使用Graph API以编程方式将用户分配给Azure AD应用程序 [英] Programmatically assign users to Azure AD Application using Graph API
问题描述
我正在尝试编写一个脚本,以使用Graph API将用户分配给Azure AD应用程序(servicePrincipal).我正在沙箱中对此进行测试,在该沙箱中我已定义了应用程序并为其分配了用户.但是,当我查询servicePrincipal
时,在响应中的任何地方都看不到用户.
I am trying to write a script to assign users to an Azure AD application (servicePrincipal) using Graph API. I am testing this in my sandbox, where I have defined the app and assigned users to it. However, when I query the servicePrincipal
, I don't see the users anywhere in the response.
问题:
-
基于文档,不应该有
appRoleAssignment
吗?
文档说此字段是只读的,所以应该如何分配用户?
The documentation says this field is read-only, so how are you supposed to assign users?
推荐答案
查询Graph API时,可以通过导航属性获取用户的appRoleAssignments
:
You can get the appRoleAssignments
of a user via the navigation property when querying the Graph API:
https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6
您可以通过以下方式进行HTTP POST来创建分配:
You can create assignments by making an HTTP POST to:
https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6
您需要发送的对象如下所示:
The object that you need to send looks like this:
{
"id": "id-of-role",
"principalId": "objectId-of-user",
"resourceId": "objectId-of-service-principal"
}
如果您的应用没有任何角色,但您仍要分配用户,则似乎可以将ID设置为全零:
If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:
在资源未声明任何权限的情况下,必须指定默认ID(零GUID).
Where the resource does not declare any permissions, a default id (zero GUID) must be specified.
类似这样:
{
"id":"00000000-0000-0000-0000-000000000000",
"resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
"principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"
}
这篇关于使用Graph API以编程方式将用户分配给Azure AD应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!