Question
I'm trying to leverage the beta api for assigning azure users to applications.
I looked at the documentation and tried a variety of attempts in a C# console app using HttpClient and WebClient and couldn't succeed. I then went to the Microsoft graph explorer https://developer.microsoft.com/en-us/graph/graph-explorer . I couldn't get it to work.
I looked at the documentation https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/approleassignment_get
The document's actual description of the HTTP request doesn't match the example. The Graph Explorer seems to hint that the example is correct, but through various attempts, I can only get a response of
{
"error": {
"code": "Request_UnsupportedQuery",
"message": "Direct queries to this resource type are not supported.",
...
}
}
My essential url is https://graph.microsoft.com/beta/appRoleAssignments/
The example says {id} but I have no idea what to put in. I put in several guids, user ids, object ids, resource ids, and none worked.
It isn't giving any access denied messages, so I assume it has nothing to do with scopes (although the documentation is a little empty regarding that as well).
Ideally, I'd be able to see whether a given guest Azure user has access to a particular app, then I'd be able to go and update the assignment. I'll probably also need to delete the assignment as well.
Answer 1:
It looks like the Microsoft Graph API's beta endpoint doesn't currently allow you to list AppRoleAssignments. [Edit (2018-10-11): The Microsoft Graph beta endpoint now supports the ability to list AppRoleAssignments, though you should still use Azure AD Graph for any production application, until it gets to v1.0.] Fortunately, the Azure AD Graph API does work for this (plus, it's not a beta endpoint, so it's more likely to be stable).
To list all app roles a user is assigned (with Azure AD Graph and Microsoft Graph (beta)):
https://graph.windows.net/{tenant-id}/users/{id}/appRoleAssignments?api-version=1.6
https://graph.microsoft.com/beta/users/{id}/appRoleAssignments
To list all app roles a group is assigned:
https://graph.windows.net/{tenant-id}/groups/{id}/appRoleAssignments?api-version=1.6
https://graph.microsoft.com/beta/groups/{id}/appRoleAssignments
To do the reverse, and list all users or groups assigned to an app:
https://graph.windows.net/{tenant-id}/servicePrincipals/{id}/appRoleAssignedTo?api-version=1.6
https://graph.microsoft.com/beta/servicePrincipals/{id}/appRoleAssignedTo
Answer 2:
In the new Azure portal, under "Enterprise applications" > (your app) > "Users and groups", you'll see the list of users who are assigned to the application, as well as the app role they are assigned to. After testing, you could do the equivalent thing using the Microsoft Graph API request:
https://graph.microsoft.com/beta/servicePrincipals/d0790296-0a14-4ab1-8f6c-4e4d3eb03036/appRoleAssignments
You could get the service principal's ID under "Enterprise applications" > (your app) > Properties > Object ID. Here is a sample of the response:
id is the role id. In your scenario, you could check whether a record exists where the principalId matches the object id of the specific user and principalType is User.
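The "Direct queries to this resource type are not supported" error in the question comes from addressing appRoleAssignments as a top-level collection; as both answers show, the collection is only reachable through a user, group or service principal. The following is an added example (not code from the question or either answer) showing how a practitioner would implement the check described above: page through the service principal's appRoleAssignedTo results following @odata.nextLink, match on principalId (the user's object id, never a display name) with principalType "User", and build the corresponding delete request. The HTTP layer is injected as a callable so the sample runs offline against constructed pages; the user and group GUIDs are made up, the service principal id is the one quoted in Answer 2, and the DELETE path is the one documented for the current v1.0 API rather than anything stated on this page.

```python
"""Added example: locate a user's direct assignment to an app via Microsoft Graph
appRoleAssignedTo, handling pagination, and derive the delete request."""
from typing import Callable, Dict, Iterator, Optional, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"


def assigned_to_url(service_principal_id: str) -> str:
    """Endpoint from Answer 1: every user/group assigned to the app."""
    return f"{GRAPH_BETA}/servicePrincipals/{service_principal_id}/appRoleAssignedTo"


def user_assignments_url(user_object_id: str) -> str:
    """Endpoint from Answer 1: every app role a user is directly assigned."""
    return f"{GRAPH_BETA}/users/{user_object_id}/appRoleAssignments"


def iter_pages(fetch_json: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every item across all pages, following @odata.nextLink.

    Graph truncates collections; stopping at the first page would silently
    miss assignments, so never treat one page as the whole answer.
    """
    seen = set()
    while url:
        if url in seen:  # defensive: a misbehaving nextLink must not loop forever
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch_json(url)
        for item in page.get("value", []):
            yield item
        url = page.get("@odata.nextLink")


def find_user_assignment(fetch_json: Callable[[str], dict],
                         service_principal_id: str,
                         user_object_id: str) -> Optional[dict]:
    """Return the appRoleAssignment for this user on this app, or None.

    Only direct assignments with principalType == "User" count. An assignment
    whose principal is a group the user belongs to is deliberately not matched:
    it has the group's id as principalId, so a direct check cannot see it.
    """
    wanted = user_object_id.lower()
    for a in iter_pages(fetch_json, assigned_to_url(service_principal_id)):
        if a.get("principalType") == "User" and a.get("principalId", "").lower() == wanted:
            return a
    return None


def delete_request(user_object_id: str, assignment_id: str) -> Tuple[str, str]:
    """Method and URL to remove a direct assignment (v1.0 path, assumed here)."""
    return ("DELETE", f"https://graph.microsoft.com/v1.0/users/{user_object_id}"
                      f"/appRoleAssignments/{assignment_id}")


# --- constructed sample data (not a real tenant) ---------------------------
SP_ID = "d0790296-0a14-4ab1-8f6c-4e4d3eb03036"        # service principal from Answer 2
GUEST_ID = "11111111-1111-1111-1111-111111111111"      # made-up guest user object id
OTHER_USER_ID = "22222222-2222-2222-2222-222222222222"  # made-up member user
GROUP_ID = "33333333-3333-3333-3333-333333333333"      # made-up group
ROLE_ID = "44444444-4444-4444-4444-444444444444"       # made-up appRoleId

_PAGE2 = assigned_to_url(SP_ID) + "?$skiptoken=page2"
SAMPLE_PAGES: Dict[str, dict] = {
    assigned_to_url(SP_ID): {
        "value": [
            {"id": "a1", "principalId": GROUP_ID, "principalType": "Group",
             "principalDisplayName": "Finance", "appRoleId": ROLE_ID, "resourceId": SP_ID},
            {"id": "a2", "principalId": OTHER_USER_ID, "principalType": "User",
             "principalDisplayName": "Alice", "appRoleId": ROLE_ID, "resourceId": SP_ID},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"id": "a3", "principalId": GUEST_ID, "principalType": "User",
             "principalDisplayName": "Bob (Guest)", "appRoleId": ROLE_ID, "resourceId": SP_ID},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; a real client adds the bearer token."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    hit = find_user_assignment(sample_fetch, SP_ID, GUEST_ID)
    print("guest assignment:", hit and hit["id"])
    print("delete via:", *delete_request(GUEST_ID, hit["id"]))
```

Two caveats a practitioner will hit in practice: the user-side query (`users/{id}/appRoleAssignments`) lists direct assignments only, so a guest granted access through a group membership will not appear there and must be found by checking the group's assignment instead; and listing assignments needs a directory-read permission while creating or deleting them needs a write permission (in today's Graph, `AppRoleAssignment.ReadWrite.All`), so a 403 rather than the `Request_UnsupportedQuery` error above points at consent, not at the URL.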
Source: https://stackoverflow.com/questions/45203126/how-to-use-approleassignment-in-graph-api