您如何使用 MSAL-ANGULAR 阅读角色/权限 [英] How do you read Roles/Permissions using MSAL-ANGULAR

问题描述

因此，我已按照 msal-angular 中的说明成功地将 Azure AD 身份验证集成到我的 Angular 站点中，现在我正在寻找定义和利用角色和权限来提供更精细的控制用户能做什么和不能做什么.

So I've successfully integrated Azure AD authentication in my angular site as per the instructions in msal-angular and now I'm at the point where I'm looking to define and leverage roles and permissions to provide more granular control of what a user can and can't do.

据我所知，我可以按照这组说明定义角色 (https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles) 但 msal-angular 似乎没有暴露这在登录时 - 或者至少我还没有找到有关如何执行此操作的说明.

From what I've been able to determine I can define roles by following this set of instructions (https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles) but msal-angular doesn't seem to expose this upon logging in - or at least I haven't found instructions on how to do this just yet.

也许我错过了什么.任何建议将不胜感激

Perhaps I'm missing something. Any suggestions would be appreciated

推荐答案

要获取用户所属的组，您需要将 directory.read.all 添加到 Angular 应用程序的范围中以及 Azure 应用设置中的 API 权限.

To get the groups a user belongs to, you will need to add directory.read.all to your scope in your Angular app and also in the API permissions in the Azure app settings.

let graphUser = await graphClient.api('/me').get();
let graphUserGroups = await graphClient.api(`/users/${graphUser.id}/memberOf`).get();

let user = new User();
user.id = graphUser.id;
user.displayName = graphUser.displayName;
// Prefer the mail property, but fall back to userPrincipalName
user.email = graphUser.mail || graphUser.userPrincipalName;

graphUserGroups.value.forEach(group => {
    user.groups.push({
        group_id: group.id,
        group_name: group.displayName
    });
});

这篇关于您如何使用 MSAL-ANGULAR 阅读角色/权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！