registration' just to draw a distinction from the code implementation and the configuration set in Azure's Portal)

进行了大量实验，但我想出了一些可行的方法.我实际上检索了3个令牌，其中2个在Angular中使用MSAL.js，1个在.NET中使用ADAL for Microsoft Graph. Angular中的一个用于初始登录(MSAL客户端的loginRedirect调用)以检索id_token，而另一个我使用该令牌以及aquireTokenSlient函数检索以检索access_token.我将其发送到我的.NET Core后端，在这里我将传入令牌中的用户ID用作

It took alot of experimentation, but i came up with something that seems to work. I essentially retrieve 3 tokens, 2 in Angular using MSAL.js and one in .NET using ADAL for Microsoft Graph. One in Angular is for the initial login (MSAL Client's loginRedirect call) to retrieve the id_token and the other I retrieved using that token along with the aquireTokenSlient function to retrieve the access_token. I sent that to my .NET Core backend where I used the users id from the incoming token as resource id in a request to Microsoft Graph to get my groups claim and then I crafted my own JWT token with the claims to send back to Angular for my route guards.

我研究中的注意事项:

Azure AD Graph与Microsoft Graph吸引用户组:关于使用哪个信息存在冲突，有人说Microsoft Graph是因为不推荐使用Azure Graph，而其他人则说Azure Graph是因为MS Graph尚未涵盖所有基础.经过试验，我发现我可以从MS Graph中提取用户的组.考虑到这一点以及MS Graph是较新的事实，我选择了MS Graph.为了对图形进行实验，我同时使用了 Azure Graph资源管理器和

Azure AD Graph vs Microsoft Graph to pull user groups: There’s conflicting information about which to use, some say Microsoft Graph because Azure Graph is being deprecated, but others say Azure Graph because MS Graph doesn’t cover all of the bases yet. After experimenting, I found that I was able to pull a user’s groups out of MS Graph. Given that and the fact that MS Graph is newer, I went with MS Graph. For experimentation with the graphs I used both Azure Graph explorer and MS Graph Explorer.

我花了一段时间才能成功查询Microsoft Graph，但是当我这样做时是通过.我首先遇到的主要问题是当我用自己的帐户查询应用程序时.只有一些查询有效，甚至那些查询返回的信息也非常有限.直到我重新阅读

It took me awhile to successfully query the Microsoft Graph, but when I did was through MS Graph Explorer as stated above. The main problem I first encountered was when I queried my app with my own account. Only some queries worked and even those brought back very limited info. It wasn’t until I re-read this article about the Azure AD Graph API did I notice that in order to query the Graphs, you need to use a user id that is local to your tenant’s domain and is an admin. When I created and used my tenant’s admin (from that domain), all of the queries worked. So as far as my questions above are concerned:

1)如何解决此["code":"Authentication_MissingOrMalformed"]错误? 使用本地管理员帐户

1) How do I fix this ["code": "Authentication_MissingOrMalformed"] error? Use a local admin account

2)是否需要一个本地管理员帐户? 是的

3)我需要在B2C应用程序上设置任何特殊范围来授予查询授权吗?如果有，它们具体是什么? 要以ADAL所需的方式查询MS Graph，请使用Directory.Read Access

3) Are there any special Scopes I need to set on my B2C app to grant authorization for my queries? If there are, what specifically are they? To query the MS Graph in the ways you want with ADAL use Directory.Read Access

4)此应用是否需要多租户? 不

此外，在我的研究中，我发现可以使用Azure AD角色来代替使用B2C组.具体来说，可以将应用程序角色添加到Azure门户中的Classic Azure AD应用程序清单中.对于我来说，这是另一条充满希望的路线.我发现这篇文章描述了如何编辑清单以添加应用程序角色.首先，将角色添加到清单中，然后将用户分配给Azure门户中的角色，然后使用ADAL.js库(从Angular中)查询用户信息.当您使用库登录时，应用程序角色"会降低到获得的令牌上.当然，这不使用B2C策略.同样，这可能不言而喻，但是在您登录时，B2C id_token或access_token都不能用于获取经典Azure AD凭据/令牌.我试图思考其他方法来实现我想要的.鉴于这2个注册都在同一个租户中，我想我可以使用单点登录来登录一个，而保留另一个登录.我没有走很远.我考虑过的另一种方法是使用自定义策略从我的Azure AD经典应用中检索数据，但两者都做不到.

