How to use the Microsoft Graph API for assigning a role to a user in Azure AD

I have created the below role in the app registration manifest:

"appRoles": [
   {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Student",
      "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
      "isEnabled": true,
      "description": "Student",
      "value": "Student"
    }
  ],

Now I am using the appRoleAssignment API to assign a role to the user. I am following this documentation. On this page, it says that we need to use the API below with the JSON body:

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

I am unable to understand what I should use for principalId, resourceId and appRoleId. As per that page, it says that:

principalId: The id of the client service principal to which you are assigning the app role.
resourceId: The id of the resource servicePrincipal (the API) which has defined the app role (the application permission).
appRoleId: The id of the appRole (defined on the resource service principal) to assign to the client service principal.

But what I could understand is that principalId is the ID of the user I have in the active directory for which I want to assign the role,

which in my case is the ObjectId in the photo below:

(screenshot of the user's ObjectId in the Azure portal)

Is this correct?

resourceId is the tenant ID and appRoleId is the ID I used while creating the app role above, which is d1c2ade8-98f8-45fd-aa4a-6d06b947c66f.

Putting it all together, if I make a request in Python:

import json
import http.client

token = get_token()  # the asker's own helper that obtains the access token (not shown)
headers = {'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json'}

user_data = {
    "principalId": "1bc79085-12qw-4fad-8da8-647f4b4b2927",
    "resourceId": "c01b6482-3ccd-4533-8c98-a7c5e8067cc8",
    "appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"
}
j_data = json.dumps(user_data)
conn = http.client.HTTPSConnection('graph.microsoft.com')
# the id in the path below is the same value that is sent as principalId
conn.request("POST", "/v1.0/servicePrincipals/1bc79085-12qw-4fad-8da8-647f4b4b2927/appRoleAssignments", j_data, headers)
response = conn.getresponse()
rdata = response.read()

I am getting the below response:

{
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource '1bc79085-12qw-4fad-8da8-647f4b4b2927' does not exist or one of its queried reference-property objects are not present.",
    "innerError": {
      "date": "2020-10-26T05:16:35",
      "request-id": "1c87a140-7bc9-499d-82dd-bc1dcb54e075",
      "client-request-id": "1c87a140-7bc9-499d-82dd-bc1dcb54e075"
    }
  }
}

Can anyone please help me debug this? Please help. Thanks

EDIT:

Error:

{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource '261eda4b-6eee-45ba-a176-259960603409' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "date": "2020-10-26T07:09:38",
            "request-id": "8dc2ea73-63e5-45b5-8127-445df777c1e1",
            "client-request-id": "8dc2ea73-63e5-45b5-8127-445df777c1e1"
        }
    }
}

JSON:

{
    "principalId": "f923e078-ca9d-4611-a80e-bebb712ad7d1",  
    "resourceId": "261eda4b-6eee-45ba-a176-259960603409",   
    "appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"  
}

POST URL: https://graph.microsoft.com/v1.0/servicePrincipals/261eda4b-6eee-45ba-a176-259960603409/appRoleAssignments

GET URL to get the object id: https://graph.microsoft.com/v1.0/serviceprincipals?$select=id&$filter=displayName eq '{useracces}'

(screenshot of the portal steps used to find the service principal's object ID)

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

In this example, {id} and {resourceId-value} would both be the object id of the resource service principal, which is the enterprise app associated with the Azure AD app you have created appRoles in.

And {principalId-value} would be the object id of the user.

{appRoleId-value} is the id of the app role you created in the manifest.

UPDATE:

The steps you used to get the object id of the service principal are correct.

If you want to get it using the Graph API, you can do it like this:

GET https://graph.microsoft.com/v1.0/serviceprincipals?$select=id&$filter=displayName eq '{app name}'
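The following script is an added example, not code from the question or the answer. It wires the answer's pieces together in the asker's language: the displayName lookup from the UPDATE (also selecting appRoles, so the role id is read from the service principal instead of copied from the manifest), then the appRoleAssignedTo POST with the service principal's object id in both the path and resourceId and the user's object id as principalId. The ids SAMPLE_SP_ID and SAMPLE_USER_ID are constructed placeholders, the app role is the Student role from the question's manifest, and fake_send is an offline stand-in for Graph that also reproduces the question's Request_ResourceNotFound when a user id is put in the servicePrincipals slot. Against the real service the caller's token must carry the AppRoleAssignment.ReadWrite.All permission; the helper refuses disabled or non-user roles and fails closed if more than one enterprise app shares the display name, since an assignment is an authorization decision and should not be made on an ambiguous match.

```python
import json
import urllib.parse

# Constructed sample directory for the offline demo (placeholder ids, not real tenant data).
SAMPLE_SP_ID = "aaaaaaaa-0000-4000-8000-000000000001"    # resource service principal (enterprise app)
SAMPLE_USER_ID = "bbbbbbbb-0000-4000-8000-000000000002"  # object id of the user being assigned
STUDENT_ROLE_ID = "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"  # appRole id from the question's manifest
SAMPLE_SP = {
    "id": SAMPLE_SP_ID,
    "displayName": "useracces",
    "appRoles": [{
        "allowedMemberTypes": ["User"], "displayName": "Student", "id": STUDENT_ROLE_ID,
        "isEnabled": True, "description": "Student", "value": "Student",
    }],
}


def service_principal_lookup_path(app_display_name):
    """Path of the GET from the answer's UPDATE, selecting appRoles as well as id."""
    literal = app_display_name.replace("'", "''")  # OData escapes a quote by doubling it
    query = urllib.parse.urlencode(
        {"$select": "id,appRoles", "$filter": f"displayName eq '{literal}'"},
        quote_via=urllib.parse.quote,
    )
    return "/v1.0/servicePrincipals?" + query


def find_app_role_id(service_principal, role_value):
    """Resolve an appRole id by its 'value'; refuse roles that are disabled or not user-assignable."""
    for role in service_principal.get("appRoles", []):
        if role.get("value") != role_value:
            continue
        if not role.get("isEnabled", False):
            raise ValueError(f"app role {role_value!r} is disabled")
        if "User" not in role.get("allowedMemberTypes", []):
            raise ValueError(f"app role {role_value!r} is not assignable to users")
        return role["id"]
    raise LookupError(f"no app role with value {role_value!r}")


def build_assignment_request(resource_sp_id, user_id, app_role_id):
    """(method, path, body) for the appRoleAssignedTo POST shown in the answer: the path id
    and resourceId are both the resource service principal's object id, principalId is the
    user's object id, appRoleId the role defined on that service principal."""
    path = f"/v1.0/servicePrincipals/{resource_sp_id}/appRoleAssignedTo"
    body = {"principalId": user_id, "resourceId": resource_sp_id, "appRoleId": app_role_id}
    return "POST", path, body


def assign_app_role(send, token, app_display_name, user_id, role_value):
    """Resolve the enterprise app by name, pick the role, post the assignment.
    `send(method, path, body, headers)` is an injected transport returning (status, parsed json)."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    status, found = send("GET", service_principal_lookup_path(app_display_name), None, headers)
    candidates = found.get("value", []) if status == 200 else []
    if len(candidates) != 1:  # two apps with the same display name would be ambiguous
        raise LookupError(f"expected one service principal named {app_display_name!r}, got {len(candidates)}")
    sp = candidates[0]
    method, path, body = build_assignment_request(sp["id"], user_id, find_app_role_id(sp, role_value))
    status, result = send(method, path, json.dumps(body), headers)
    if status != 201:  # Graph answers a successful appRoleAssignedTo POST with 201 Created
        raise RuntimeError(f"assignment failed with HTTP {status}: {result.get('error', {}).get('code')}")
    return result


def http_client_send(method, path, body, headers):
    """Real transport over http.client, as in the question's script (not used offline)."""
    import http.client
    conn = http.client.HTTPSConnection("graph.microsoft.com")
    conn.request(method, path, body, headers)
    resp = conn.getresponse()
    raw = resp.read()
    return resp.status, (json.loads(raw) if raw else {})


def fake_send(method, path, body, headers):
    """Offline stand-in for Graph that knows only the constructed service principal above.
    Anything but that service principal's id in the path reproduces the question's 404."""
    if method == "GET" and path.startswith("/v1.0/servicePrincipals?"):
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
        hit = params.get("$filter", [""])[0] == f"displayName eq '{SAMPLE_SP['displayName']}'"
        return 200, {"value": [{"id": SAMPLE_SP["id"], "appRoles": SAMPLE_SP["appRoles"]}] if hit else []}
    if method == "POST" and path.endswith("/appRoleAssignedTo"):
        target = path.split("/")[3]
        if target != SAMPLE_SP_ID:
            return 404, {"error": {"code": "Request_ResourceNotFound",
                                   "message": f"Resource '{target}' does not exist"}}
        return 201, {"id": "constructed-assignment-id", **json.loads(body)}
    return 400, {"error": {"code": "BadRequest"}}


if __name__ == "__main__":
    print(assign_app_role(fake_send, "<token>", "useracces", SAMPLE_USER_ID, "Student"))
```

To run it against a tenant, pass http_client_send instead of fake_send together with a real bearer token. The transport is injected so the request-building logic can be exercised without network access, and so that a log of every (method, path, body) the script emits can be kept for audit.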
