[英]How to create role assignments using Azure Active Directory Graph client in C#?
I'm using this library : Microsoft.Azure.ActiveDirectory.GraphClient
class: ActiveDirectoryClient
. 我正在使用此库:
Microsoft.Azure.ActiveDirectory.GraphClient
类: ActiveDirectoryClient
。
I'd like to give an Application (I have the appID) "Owner" access to some subscription. 我想给一个应用程序(我有appID)“所有者”访问某些订阅。 How would I go about doing that?
我将如何去做? Thanks
谢谢
The whole premise of this question is incorrect. 这个问题的全部前提是不正确的。 The
GraphClient
is not the right client to manage such authorizations. GraphClient
不是管理此类授权的正确客户端。 The proper API library for that is Microsoft.Azure.Management.Authorization
and the class AuthorizationManagementClient
. 正确的API库是
Microsoft.Azure.Management.Authorization
和类AuthorizationManagementClient
。
I will post additional notes on the actual sequence of calls. 我将在实际的通话顺序中添加其他注释。
*** Update *********** ***更新************
As promised here's the sample code: 如所承诺的,这里是示例代码:
public static async Task<IServicePrincipal> GetServicePrincipalAsync(string accessToken, string tenantId, string clientId)
{
var graphClient = NewActiveDirectoryClient(accessToken, tenantId);
var matches = await graphClient.ServicePrincipals.Where(sp => sp.AppId == clientId).ExecuteAsync();
return matches.CurrentPage.ToList().FirstOrDefault();
}
private static ActiveDirectoryClient NewActiveDirectoryClient(string accessToken, string tenantId)
{
TaskCompletionSource<string> tcs = new TaskCompletionSource<string>();
tcs.SetResult(accessToken);
return new ActiveDirectoryClient(
new Uri($"{GraphApiBaseUrl}{tenantId}"),
async () => { return await tcs.Task; });
}
First you need to get the ObjectId of the principal you want to add. 首先,您需要获取要添加的主体的ObjectId。 In the case of ServicePricipal I have a function that gets it from the directory like so:
对于ServicePricipal,我有一个从目录中获取它的函数,如下所示:
Then using that and a scope ("/subscriptions/{my_subscription_id}", for the entire subscription) you can create a RoleAssignment: 然后,使用它和一个范围(对于整个订阅,为“ / subscriptions / {my_subscription_id}”),您可以创建RoleAssignment:
public static async Task AssignRoleToPrincipalAsync(
string accessToken,
string subscriptionId,
string scope,
string roleName,
string principalObjectId)
{
using (var client = NewAuthorizationManagementClient(accessToken, subscriptionId))
{
RoleDefinition roleDef = (await FindRoleDefinitionAsync(accessToken, subscriptionId, scope, roleName)).FirstOrDefault();
if (roleDef == null)
throw new Exception($"Role was not found: {roleName}");
var props = new RoleAssignmentProperties()
{
PrincipalId = principalObjectId,
RoleDefinitionId = roleDef.Id
};
await client.RoleAssignments.CreateAsync(scope, Guid.NewGuid().ToString("N"), props);
}
}
private static AuthorizationManagementClient NewAuthorizationManagementClient(string accessToken, string subscriptionId)
{
return new AuthorizationManagementClient(new TokenCredentials(accessToken)) { SubscriptionId = subscriptionId};
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.