我遇到了在azure活动目录中添加用户应用程序角色的问题。 在用户模型中,有一个名为ApproleAssignment的属性,我认为我可以为用户设置应用程序角色。但是当我这样做时,它没有分配。任何人都可以帮助我吗?
我在应用程序模型中使用App角色添加了应用程序角色。我可以在创建用户时填充下拉列表。下面显示了创建用户的部分。 什么应该作为AppRoleAssignment中的ResourceId给出?
[HttpPost]
public async Task<ActionResult> Create(UserModel user)
{
ActiveDirectoryClient client = null;
try
{
client = AuthenticationHelper.GetActiveDirectoryClient();
}
catch (Exception e)
{
if (Request.QueryString["reauth"] == "True")
{
//
// Send an OpenID Connect sign-in request to get a new set of tokens.
// If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
// The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
//
HttpContext.GetOwinContext()
.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
//
// The user needs to re-authorize. Show them a message to that effect.
//
ViewBag.ErrorMessage = "AuthorizationRequired";
return View();
}
try
{
User mappedUser = MapToUser(user);
await client.Users.AddUserAsync(mappedUser);
await AddUserRole(mappedUser, user);
return RedirectToAction("Index");
}
catch (Exception exception)
{
ModelState.AddModelError("", exception.Message);
return View();
}
}
/// <summary>
/// Adds the user role.
/// </summary>
/// <param name="mappedUser">The mapped user.</param>
/// <param name="model">The model.</param>
/// <returns></returns>
private async Task AddUserRole(User mappedUser, UserModel model)
{
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IPagedCollection<IUser> pagedCollection = await client.Users.ExecuteAsync();
var currentUser = pagedCollection.CurrentPage.Where(x => x.UserPrincipalName.Equals(mappedUser.UserPrincipalName)).FirstOrDefault();
var appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.Id = model.AppRoleId;
appRoleAssignment.PrincipalId = Guid.Parse(currentUser.ObjectId);
appRoleAssignment.ResourceId = Guid.Parse(clientId);
////((ClaimsIdentity)ClaimsPrincipal.Current.Identity).AddClaim(
//// new Claim(ClaimTypes.Role, "Manager", ClaimValueTypes.String, "GRAPH"));
await currentUser.UpdateAsync();
////Remaining have to be completed.
}
/// <summary>
/// Maps to user.
/// </summary>
/// <param name="model">The model.</param>
/// <returns></returns>
private Microsoft.Azure.ActiveDirectory.GraphClient.User MapToUser(UserModel model)
{
var user = new User();
user.UserPrincipalName = model.UserPrincipalName;
user.AccountEnabled = model.AccountEnabled;
user.PasswordProfile = model.PasswordProfile;
user.MailNickname = model.MailNickname;
user.DisplayName = model.DisplayName;
user.GivenName = model.GivenName;
user.Surname = model.Surname;
user.JobTitle = model.JobTitle;
user.Department = model.Department;
return user;
}
答案 0 :(得分:3)
抱歉,我很难跟踪您的代码,因为其中一些代码遗失了(比如您对应用程序的定义及其声明的任何应用程序角色)。在高级别,应用程序将定义一系列应用程序角色(appRoles)。一旦用户同意该应用程序,代表该应用程序的应用程序实例将出现在同意的租户中。如果要将用户分配给该应用程序,则在其中一个指定的应用程序角色中,您需要在用户上设置appRoleAssignment(选择应用程序角色ID和资源ID - 应用程序的ID)。 appRoleAssignment及其属性在此处描述:https://msdn.microsoft.com/en-us/library/azure/dn835128.aspx和此处描述的REST API示例http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx。
此外,我们还有一个控制台示例,其中显示了在应用程序上创建appRole,以及将应用程序(在声明的应用程序角色中)分配给用户。你可以在github上找到它:https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet
HTHs,
答案 1 :(得分:1)
您的代码中的资源ID是错误的:
appRoleAssignment.ResourceId = Guid.Parse(clientId);
图表应用使用的资源是与应用程序关联的服务原则的ID。您可以阅读有关应用程序和服务原则here之间的区别,但简要说一下clientID是应用程序定义的ID,而服务原则,据我所知,是一个活动实例它。因此,您需要的ID是进行角色分配的服务原则的 objectID 。获取服务原则ID的一些测试代码如下:
var servicePrincipleList = await client.ServicePrincipals.Where(e => e.AppId == clientId).ExecuteAsync();
var roleResourceUpdateID = servicePrincipleList.CurrentPage.First().ObjectId;
,这是您需要在角色分配中使用的对象ID。