Azure Active Directory: assign user to an application from the gallery via Graph API
Question
I'd need to automate the process of adding an application from the gallery (i.e. Trello), configuring it (i.e. password single sign on) and assign users to it.
Can this be done via Graph API?
Recommended answer
Yes. You can automate adding Trello to an Azure AD directory by creating a servicePrincipal in the directory corresponding to the Trello application. The default SSO setting is password SSO. You can also assign users (and groups) using graph API. However the assigned users will need to configure the password that they will use with the application manually.
Add Trello to the directory (create a servicePrincipal):
- appId is the application ID of the Trello application. The value is a4937c28-17cc-469b-b082-1d6124a402f3 for all tenants.
HTTP POST https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/servicePrincipals?api-version=1.5
Authorization : Bearer eyJ0eXO--snip--zvg
Content-Type : application/json
Content-Length : 58
{
"appId": "a4937c28-17cc-469b-b082-1d6124a402f3"
}
Query successfully executed.
odata.metadata : https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal/@Element
odata.type : Microsoft.DirectoryServices.ServicePrincipal
objectType : ServicePrincipal
objectId : 93c60e8e-74f9-4add-9ae2-dd9bc0d6edcd
deletionTimestamp :
accountEnabled : True
appDisplayName : Trello
appId : a4937c28-17cc-469b-b082-1d6124a402f3
appOwnerTenantId : 47df5bb7-e6bc-4256-afb0-dd8c8e3c1ce8
appRoleAssignmentRequired : False
appRoles : {@{allowedMemberTypes=System.Object[]; description=msiam_access; displayName=msiam_access; id=fc60bc23-43df-4a60-baaa-f0b8694e0259; isEnabled=True; value=}}
displayName : Trello
errorUrl :
homepage : https://127.0.0.1:444/applications/default.aspx?metadata=trello|ISV9.3|primary|z
keyCredentials : {}
logoutUrl :
oauth2Permissions : {}
passwordCredentials : {}
preferredTokenSigningKeyThumbprint :
publisherName : Active Directory Application Registry
replyUrls : {https://127.0.0.1:444/applications/default.aspx}
samlMetadataUrl :
servicePrincipalNames : {a4937c28-17cc-469b-b082-1d6124a402f3, http://adapplicationregistry.onmicrosoft.com/trello/primary}
tags : {}
Assign principal (user or group) to Trello:
- resourceId is the objectId of the Trello servicePrincipal created in the tenant by the previous command.
- id is the default role ID of the Trello application. The value is fc60bc23-43df-4a60-baaa-f0b8694e0259 for all tenants.
- principalId is the objectId of the principal (user or group) being assigned to the application.
HTTP POST https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/users/de4b092e-1dd4-4d40-b74d-a2d7096c9495/appRoleAssignments?api-version=1.5
Authorization : Bearer eyJ0eXAiOi--snip--JKVBfk_Q
Content-Type : application/json
Content-Length : 176
{
"id": "fc60bc23-43df-4a60-baaa-f0b8694e0259",
"principalId": "de4b092e-1dd4-4d40-b74d-a2d7096c9495",
"resourceId": "93c60e8e-74f9-4add-9ae2-dd9bc0d6edcd"
}
Query successfully executed.
odata.metadata : https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment/@Element
odata.type : Microsoft.DirectoryServices.AppRoleAssignment
objectType : AppRoleAssignment
objectId : LglL3tQdQE23TaLXCWyUlVPgf9W8rhZBi1YqpnYOyMg
deletionTimestamp :
creationTimestamp : 2015-01-29T05:52:12.4851494Z
id : fc60bc23-43df-4a60-baaa-f0b8694e0259
principalDisplayName :
principalId : de4b092e-1dd4-4d40-b74d-a2d7096c9495
principalType : User
resourceDisplayName : Trello
resourceId : 93c60e8e-74f9-4add-9ae2-dd9bc0d6edcd
The assigned user will see the app in their access panel (myapp.microsoft.com). They will need to update the credentials manually.
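An added example (not code from the answer above) that drives the two calls in order from Python and reads the servicePrincipal's objectId and its enabled appRole id out of the first response instead of hard-coding them. The bearer_post transport, the offline stub inside run_demo and the placeholder values TENANT-ID, USER-OBJECTID, SP-OBJECTID and ROLE-ID are assumptions; only the Trello appId and the endpoint shapes come from the answer.

```python
import json
import urllib.request

GRAPH = "https://graph.windows.net"
TRELLO_APP_ID = "a4937c28-17cc-469b-b082-1d6124a402f3"  # gallery appId quoted in the answer


def bearer_post(token):
    """Real transport (assumed helper, needs network): POST JSON to AAD Graph with a bearer token."""
    def post(url, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


def create_service_principal(post, tenant, app_id):
    """Step 1: instantiate the gallery app in the tenant; returns the servicePrincipal object."""
    return post(f"{GRAPH}/{tenant}/servicePrincipals?api-version=1.5", {"appId": app_id})


def default_role_id(sp):
    """Take the single enabled appRole from the response rather than trusting a fixed GUID."""
    enabled = [r["id"] for r in sp.get("appRoles", []) if r.get("isEnabled")]
    if len(enabled) != 1:
        raise ValueError(f"expected exactly one enabled appRole, got {enabled}")
    return enabled[0]


def assign_principal(post, tenant, sp, principal_id, kind="users"):
    """Step 2: link a user (kind='users') or group (kind='groups') to the servicePrincipal."""
    body = {"id": default_role_id(sp), "principalId": principal_id, "resourceId": sp["objectId"]}
    return post(f"{GRAPH}/{tenant}/{kind}/{principal_id}/appRoleAssignments?api-version=1.5", body)


def run_demo(tenant, user_id, post=None):
    """Run both steps; with post=None a constructed stub that mirrors the answer's output is used."""
    calls = []
    if post is None:
        def post(url, body):  # constructed offline stub, records every request
            calls.append((url, body))
            if url.endswith("/servicePrincipals?api-version=1.5"):
                return {"objectId": "SP-OBJECTID", "appId": body["appId"], "appRoleAssignmentRequired": False,
                        "appRoles": [{"id": "ROLE-ID", "isEnabled": True, "value": ""}]}
            return {"objectType": "AppRoleAssignment", **body}
    sp = create_service_principal(post, tenant, TRELLO_APP_ID)
    # False (as in the answer's output) means assignment only adds the access-panel tile;
    # set appRoleAssignmentRequired to True if only assigned principals should get tokens.
    open_access = not sp.get("appRoleAssignmentRequired", False)
    return assign_principal(post, tenant, sp, user_id), calls, open_access
```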