问题描述
有没有办法找到针对 tenant
存在的每个 role
和针对每个 分配的
使用 number of users
角色GraphServiceClient
或 GraphConnection
类?我正在使用 C#.
Is there a way to find each role
that exists against a tenant
and number of users
which have been assigned against each role
using GraphServiceClient
or GraphConnection
class? I am using C#.
推荐答案
目录角色 - 为租户查找所有目录角色及其成员数量
Directory Roles - Finding all directory roles and count of their members for tenant
我已经给出了 Microsoft Graph API (https://graph.microsoft.com) 的示例代码以及 Azure AD Graph API (https://graph.windows.net),但它会很强大建议使用较新的 Microsoft Graph API,除非您无法从中获得特定的东西,然后才查看 Azure AD Graph API.
I have given sample code for both Microsoft Graph API (https://graph.microsoft.com) as well as Azure AD Graph API (https://graph.windows.net), but it would be strongly recommended to use newer Microsoft Graph API unless there is something specific that you aren't able to get from it and only then look at Azure AD Graph API.
在此处查看更详细的比较 Microsoft Graph 或 Azure AD Graph
Look here for more detailed comparisons Microsoft Graph or Azure AD Graph
这里是 nuget 包和类的详细信息,正如您在评论中询问的那样:
Here are nuget package and class details, as you've asked in comments:
Microsoft.Graph
nuget 包 - 使用Microsoft Graph API
并使用GraphServiceClient
类.
Microsoft.Graph
nuget package - to work withMicrosoft Graph API
and useGraphServiceClient
class.
Microsoft.Azure.ActiveDirectory.GraphClient
nuget 包 - 使用 Azure AD Graph API 并使用 ActiveDirectoryClient
类.
Microsoft.Azure.ActiveDirectory.GraphClient
nuget package - to work with Azure AD Graph API and use ActiveDirectoryClient
class.
微软图形 API
API - 列出目录角色 和 列出成员
var roles = await graphServiceClient.DirectoryRoles.Request().GetAsync();
var members = graphServiceClient.DirectoryRoles[role.Id].Members.Request().GetAsync();
Azure AD 图形 API
API - 获取目录角色和获取目录角色的成员
var directoryRoles = activeDirectoryClient.DirectoryRoles.ExecuteAsync();
var members = await activeDirectoryClient.DirectoryRoles[role.ObjectId].Members.ExecuteAsync();
注意:在测试代码时,我还注意到 2 个 API 的行为略有不同.Microsoft Graph 仅在您请求目录角色的成员时返回用户.另一方面,Azure AD Graph 返回用户和服务主体.有关 Azure AD Graph 的特殊检查,请参阅我的代码.
NOTE: While testing code I also noticed a slight difference in behavior of the 2 API's. Microsoft Graph only returns Users when you ask for members of a directory role. Azure AD Graph on the other hand returned both users and service principals. See my code for a special check in case of Azure AD Graph.
另请注意,您获得的许多结果将是分页集合,因此您可能需要在多页结果的情况下处理分页.
Also note that many of the results you get will be paginated collections, so you may need to handle pagination in case of multiple pages of results.
应用程序角色 - 查找应用程序的所有应用程序角色,然后通过应用程序角色分配找到用户数.
Application Roles - Finding all Application Roles for an application and then finding Number of users through App Role Assignments.
应用程序角色特定于在 Azure AD 中注册的应用程序.可以通过在租户中浏览该应用程序的服务主体来读取该应用程序的角色分配集合.
Application Roles are specific to an application registered in Azure AD. Role Assignments collection for that application can be read by going through the service principal for that application in the tenant.
Azure AD 图形 API
应用角色
var app = activeDirectoryClient.Applications["<applicationObjectId>"].ExecuteAsync().Result;
var appRoles = app.AppRoles;
应用角色分配
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(new Uri("https://graph.windows.net/<tenantGuid>"),
async () => await GetTokenForApplication());
var servicePrincipal = activeDirectoryClient.ServicePrincipals.Where(x => x.AppId == "<applicationId>").ExecuteAsync().Result.CurrentPage[0];
var appRoleAssignments = activeDirectoryClient.ServicePrincipals[servicePrincipal.ObjectId].AppRoleAssignedTo.ExecuteAsync().Result;
int userCountForApp = 0;
foreach(var appRoleAssignment in appRoleAssignments.CurrentPage)
{
if (appRoleAssignment.PrincipalType == "User")
{
userCountForApp++;
Console.WriteLine("Role Id = {0} and User Name = {1}", appRoleAssignment.Id, appRoleAssignment.PrincipalDisplayName);
}
}
微软图形 API
读取分配给用户的所有应用程序特定角色(即 AppRoleAssignments)的功能仅作为 Microsoft Graph API beta 端点的一部分提供.所以它不够稳定,无法在生产代码中使用,而且您找不到 C# 的 Client SDK 支持.阅读 此 SO 帖子中的更多具体点马克·拉弗勒(Marc LaFleur)
The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint. So it's not stable enough to be used in production code and you won't find Client SDK support for C#. Read more specific points in this SO Post by Marc LaFleur
以下是相关的 API:
Here are the relevant API's though:
- AppRoleAssignments
- AppRoles
这篇关于使用 Graph Api 对租户进行角色计数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!