Problem description

Is there a way to find each role that exists against a tenant and the number of users which have been assigned against each role, using the GraphServiceClient or GraphConnection class? I am using C#.
Recommended answer

Directory Roles - Finding all directory roles and the count of their members for a tenant
I have given sample code for both the Microsoft Graph API (https://graph.microsoft.com) and the Azure AD Graph API (https://graph.windows.net), but it would be strongly recommended to use the newer Microsoft Graph API unless there is something specific that you aren't able to get from it, and only then look at the Azure AD Graph API.

Look here for more detailed comparisons: Microsoft Graph or Azure AD Graph

Here are the NuGet package and class details, as you've asked in the comments:
- Microsoft.Graph NuGet package - to work with the Microsoft Graph API and use the GraphServiceClient class.
- Microsoft.Azure.ActiveDirectory.GraphClient NuGet package - to work with the Azure AD Graph API and use the ActiveDirectoryClient class.
Microsoft Graph API

API - List directory roles and List members
    // List the directory roles activated in the tenant (a paged collection)
    var roles = await graphServiceClient.DirectoryRoles.Request().GetAsync();
    // For each DirectoryRole "role" in roles, list its members (also paged);
    // GetAsync() returns a Task, so it must be awaited before members is used
    var members = await graphServiceClient.DirectoryRoles[role.Id].Members.Request().GetAsync();
Azure AD Graph API

API - Get directory roles and Get members of a directory role
    // ExecuteAsync() returns a Task<IPagedCollection<IDirectoryRole>>; await it
    var directoryRoles = await activeDirectoryClient.DirectoryRoles.ExecuteAsync();
    // For each IDirectoryRole "role" in directoryRoles.CurrentPage, read its members
    var members = await activeDirectoryClient.DirectoryRoles[role.ObjectId].Members.ExecuteAsync();
NOTE: While testing the code I also noticed a slight difference in the behavior of the 2 APIs. Microsoft Graph only returns users when you ask for members of a directory role. Azure AD Graph, on the other hand, returned both users and service principals. See my code for a special check in the case of Azure AD Graph.

Also note that many of the results you get will be paginated collections, so you may need to handle pagination in the case of multiple pages of results.
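As an added example that is not part of the original answer, here is the Microsoft Graph SDK v1.x (Microsoft.Graph package) path carried through end to end: it walks every page of directory roles and every page of each role's members, counts only User objects, and returns a map from role display name to user count. GetTokenForApplication() is an assumed helper that returns an app-only bearer token for Microsoft Graph (the answer's own Azure AD Graph snippet assumes the same helper). Note that /directoryRoles lists only the roles that have been activated in the tenant, so roles nobody has ever been assigned to will not appear.

```csharp
// Added example, not code from the original answer.
// Assumes the Microsoft.Graph v1.x NuGet package and an assumed helper
// GetTokenForApplication() that returns an app-only bearer token string.
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class DirectoryRoleCounter
{
    // Returns { role display name -> number of User members } for every activated
    // directory role, following NextPageRequest on both paged collections.
    public static async Task<Dictionary<string, int>> CountUsersPerDirectoryRoleAsync(
        GraphServiceClient client)
    {
        var counts = new Dictionary<string, int>();

        // /directoryRoles only contains roles that have been activated in the tenant.
        var rolesPage = await client.DirectoryRoles.Request().GetAsync();
        while (rolesPage != null)
        {
            foreach (var role in rolesPage)
            {
                int userCount = 0;
                var membersPage = await client.DirectoryRoles[role.Id].Members.Request().GetAsync();
                while (membersPage != null)
                {
                    foreach (var member in membersPage)
                    {
                        // Count user principals only; the type check excludes any
                        // service principals or groups that appear as members.
                        if (member is User)
                        {
                            userCount++;
                        }
                    }
                    // Members can span several pages; stop when there is no next page.
                    membersPage = membersPage.NextPageRequest == null
                        ? null
                        : await membersPage.NextPageRequest.GetAsync();
                }
                counts[role.DisplayName] = userCount;
            }
            rolesPage = rolesPage.NextPageRequest == null
                ? null
                : await rolesPage.NextPageRequest.GetAsync();
        }
        return counts;
    }

    public static async Task Main()
    {
        // Attach the assumed token helper to every request as a Bearer header.
        var client = new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
        {
            string token = await GetTokenForApplication(); // assumed helper, not shown
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        }));

        foreach (var entry in await CountUsersPerDirectoryRoleAsync(client))
        {
            Console.WriteLine("Role = {0}, Users = {1}", entry.Key, entry.Value);
        }
    }
}
```

The app registration behind GetTokenForApplication() needs a read-only directory permission (Directory.Read.All is sufficient) and nothing broader; an inventory job like this should never hold write permissions on role membership.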
Application Roles - Finding all application roles for an application and then finding the number of users through app role assignments

Application roles are specific to an application registered in Azure AD. The role assignments collection for that application can be read by going through the service principal for that application in the tenant.

Azure AD Graph API

App Roles
    // Read the application object by its object id; its AppRoles list holds the defined roles
    var app = activeDirectoryClient.Applications["<applicationObjectId>"].ExecuteAsync().Result;
    var appRoles = app.AppRoles;

App Role Assignments
    ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(new Uri("https://graph.windows.net/<tenantGuid>"),
        async () => await GetTokenForApplication());
    // Resolve the application's service principal in this tenant by its appId
    var servicePrincipal = activeDirectoryClient.ServicePrincipals.Where(x => x.AppId == "<applicationId>").ExecuteAsync().Result.CurrentPage[0];
    // Assignments of this application's roles to principals (paged collection)
    var appRoleAssignments = activeDirectoryClient.ServicePrincipals[servicePrincipal.ObjectId].AppRoleAssignedTo.ExecuteAsync().Result;
    int userCountForApp = 0;
    foreach (var appRoleAssignment in appRoleAssignments.CurrentPage)
    {
        // Azure AD Graph also returns service principals here, so count users only
        if (appRoleAssignment.PrincipalType == "User")
        {
            userCountForApp++;
            Console.WriteLine("Role Id = {0} and User Name = {1}", appRoleAssignment.Id, appRoleAssignment.PrincipalDisplayName);
        }
    }
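The answer's snippet counts users for the application as a whole; the question asks for a count per role. As an added example (not from the original answer), the following extends that snippet with the Microsoft.Azure.ActiveDirectory.GraphClient package: it reads the role definitions from the service principal's own AppRoles list, pages through AppRoleAssignedTo instead of reading only CurrentPage, and counts User principals per role. The <tenantGuid> and <applicationId> placeholders and the GetTokenForApplication() helper are assumed exactly as in the answer. An assignment whose Id is the empty GUID is the default-access assignment Azure AD creates when a user is assigned to the application without a specific role, so those are reported under their own bucket.

```csharp
// Added example, not code from the original answer.
// Assumes the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package, the
// <tenantGuid> / <applicationId> placeholders from the answer, and an assumed helper
// GetTokenForApplication() that returns a bearer token for https://graph.windows.net.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static class AppRoleCounter
{
    // Returns { app role display name -> number of assigned users } for one application.
    public static async Task<Dictionary<string, int>> CountUsersPerAppRoleAsync(
        ActiveDirectoryClient client, string applicationId)
    {
        // Resolve the application's service principal in this tenant by its appId.
        var spPage = await client.ServicePrincipals
            .Where(sp => sp.AppId == applicationId).ExecuteAsync();
        var servicePrincipal = spPage.CurrentPage.FirstOrDefault();
        if (servicePrincipal == null)
        {
            throw new InvalidOperationException("No service principal found for appId " + applicationId);
        }

        // The service principal carries a copy of the application's AppRoles,
        // so the role id -> display name map can be built without reading the Application object.
        var roleNames = servicePrincipal.AppRoles
            .Where(r => r.Id.HasValue)
            .ToDictionary(r => r.Id.Value, r => r.DisplayName);

        // Start every defined role at zero so roles with no users still show up.
        var counts = roleNames.Values.ToDictionary(name => name, _ => 0);

        var assignments = await client.ServicePrincipals[servicePrincipal.ObjectId]
            .AppRoleAssignedTo.ExecuteAsync();
        while (assignments != null)
        {
            foreach (var assignment in assignments.CurrentPage)
            {
                // Azure AD Graph lists users, groups and service principals here; count users only.
                if (assignment.PrincipalType != "User")
                {
                    continue;
                }

                // Id is the app role id; Guid.Empty marks a default-access assignment
                // (user assigned to the app without a specific role).
                Guid roleId = assignment.Id ?? Guid.Empty;
                string roleName;
                if (roleId == Guid.Empty)
                {
                    roleName = "(default access)";
                }
                else if (!roleNames.TryGetValue(roleId, out roleName))
                {
                    roleName = roleId.ToString(); // role id not in the current definitions
                }

                counts[roleName] = counts.TryGetValue(roleName, out int current) ? current + 1 : 1;
            }
            // Follow the paged collection rather than stopping after CurrentPage.
            assignments = assignments.MorePagesAvailable
                ? await assignments.GetNextPageAsync()
                : null;
        }
        return counts;
    }

    public static async Task Main()
    {
        var client = new ActiveDirectoryClient(new Uri("https://graph.windows.net/<tenantGuid>"),
            async () => await GetTokenForApplication()); // assumed helper, as in the answer

        foreach (var entry in await CountUsersPerAppRoleAsync(client, "<applicationId>"))
        {
            Console.WriteLine("Role = {0}, Users = {1}", entry.Key, entry.Value);
        }
    }
}
```

Counting only PrincipalType == "User" deliberately leaves out group assignments; a role granted to a group covers every member of that group, so if groups are assigned to the application the per-role user count above is a lower bound and the group membership would have to be expanded separately.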
Microsoft Graph API

The ability to read all application-specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of the Microsoft Graph API beta endpoint. So it's not stable enough to be used in production code, and you won't find client SDK support for C#. Read more specific points in this SO post by Marc LaFleur.

Here are the relevant APIs though:
- AppRoleAssignments
- AppRoles
這篇關于使用 Graph Api 對租戶進行角色計數的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!