在声明中获取 Azure AD 用户所属的组列表

本文介绍了在声明中获取 Azure AD 用户所属的组列表的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着跟版网的小编来一起学习吧！

问题描述

我正在针对 Azure Active Directory 对我的 Web api 用户进行身份验证.现在我想获取该用户所属的组列表.

I am authenticating users of my web api against Azure Active Directory. Now I want to get a list of groups that this user belongs.

我更改了应用程序清单以包含

I changed application manifest to include

"groupMembershipClaims": "All",

但这所做的只是添加声明 hasGroups 但没有组名.

but all this does is to add claim hasGroups but no group names.

我在门户中为我的应用授予了 Windows Azure Active Directory 的所有 (8) 项委派权限.

I granted all (8) Delegated Permissions to Windows Azure Active Directory for my app in the portal.

推荐答案

我确实做到了.

让我们将我的 Azure AD 应用程序称为AD-App".

Let's call my Azure AD appication "AD-App".

广告应用

其他应用程序的权限设置为；

Windows Azure 活动目录.

Windows Azure Active Directory.

应用程序权限:0.

委派权限 2(读取目录数据"、登录并读取用户配置文件".

Delegated Permissions 2 ("Read directory data", "Sign in and read user profile".

Manifest 有如下设置:

"groupMembershipClaims": "SecurityGroup"

后端 API

以下是我返回用户组的方法.要么您发送用户 ID，否则它使用声明中的 ID.Id 的意思是objectIdentifier".

The following is my method to return the users groups. Either you send in the users id, if not it uses the id from claims. Id meaning "objectIdentifier".

        public static IEnumerable<string> GetGroupMembershipsByObjectId(string id = null)
    {
        if (string.IsNullOrEmpty(id))
            id = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

        IList<string> groupMembership = new List<string>();
        try
        {
            ActiveDirectoryClient activeDirectoryClient = ActiveDirectoryClient;
            IUser user = activeDirectoryClient.Users.Where(u => u.ObjectId == id).ExecuteSingleAsync().Result;
            var userFetcher = (IUserFetcher)user;

            IPagedCollection<IDirectoryObject> pagedCollection = userFetcher.MemberOf.ExecuteAsync().Result;
            do
            {
                List<IDirectoryObject> directoryObjects = pagedCollection.CurrentPage.ToList();
                foreach (IDirectoryObject directoryObject in directoryObjects)
                {
                    if (directoryObject is Group)
                    {
                        var group = directoryObject as Group;
                        groupMembership.Add(group.DisplayName);
                    }
                }
                pagedCollection = pagedCollection.GetNextPageAsync().Result;
            } while (pagedCollection != null);

        }
        catch (Exception e)
        {
            ExceptionHandler.HandleException(e);
            throw e;
        }

        return groupMembership;
    }

我不能告诉你这是否是最佳实践，但它对我有用.

I can't tell you wether this is done by best practice or not, but it works for me.

这篇关于在声明中获取 Azure AD 用户所属的组列表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！

本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益，请联系我们，我们会在确认后第一时间进行删除！

在声明中获取 Azure AD 用户所属的组列表

问题描述

推荐答案

相关文档推荐