分享程序员开发的那些事...
更新时间:2023-02-21 10:24:56
读取分配给用户的所有应用程序特定角色(即 AppRoleAssignments)的功能仅作为当前 AFAIK 的 Microsoft Graph API beta 端点 的一部分提供.这在 v1.0 中不可用.您可以在这里
The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint currently AFAIK. This is not available as part of v1.0. You can read about versions here
从名称beta"可以看出,它预计不会是生产应用程序可以依赖的稳定版本.阅读 此 SO 帖子中的更多具体点马克·拉弗勒(Marc LaFleur)
As evident from name "beta", it's not expected to be a stable version that can be relied upon for production applications. Read more specific points in this SO Post by Marc LaFleur
确切的 API(Microsoft Docs 参考):
GET https://graph.microsoft.com/beta/users/{id | userPrincipalName}/appRoleAssignments
我尝试使用 GraphServiceClient(用于 Microsoft Graph 的 .NET SDK),但找不到与 AppRoleAssignments 相关的任何内容.(可能是因为 SDK 使用的是稳定 1.0 版本的元数据,而不是 beta 版本)
I tried using GraphServiceClient (.NET SDK for Microsoft Graph) but wasn't able to find anything related to AppRoleAssignments. (probably because SDK uses metadata from stable 1.0 version and not the beta version)
无论如何,如果您仍然可以对此进行测试,请使用 Microsoft Graph Explorer 或直接从 C# 代码调用端点
In any case, if you can still test this, use Microsoft Graph Explorer or directly call the endpoint from C# code
string graphRequest = $"https://graph.microsoft.com/beta/users/{my user GUID}/appRoleAssignments";
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, graphRequest);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
尽管建议尽可能使用 Microsoft Graph API,但仍有一些情况下 Microsoft Graph 尚未赶上,因此您不得不使用 Azure AD Graph API.应用程序管理相关的案例就是其中的一些.
Even though it's recommended to use Microsoft Graph API whenever possible, there are still some cases where Microsoft Graph hasn't caught up yet so you are forced to use Azure AD Graph API. Application management related cases are some of those.
所以你可以使用这个 Azure AD Graph API.我从 Azure AD Graph Explorer 快速对此进行了测试,它运行良好.
So you could use this Azure AD Graph API. I quickly tested this from Azure AD Graph Explorer and it works fine.
https://graph.windows.net/{yourtenantid}/users/{id}/appRoleAssignments?api-version=1.6
就像 Microsoft Graph Library for .NET 一样,您可以使用 Azure AD Graph.NET 的客户端库,您的代码看起来像这样..
Just like Microsoft Graph Library for .NET you can use Azure AD Graph Client Library for .NET and your code would look something like this..
aadgraphClient.Users["<user guid>"].AppRoleAssignments;
附带说明,由于您专门针对 Microsoft Graph API 提出了该问题,因此我已相应地回答了该问题.
On a side note, since you've asked the question specifically for Microsoft Graph API, I've answered it accordingly.
至少对于应用程序的当前登录用户,您始终可以找到 应用程序角色 从 角色声明作为 Azure Active Directory 访问令牌的一部分提供.
At least for the currently signed in user for an application, you can always find the Application Roles assigned to them from the Role claims available as part of the access token from Azure Active Directory.
虽然这仅对当前用户的角色有帮助,但如果您尝试跨应用程序的所有用户进行管理,则对管理类型的场景没有帮助.这是一个读取角色声明并根据当前登录用户的应用角色进行授权的示例.
This although only helps with roles for current user and not in management sort of scenarios if you're trying to go across all users for an application. Here's a sample that reads role claims and does authorization based on App Roles for currently signed in user.