使用 Azure Resource Graph 获取其他用户的资源
[英]Using Azure Resource Graph to get other user's Resources
问题描述
I am trying to query with an app ID all the resources a user has.
我正在尝试使用应用程序 ID 查询用户拥有的所有资源。 My current implementation is to get all the resources my app has access to, and then query the RBAC of each one of those resources to see if the user has access.我当前的实现是获取我的应用程序有权访问的所有资源,然后查询每个资源的 RBAC 以查看用户是否有权访问。 It seems to be way too many calls for something it can be done for my current user using Azure Resource Graph.使用 Azure Resource Graph 为我当前的用户可以完成的事情似乎太多了。 Is there a way to use Azure Resource Graph but specify which user I want to get the resources for (assuming my app has reader access to all resources in the tenant)?有没有办法使用 Azure Resource Graph 但指定我想要为其获取资源的用户(假设我的应用程序具有对租户中所有资源的读者访问权限)?
1 个解决方案
解决方案1
1 已采纳 2020-03-17 07:10:03
From your description, want you need to find is the role assignments in your subscription, its resource type is Microsoft.Authorization/roleAssignments , which is not included in the Azure Resource Graph.从您的描述中,您需要查找的是订阅中的角色分配,其资源类型为Microsoft.Authorization/roleAssignments ,未包含在 Azure 资源图中。
Your option is to use the REST API - Role Assignments - List , filter with the ObjectId of the user in Azure AD.您可以选择使用 REST API - Role Assignments - List ,并使用 Azure AD 中用户的ObjectId进行筛选。 To get the access token to call the REST API with the AD App(the AppId you mentioned), you need to use the client credential flow, refer to this link .要获取访问令牌以使用 AD App(您提到的 AppId)调用 REST API,您需要使用客户端凭据流,请参阅此链接。
Sample :样品:
Check the scope in the response, they are the resources the user can access.检查响应中的scope ,它们是用户可以访问的资源。
GET https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleAssignments?$filter=principalId eq '<object-id>'&api-version=2018-09-01-preview
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.