问题描述

我试图弄清楚如何使用 Azure Active Directory 的 Graph API 从组或用户中删除 AppRoleAssignment.我正在使用 .NET SDK (Microsoft.Azure.ActiveDirectory.GraphClient).

I'm trying to figure out how to delete an AppRoleAssignment from either an Group or a User using the Graph API for Azure Active Directory. I'm using the .NET SDK (Microsoft.Azure.ActiveDirectory.GraphClient).

我尝试使用每个 IEntityBase 上的标准 DeleteAsync 方法，但它失败并出现错误.它发出一个如下所示的 HTTP 请求:

I've tried using the standard DeleteAsync method that's on every IEntityBase, but it fails with an error. It's issuing an HTTP request that looks like this:

DELETE/{tenantId}/directoryObjects/{appRoleAssignment ObjectID}/Microsoft.DirectoryServices.AppRoleAssignment?api-version=1.5

失败并返回 400 Bad Request 并显示错误不支持直接查询此资源类型."

which fails with a 400 Bad Request with the error "Direct queries to this resource type are not supported."

根据 this Microsoft blog post 说您需要执行如下所示的 HTTP 请求:

This isn't the correct way to delete AppRoleAssignments using the Graph API according to this Microsoft blog post which says you need to do an HTTP request that looks like:

DELETE/{tenantId}/users/{user object ID}/appRoleAssignments/{appRoleAs}?api-version=1.5

如果我使用 HttpClient 使用该 URL 格式执行手动 HTTP 请求，它可以工作，但我想知道如何在 .NET 库的范围内执行此操作，而不是自己执行手动 HTTP 请求.

If I do a manual HTTP request using HttpClient using that URL format, it works, but I want to know how to do this within the bounds of the .NET library rather than doing manual HTTP requests myself.

如何通过 .NET 库删除 AppRoleAssignments?

How do I delete AppRoleAssignments via the .NET library?

推荐答案

虽然不固定，但您可以手动发出 HTTP 请求，但仍使用 Azure AD SDK 获取令牌.像这样的:

While it is not fixed, you can make a manual HTTP-request, but still using Azure AD SDK to acqure the token. Something like this:

var tenantId = "<guid> tenant id";
var appId = "<guid> your Azure app id";
var appKey = "your app key";
var authority = "i.e. https://login.windows.net/mycompany.onmicrosoft.com";
var graphUrl = "https://graph.windows.net/";

public async Task RemoveRoleFromUser(Guid userId, string roleObjectId) {
    var uri = string.Format("{0}/users/{1}/appRoleAssignments/{2}?api-version=1.5", tenantId, userId, roleObjectId);
    await ExecuteRequest<object>(uri, HttpMethod.Delete);
}

private async Task<T> ExecuteRequest<T>(string uri, HttpMethod method = null, Object body = null) where T : class {
    if (method == null) method = HttpMethod.Get;
    T response;
    var token = await AcquireTokenAsyncForApplication();
    using (var httpClient = new HttpClient { BaseAddress = getServicePointUri() }) {
        var request = new HttpRequestMessage(method, uri);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        if (body != null) {
            request.Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json");
        }
        var responseMessage = await httpClient.SendAsync(request).ConfigureAwait(false);
        responseMessage.EnsureSuccessStatusCode();
        response = await responseMessage.Content.ReadAsAsync<T>();
    }
    return response;
}

private async Task<string> AcquireTokenAsyncForApplication() {
    ClientCredential clientCred = new ClientCredential(appId, appKey);
    var authenticationContext = new AuthenticationContext(authority, false);
    AuthenticationResult authenticationResult = authenticationContext.AcquireToken(graphUrl, clientCred);
    return authenticationResult.AccessToken;
}

private Uri getServicePointUri() {
    Uri servicePointUri = new Uri(graphUrl);
    Uri serviceRoot = new Uri(servicePointUri, tenantId);
    return serviceRoot;
}

这篇关于如何使用 Azure Active Directory .NET SDK 删除 AppRoleAssignment?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！