How to assign a role to a user in Azure AD using the Microsoft Graph API

Problem description

I created the following role in the app registration manifest:

"appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Student",
      "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
      "isEnabled": true,
      "description": "Student",
      "value": "Student"
    }
  ],

Now I am using the appRoleAssignment API to assign the role to a user. I am following this documentation. On that page it says we need to call the following API with the JSON body below:

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

I cannot understand what should be used for principalId, resourceId and appRoleId. On that page it says:

principalId: The id of the client service principal to which you are assigning the app role.
resourceId: The id of the resource servicePrincipal (the API) which has defined the app role (the application permission).
appRoleId: The id of the appRole (defined on the resource service principal) to assign to the client service principal.

But what I understand is that principalId is the ID of the user I have in the active directory for which I want to assign the role.

In my case, that is the ObjectId shown in the screenshot below:

(screenshot)

Is this correct?

resourceId is the tenant ID, and appRoleId is the ID I used when creating the app role above, d1c2ade8-98f8-45fd-aa4a-6d06b947c66f.

Putting it all together, if I make the request in Python:

import json
import http.client

token = get_token()  # the poster's own helper that obtains an access token; not shown
headers = {'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json'}

user_data = {
    "principalId": "1bc79085-12qw-4fad-8da8-647f4b4b2927",
    "resourceId": "c01b6482-3ccd-4533-8c98-a7c5e8067cc8",
    "appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"
}
j_data = json.dumps(user_data)
conn = http.client.HTTPSConnection('graph.microsoft.com')
# POST to /servicePrincipals/{id}/appRoleAssignments, using the user's object id as {id}
conn.request("POST", "/v1.0/servicePrincipals/1bc79085-12qw-4fad-8da8-647f4b4b2927/appRoleAssignments", j_data, headers)
response = conn.getresponse()
rdata = response.read()

I get the following response:

{
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource '1bc79085-12qw-4fad-8da8-647f4b4b2927' does not exist or one of its queried reference-property objects are not present.",
    "innerError": {
      "date": "2020-10-26T05:16:35",
      "request-id": "1c87a140-7bc9-499d-82dd-bc1dcb54e075",
      "client-request-id": "1c87a140-7bc9-499d-82dd-bc1dcb54e075"
    }
  }
}

Can anyone help me debug this? Please help. Thanks.

Edit:

Error:

{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource '261eda4b-6eee-45ba-a176-259960603409' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "date": "2020-10-26T07:09:38",
            "request-id": "8dc2ea73-63e5-45b5-8127-445df777c1e1",
            "client-request-id": "8dc2ea73-63e5-45b5-8127-445df777c1e1"
        }
    }
}

JSON:

{
    "principalId": "f923e078-ca9d-4611-a80e-bebb712ad7d1",
    "resourceId": "261eda4b-6eee-45ba-a176-259960603409",
    "appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"
}

POST URL: https://graph.microsoft.com/v1.0/servicePrincipals/261eda4b-6eee-45ba-a176-259960603409/appRoleAssignments

GET URL used to fetch the object ID: https://graph.microsoft.com/v1.0/serviceprincipals?$select=id&$filter=displayName eq'{useracces}'

(screenshot)

Answer

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

In this example, {id} and {resourceId-value} are both the object ID of the resource service principal; the resource service principal is the enterprise application associated with the Azure AD application in which you created the appRoles.

{principalId-value} is the user's object ID.

{appRoleId-value} is the ID of the app role you created in the manifest.

Update:

Your steps for getting the service principal's object ID are correct.

If you want to get it with the Graph API, you can do it like this:

GET https://graph.microsoft.com/v1.0/serviceprincipals?$select=id&$filter=displayName eq '{app name}'
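A worked version of the approach in the answer, added here as an example and not code from either post: it builds the lookup by display name, checks from the lookup result that the role is actually defined and enabled on that service principal, and then builds the appRoleAssignedTo request with the service principal's object ID in both the path and resourceId. The IDs and the lookup response below are constructed placeholders, and the bearer token is assumed to come from your own auth flow.

```python
import json
import http.client
from urllib.parse import quote

GRAPH_HOST = "graph.microsoft.com"

# Constructed sample values (placeholders, not real tenant objects).
APP_ROLE_ID = "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"   # app role id from the manifest
SAMPLE_SP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder service principal id
SAMPLE_LOOKUP = {"value": [{"id": SAMPLE_SP_ID, "appRoles": [
    {"id": APP_ROLE_ID, "value": "Student", "isEnabled": True}]}]}


def service_principal_lookup_path(display_name):
    """GET path returning id and appRoles of the enterprise application by display
    name. OData escapes a single quote inside a string literal by doubling it."""
    literal = display_name.replace("'", "''")
    return "/v1.0/servicePrincipals?$select=id,appRoles&$filter=" + quote(
        f"displayName eq '{literal}'")


def pick_service_principal(lookup_response, app_role_id):
    """Return the service principal id from the lookup result, or None unless
    exactly one principal matched and it defines an enabled role with that id."""
    principals = lookup_response.get("value", [])
    if len(principals) != 1:
        return None
    roles = {r["id"]: r for r in principals[0].get("appRoles", [])}
    if app_role_id not in roles or not roles[app_role_id].get("isEnabled", False):
        return None
    return principals[0]["id"]


def build_assignment_request(service_principal_id, user_object_id, app_role_id):
    """Path and body for POST /servicePrincipals/{id}/appRoleAssignedTo.
    {id} and resourceId carry the same value, the service principal's object id
    (not the tenant id and not the user id)."""
    path = f"/v1.0/servicePrincipals/{service_principal_id}/appRoleAssignedTo"
    body = {"principalId": user_object_id,      # the user's object id
            "resourceId": service_principal_id,
            "appRoleId": app_role_id}
    return path, body


def assign_role(token, service_principal_id, user_object_id, app_role_id):
    """Send the assignment with a bearer token allowed to write app role
    assignments; returns the HTTP status and the parsed JSON response."""
    path, body = build_assignment_request(service_principal_id, user_object_id, app_role_id)
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    conn = http.client.HTTPSConnection(GRAPH_HOST)
    conn.request("POST", path, json.dumps(body), headers)
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read() or b"{}")
```

If the lookup returns more than one match or the role is missing, pick_service_principal returns None and nothing is sent, which avoids assigning a role against the wrong enterprise application.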