Azure AD - Retrieve a On-Prem AD Group Common Name

风格不统一 submitted on 2019-12-23 05:25:13

Question


I have an application that needs to filter permissions based on their on-prem AD common name. A couple of notes:

  • Azure AD Connect is syncing data between OnPrem AD and Azure
  • I am successfully retrieving the logged on user's group information from Azure Graph API into the Web Application.

The problem I'm having is that the data returned from the Graph API is not what I need, or I have not configured Azure AD Connect properly. The Graph API JSON return object for groups is documented here.

Here is the Group object returned from Graph API:

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Group/@Element",
  "odata.type": "Microsoft.DirectoryServices.Group",
  "objectType": "Group",
  "objectId": "b4bda672-1fba-4711-8fb1-5383c40b2c14",
  "deletionTimestamp": null,
  "description": "Marketing Department",
  "dirSyncEnabled": null,
  "displayName": "Marketing",
  "lastDirSyncTime": null,
  "mail": null,
  "mailNickname": "BposMailNickName",
  "mailEnabled": false,
  "onPremisesSecurityIdentifier": null,
  "provisioningErrors": [],
  "proxyAddresses": [],
  "securityEnabled": true
}

The closest thing I can find is "Display Name", but this is not the Common Name. An option, one I don't want to use, is to make all of the "Display Names" the same as the group CN.

TL;DR: Is a user group's CN accessible through the Graph API and, if so, how can I get to this data?

Update: I'm using the Graph API endpoint getObjectsByObjectIds to hit the Graph API once I have retrieved all of the user's group IDs.


Answer 1:


CN is not accessible through Graph API (AAD or Microsoft Graph). If you are looking for a common unique identifier between on-premises and the cloud, then you could use the on-premises group SID (in the cloud, onPremisesSecurityIdentifier). This property is filterable.

The only other option I can think of (if that's not acceptable and you really need CN) is to use directory schema extensions, to extend the group entity with an additional CN property. Schema extensions are also filterable. Please also take a look at the latest AD Connect versions, as I believe they offer the ability to create/configure AAD cloud schema extensions and map from on-premises.

Hope this helps,
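Added example (not from the question or answer above): it shows what keying the application's permission check on onPremisesSecurityIdentifier, as the answer suggests, looks like against a group list of the shape shown in the question, and why matching on displayName instead would let a cloud-only group with a colliding name inherit the on-prem group's permissions. The group objects, SIDs, permission names and the api-version value are constructed for the example.

```python
import json
from urllib.parse import urlencode, quote

# Constructed sample: a user's groups as getObjectsByObjectIds returns them (shape as
# in the question; object ids and SIDs are made up). Group 1 is synced from on-prem AD,
# group 2 is cloud-only with the same displayName, group 3 is a synced mail-only group.
SAMPLE_GROUPS = json.loads("""[
  {"objectId": "b4bda672-1fba-4711-8fb1-5383c40b2c14", "displayName": "Marketing", "dirSyncEnabled": true,
   "securityEnabled": true, "onPremisesSecurityIdentifier": "S-1-5-21-1000000001-1000000002-1000000003-1105"},
  {"objectId": "6f3e2c1a-0000-4000-8000-000000000002", "displayName": "Marketing", "dirSyncEnabled": null,
   "securityEnabled": true, "onPremisesSecurityIdentifier": null},
  {"objectId": "6f3e2c1a-0000-4000-8000-000000000003", "displayName": "All Staff", "dirSyncEnabled": true,
   "securityEnabled": false, "onPremisesSecurityIdentifier": "S-1-5-21-1000000001-1000000002-1000000003-1201"}
]""")

# Hypothetical application config: permissions keyed by on-prem group SID
# (the stable join key the answer recommends) rather than by CN or displayName.
PERMISSIONS_BY_SID = {
    "S-1-5-21-1000000001-1000000002-1000000003-1105": {"campaigns:read", "campaigns:write"},
    "S-1-5-21-1000000001-1000000002-1000000003-1201": {"intranet:read"},
}

def permissions_by_sid(groups, permission_map):
    """Grant only via security-enabled groups synced from on-prem AD, matched on
    onPremisesSecurityIdentifier. Cloud-only and mail-only groups grant nothing."""
    granted = set()
    for g in groups:
        sid = g.get("onPremisesSecurityIdentifier")
        if sid is None or not g.get("securityEnabled"):
            continue  # cloud-only group, or distribution/mail-only group
        granted |= permission_map.get(sid, set())
    return granted

def permissions_by_display_name(groups, permission_map_by_name):
    """The alternative the question considers, kept only to show the problem:
    displayName is neither unique nor immutable, so colliding names also match."""
    granted = set()
    for g in groups:
        granted |= permission_map_by_name.get(g.get("displayName"), set())
    return granted

def group_filter_url(sid):
    """Azure AD Graph URL filtering groups on the on-prem SID (the answer states the
    property is filterable; api-version 1.6 is an assumption of this example)."""
    params = {"api-version": "1.6",
              "$filter": f"onPremisesSecurityIdentifier eq '{sid}'"}
    return "https://graph.windows.net/myorganization/groups?" + urlencode(params, quote_via=quote)
```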



Source: https://stackoverflow.com/questions/35878421/azure-ad-retrieve-a-on-prem-ad-group-common-name
