Azure AD Graph API用户memberOf嵌套组 [英] Azure AD Graph API User memberOf nested groups

问题描述

我正在查询我的Azure AD图API以获取用户的组成员身份.我可以使查询很好，但结果只是用户直接所属的组.没有列出任何嵌套组.

I am querying my Azure AD graph API for a user's group memberships. I can make the query just fine, but the results are only the groups that the user DIRECTLY belongs to. None of the nested groups are listed.

我正在尝试确定用户是否属于特定组，但是我不想做，最终可能会超过100个api调用来进行查找.(即，用户属于GroupA的成员，GroupA是GroupB的成员，GroupB是GroupC的成员，GroupC是GroupD的成员.尽管B，C和D在技术上属于他们，但它们不会显示在用户的列表中-仅GroupA).

I'm trying to find out if a user belongs to a specific group, but I don't want to have to make, what could end up to be, over 100 api calls to find out. (i.e. a user belongs to GroupA which is a member of GroupB which is a member of GroupC which is a member of GroupD. Groups B, C, and D do not show up in the user's list of groups even though he technically belongs to them - only GroupA).

有没有办法在一个API调用或另一个API调用中获得所有组成员身份?当我使用集成Windows身份验证时，IsInRole(GroupD)将返回true.但是，这在Azure AD身份验证中不可用，并且任何声称具有重新实现IsInRole的代码的发布都只是对user.memberOf(不执行嵌套组)进行相同的调用.

Is there any way to get ALL group memberships in one API call or another? When I was using Integrated Windows Authentication, the IsInRole(GroupD) would have returned true. Though, that is not available with Azure AD authentication and any of the postings that claim to have code to re-implement IsInRole are simply making the same call to user.memberOf (which does not do the nested groups).

仅供参考，这是我拨打电话的代码.

Just for reference, this is the code where I make the call.

var client = AuthenticationHelper.GetActiveDirectoryClient();
var user = await client.Users.GetByObjectId(objectId).ExecuteAsync();
var userFetcher = (IUserFetcher)user;
var pagedCollection = await userFetcher.MemberOf.ExecuteAsync();

do
{
    var directoryObjects = pagedCollection.CurrentPage.ToList();

    foreach (var group in directoryObjects.OfType<Group>().Select(directoryObject => directoryObject))
    {
        groupMembership.Add(group);
    }

    pagedCollection = await pagedCollection.GetNextPageAsync();
}
while (pagedCollection != null && pagedCollection.MorePagesAvailable);

推荐答案

是.getMemberObjects API返回用户所属的所有组(透明):https://msdn.microsoft.com/zh-CN/library/azure/dn835117.aspx .另外，使用checkMemberGroups API，您可以(透明地)检查用户是否是组的成员: https://msdn.microsoft.com/en-us/library/azure/dn835107.aspx

Yes. The getMemberObjects API returns all groups (transitive) of which the user is a member: https://msdn.microsoft.com/en-us/library/azure/dn835117.aspx . Also, using the checkMemberGroups API you can check whether or not the user is member of a group (transitively): https://msdn.microsoft.com/en-us/library/azure/dn835107.aspx

不过，对于您的要求，Azure AD的应用程序角色功能可能更合适.您的应用程序可以声明应用程序角色，管理员可以将其分配给用户和组.当用户登录到您的应用程序时，Azure AD将计算已分配给他们的应用程序角色，并在角色声明中将其发送.无需在运行时查询图形.参见此处:

However for your requirement the application roles feature of Azure AD might be a better fit. Your application can declare application roles, that can be assigned by the admin to users as well as groups. When the users signs in to your application, Azure AD computes the application roles that have been assigned to them and sends them in the roles claim. No need to query graph at runtime. See here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/

这篇关于Azure AD Graph API用户memberOf嵌套组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！