Additionally In my research I found that instead of using B2C Groups, you can use Azure AD Roles. Specifically, Application Roles can be added to a Classic Azure AD app manifest in the Azure Portal. It was a different route that looked promising for me. I found this article describing how to edit the manifest to add the Application Roles. First you add roles to the manifest, next you assign users to roles in the Azure Portal, then you query the user information (from Angular) using the ADAL.js library. When you login using the library, the Application Roles are brought down on the token acquired. This of course doesn't use the B2C policies. Also this might go without saying, but when you login, neither the B2C id_token or access_token can be used to acquire the Classic Azure AD credentials/token. I tried to think of other ways to accomplish what I wanted. Given that the 2 registrations are in the same tenant I thought I could use single sign on to log into one and remain logged in for the other. I didn’t get very far. Another method that I considered was using custom policies to retrieve the data from my Azure AD classic app but didn’t get far with that either.

此外，当@Chris Padgett提到创建用户api"时，我误解了它.我所说的用户api"是指我在Azure门户中设置的经典Azure广告应用注册，其中包含我的用户信息，并充当检索我的令牌的api.我以为我首先需要从Angular中的B2C获取访问令牌，然后使用该令牌(仍在Angular中)来访问我的Azure AD经典注册.从那里，我将能够提取用户的信息，包括应用程序角色(可通过编辑清单来访问).这是行不通的，因为如上所述，我希望一次登录即可完成此操作，并且您不能在Classic Azure AD应用程序中使用B2C令牌.即使它确实起作用，也需要在我不想做的B2C应用程序之外的经典Azure AD应用程序注册中为用户设置角色.为应用程序注册一个应用程序，然后注册另一个应用程序来管理用户的角色并不是一件很优雅的事情.要使其正常工作，还需要进行2次登录，其中B2C登录一次，Classic Azure AD登录一次.用这种方法，感觉这两个应用程序是分开的，我不想在两个平台上分散关注点.因此，最后，在Angular中使用B2C登录然后通过MS Graph访问服务器以拉动用户组的方案是一种更好的方案.后端应用程序只需要登录一次即可，而无需访问它的用户，这意味着用户不需要登录两次.还将我的信息整合到我的B2C应用注册中.

Also when @Chris Padgett mentioned creating a "user api", I misinterpreted it. By "user api" I thought he meant my classic Azure Ad app registration, which was set up in Azure Portal, houses my user info, and acts as an api to retrieve my token. I thought I first needed to obtain an access token from B2C in Angular and then use that token (still in Angular) to access my Azure AD classic registration. From there I would be able to pull down my users' information including the Application Roles (made accessible from editing the manifest). This wouldn't have worked because as I've stated above I wanted to do this with one login and you can't use a B2C token in a Classic Azure AD app. Even if it did work, it would have required setting roles for users in my classic Azure AD app registration outside of my B2C app which I didn't want to do. Having one app registration for the policies and another to manage users' roles isn't very elegant. Also getting it to work would require 2 logins one for B2C and one for Classic Azure AD. In this approach, it feels like these 2 apps are separate and I don't want to divvy up concerns across 2 platforms. So, in the end, the scenario of logging in with B2C in Angular and then hitting the server to pull the user groups with MS Graph is a better one. The backend app only needs to log in once independent of users accessing it, which means users don't need to log in twice. Also it consolidates my information to my B2C app registration.

我认为Azure将来可能最终会在其id_tokens上提供组和/或角色，但是我认为此信息同时可能对人们有所帮助.另外，这里还有我问过的其他相关问题的链接，这些问题有助于指导我的研究:

I'm think Azure might eventually provide the groups and / or roles on their id_tokens in the future, but I thought this info might be helpful to people in the meantime. In addition here are links to other related questions I asked that helped guide me my research:

了解到我需要顺序使用ADAL.js上的MSAL.js使用B2C政策.

类似的问题，我问有关查询MS Graph并获得限制的问题响应

这篇关于Azure Graph API，Angular，获取用户组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！