使用 Graph Api 对租户进行角色计数

Role Count using Graph Api against a tenant(使用 Graph Api 对租户进行角色计数)
本文介绍了使用 Graph Api 对租户进行角色计数的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

有没有办法找到针对 tenant 存在的每个 role 和针对每个 分配的 number of users角色 使用 GraphServiceClientGraphConnection 类?我正在使用 C#.

Is there a way to find each role that exists against a tenant and number of users which have been assigned against each role using GraphServiceClient or GraphConnection class? I am using C#.

推荐答案

目录角色 - 为租户查找所有目录角色及其成员数量

Directory Roles - Finding all directory roles and count of their members for tenant

我已经给出了 Microsoft Graph API (https://graph.microsoft.com) 的示例代码以及 Azure AD Graph API (https://graph.windows.net),但它会很强大建议使用较新的 Microsoft Graph API,除非您无法从中获得特定的东西,然后才查看 Azure AD Graph API.

I have given sample code for both Microsoft Graph API (https://graph.microsoft.com) as well as Azure AD Graph API (https://graph.windows.net), but it would be strongly recommended to use newer Microsoft Graph API unless there is something specific that you aren't able to get from it and only then look at Azure AD Graph API.

在此处查看更详细的比较 Microsoft Graph 或 Azure AD Graph

Look here for more detailed comparisons Microsoft Graph or Azure AD Graph

这里是 nuget 包和类的详细信息,正如您在评论中询问的那样:

Here are nuget package and class details, as you've asked in comments:

  • Microsoft.Graph nuget 包 - 使用 Microsoft Graph API 并使用 GraphServiceClient 类.

  • Microsoft.Graph nuget package - to work with Microsoft Graph API and use GraphServiceClient class.

Microsoft.Azure.ActiveDirectory.GraphClient nuget 包 - 使用 Azure AD Graph API 并使用 ActiveDirectoryClient 类.

Microsoft.Azure.ActiveDirectory.GraphClient nuget package - to work with Azure AD Graph API and use ActiveDirectoryClient class.

微软图形 API

API - 列出目录角色 和 列出成员

var roles = await graphServiceClient.DirectoryRoles.Request().GetAsync();

var members = graphServiceClient.DirectoryRoles[role.Id].Members.Request().GetAsync();

Azure AD 图形 API

API - 获取目录角色和获取目录角色的成员

var directoryRoles =  activeDirectoryClient.DirectoryRoles.ExecuteAsync();

var members = await activeDirectoryClient.DirectoryRoles[role.ObjectId].Members.ExecuteAsync();

注意:在测试代码时,我还注意到 2 个 API 的行为略有不同.Microsoft Graph 仅在您请求目录角色的成员时返回用户.另一方面,Azure AD Graph 返回用户和服务主体.有关 Azure AD Graph 的特殊检查,请参阅我的代码.

NOTE: While testing code I also noticed a slight difference in behavior of the 2 API's. Microsoft Graph only returns Users when you ask for members of a directory role. Azure AD Graph on the other hand returned both users and service principals. See my code for a special check in case of Azure AD Graph.

另请注意,您获得的许多结果将是分页集合,因此您可能需要在多页结果的情况下处理分页.

Also note that many of the results you get will be paginated collections, so you may need to handle pagination in case of multiple pages of results.

应用程序角色 - 查找应用程序的所有应用程序角色,然后通过应用程序角色分配找到用户数.

Application Roles - Finding all Application Roles for an application and then finding Number of users through App Role Assignments.

应用程序角色特定于在 Azure AD 中注册的应用程序.可以通过在租户中浏览该应用程序的服务主体来读取该应用程序的角色分配集合.

Application Roles are specific to an application registered in Azure AD. Role Assignments collection for that application can be read by going through the service principal for that application in the tenant.

Azure AD 图形 API

应用角色

var app = activeDirectoryClient.Applications["<applicationObjectId>"].ExecuteAsync().Result;
var appRoles = app.AppRoles;

应用角色分配

ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(new Uri("https://graph.windows.net/<tenantGuid>"),
async () => await GetTokenForApplication());

var servicePrincipal = activeDirectoryClient.ServicePrincipals.Where(x => x.AppId == "<applicationId>").ExecuteAsync().Result.CurrentPage[0];
var appRoleAssignments = activeDirectoryClient.ServicePrincipals[servicePrincipal.ObjectId].AppRoleAssignedTo.ExecuteAsync().Result;
int userCountForApp = 0;
foreach(var appRoleAssignment in appRoleAssignments.CurrentPage)
{
    if (appRoleAssignment.PrincipalType == "User")
    {
        userCountForApp++;
        Console.WriteLine("Role Id = {0} and User Name = {1}", appRoleAssignment.Id, appRoleAssignment.PrincipalDisplayName);
    }
}

微软图形 API

读取分配给用户的所有应用程序特定角色(即 AppRoleAssignments)的功能仅作为 Microsoft Graph API beta 端点的一部分提供.所以它不够稳定,无法在生产代码中使用,而且您找不到 C# 的 Client SDK 支持.阅读 此 SO 帖子中的更多具体点马克·拉弗勒(Marc LaFleur)

The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint. So it's not stable enough to be used in production code and you won't find Client SDK support for C#. Read more specific points in this SO Post by Marc LaFleur

以下是相关的 API:

Here are the relevant API's though:

  • AppRoleAssignments
  • AppRoles

这篇关于使用 Graph Api 对租户进行角色计数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

相关文档推荐

How to MOQ an Indexed property(如何最小起订量索引属性)
Mocking generic methods in Moq without specifying T(在 Moq 中模拟泛型方法而不指定 T)
How Moles Isolation framework is implemented?(Moles Isolation 框架是如何实现的?)
Difference between Dependency Injection and Mocking Framework (Ninject vs RhinoMocks or Moq)(依赖注入和模拟框架之间的区别(Ninject vs RhinoMocks 或 Moq))
How to mock Controller.User using moq(如何使用 moq 模拟 Controller.User)
How do I mock a class without an interface?(如何模拟没有接口的类?)