如何检查azure活动目录用户是否已在申请中 [英] How to check if an azure active directory user is already in an approle

问题描述

我已经创建了一个Azure活动目录用户，并将该用户添加到了应用程序角色中. 现在，我正在检索此用户，并尝试将其添加到更多应用角色中.

I've created an Azure active directory user and added the user to app roles. Now i am retrieving this user and attempting to add it to more app roles.

var activeDirectoryUser = client.Users.Where(u => u.UserPrincipalName == user.UserName).ExecuteSingleAsync().Result as User;

作为预防措施，我想先检查用户是否已经在应用程序角色中，然后再添加，但是问题是User对象上的ApproleAssignments字段始终为空.即使您已经为用户分配了应用程序角色，如果尝试将用户添加到相同的应用程序角色，我也会收到错误消息.

As a precaution i want to first check if the user is already in an app role before adding however the problem is that the ApproleAssignments field on the User object is always empty. Even thou the user has app role assignments and i get an error if i try and add the user to the same app role.

创建新的应用角色分配.

Creating new app role assignment.

var appRoleAssignment = new AppRoleAssignment
{
    Id = appRole.Id,
    ResourceId = Guid.Parse(servicePrincpal.ObjectId),
    PrincipalType = "User",
    PrincipalId = Guid.Parse(user.ObjectId)
};

if(IsUserInAppRole(user,appRoleAssignment))return;

user.AppRoleAssignments.Add(appRoleAssignment);
user.UpdateAsync().Wait();

检查用户是否具有应用角色.

Checking if user is in app role.

private bool IsUserInAppRole(User user, AppRoleAssignment appRoleAssignment)
{
    var userInApprole = user.AppRoleAssignments.Where(ara => ara.ObjectId == appRoleAssignment.Id.ToString());
    return userInApprole.Any();
}

我正在使用最新版本的Microsoft.Azure.ActiveDirectory.GraphClient库

I'm using the latest version of Microsoft.Azure.ActiveDirectory.GraphClient library

推荐答案

抱歉，回复晚.以下代码对我有用.不确定是否需要使用IUserFetcher接口，但是LINQ查询失败，因为您正在将分配的objectID与appRole ID进行比较.您需要比较的是作业的ID.

Sorry for the late response. The following code worked for me. Not sure if you need to use the IUserFetcher interface, but your LINQ query fails because you are comparing the objectID of the assignment, with the appRole Id. What you need to compare is the ID of the assignment.

var userFetcher = user as IUserFetcher;
IPagedCollection<IAppRoleAssignment> rawObjects = userFetcher.AppRoleAssignments.ExecuteAsync().Result;

IList<IAppRoleAssignment> assignments = rawObjects.CurrentPage.ToList();
IAppRoleAssignment a = null;
a = assignments.Where(ara => ara.Id.Equals(appRole.Id)).First();
if (a != null) {
    Console.WriteLine("Found assignment {0} for user {1}", appRole.Id, user.DisplayName);
}

希望这对您有帮助...

Hope this helps...

这篇关于如何检查azure活动目录用户是否已在申请中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！