Microsoft Graph Azure AD用户不同步
[英]Microsoft Graph Azure AD User Out Of Sync
问题描述
When I log onto the Microsoft Graph Explorer with my Microsoft account and run the following query https://graph.microsoft.com/v1.0/users/ I get the correct user returned. 
当我使用Microsoft帐户登录到Microsoft Graph Explorer并运行以下查询https://graph.microsoft.com/v1.0/users/时,我得到了返回的正确用户。
On Azure AD (using the same login) I created an application with a key and when I sign in through c# using Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials with a token for resource https://graph.microsoft.com and run the same query I get a completely different user. 在Azure AD上(使用相同的登录名),我创建了一个具有密钥的应用程序,当我使用Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials通过c#登录并使用令牌https://graph.microsoft.com并运行同一查询,我得到一个完全不同的用户。 They are out of sync and I'm baffled. 他们不同步,我感到困惑。
Any ideas? 有任何想法吗? Should I create a new Azure account as I've had the Azure account from day 1 and I'm only doing this now to test for a client request. 我应该创建一个新的Azure帐户,就像从第一天起就拥有Azure帐户一样,现在我只是这样做以测试客户端请求。
1 个解决方案
解决方案1
0 已采纳 2017-08-05 16:59:01
Don't create a new Azure account. 不要创建新的Azure帐户。 When you are using Graph Explorer, are you signed in with a user from your Azure AD tenant? 使用Graph Explorer时,是否与Azure AD租户中的用户登录? If not, Graph Explorer will default to use a demo tenant for your queries. 否则,Graph Explorer将默认使用演示租户进行查询。
Also (if you have more than one tenant) you need to make sure that you select the correct tenant as part of the token acquisition (from https://login.microsoftonline.com/{tenantId | tenantDomain} . If you want the results to match between Graph Explorer and your app, the tenant the signed-in user belongs to (for Graph Explorer case) and the tenant used by your app needs to be the same. 另外(如果您有多个租户),还需要确保选择正确的租户作为令牌获取的一部分(来自https://login.microsoftonline.com/{tenantId | tenantDomain} 。为了在Graph Explorer和您的应用之间匹配,登录用户所属的租户(对于Graph Explorer情况)和您的应用所使用的租户必须相同。
UPDATE based on comment below: 根据以下评论进行更新:
I think I know what's going on here. 我想我知道这是怎么回事。 In graph explorer, you are signing in with your personal account - and it's showing you profile data of that personal account, including the unique ID for this account in the Microsoft Account system. 在graph Explorer中,您正在使用您的个人帐户登录-并且正在显示该个人帐户的配置文件数据,包括该帐户在Microsoft帐户系统中的唯一ID。 In this case you aren't signing into an Azure AD tenant at all. 在这种情况下,您根本不会登录Azure AD租户。 Microsoft Graph supports access from both personal and commercial accounts. Microsoft Graph支持从个人帐户和商业帐户进行访问。
Now, additionally, I'm guessing when you signed up for an Azure subscription, you used this personal account. 现在,此外,我猜您在注册Azure订阅时是使用此个人帐户。 When you do that, it creates an Azure AD tenant, and creates a guest user in that tenant that is (linked to) your personal account - this account is also configured as an admin account. 执行此操作时,它将创建一个Azure AD租户,并在与您的个人帐户(链接到该个人帐户)的该租户中创建一个来宾用户 -该帐户也配置为管理员帐户。 This mechanism allows you to sign in with your personal account (authenticated by the Microsoft Account system) into an Azure AD tenant, because the personal account maps to this guest user in your tenant. 通过此机制,您可以使用个人帐户(由Microsoft帐户系统验证)登录到Azure AD租户,因为该个人帐户映射到您的租户中的该来宾用户。 In your application, you are getting an app token to your Azure AD tenant. 在您的应用程序中,您将向Azure AD租户获取一个应用程序令牌。 When you query the tenant for users, you don't see any user with the same id or email address as you did with graph explorer. 当查询租户中的用户时,您不会看到具有与图浏览器相同的ID或电子邮件地址的任何用户。 However if you actually look at the userPrincipalName, you'll see it should be a mangled form of the original email address of your personal account. 但是,如果您实际上查看userPrincipalName,则会看到它应该是您个人帐户原始电子邮件地址的错误形式。 This indicates that this Azure AD user account in your tenant is a guest/external user (similar to a foreign principal). 这表明您的租户中的该Azure AD用户帐户是访客/外部用户(类似于外部委托人)。
Hope this helps, 希望这可以帮助,
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.