Assign applications to users based on their email address

Time: 2016-06-27 15:23:19

Tags: azure azure-active-directory

At our school we use Azure AD. Currently we have two custom applications, A and B.

We need to assign application A to all users whose email address is *@student.example.com, and application B to users with an @example.com address.

How can we assign users based on this condition without doing it manually?

1 answer:

Answer 0: (score: 0)

You can use the Graph API to automate this process. Here is a PowerShell script I wrote that uses the Graph API.

Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

# Some common fields to log into your tenant.
$tenantID = "<your tenantID>"
$loginEndpoint = "https://login.windows.net/"

# The default redirect URI and client id (the well-known Azure PowerShell public client).
# No need to change them.
$redirectURI = New-Object System.Uri ("urn:ietf:wg:oauth:2.0:oob")
$clientID = "1950a258-227b-4e31-a9cf-717495945fc2"

$username = "<a global user of your tenant>"

# Wildcard patterns for -like; the more specific student domain is tested first.
$email_prefix1 = "*@student.example.com"
$email_prefix2 = "*@example.com"

# The display name of your AD apps. It's better if one does not contain another,
# because I am using the filter "startswith".
$apps1 = "<the display name of your first AD application>"
$apps2 = "<the display name of your second AD application>"

$resource = "https://graph.windows.net/"

# logging into your tenant to get the authorization header.
$authString = $loginEndpoint + $tenantID

$authenticationContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext ($authString, $false)

$promptBehaviour = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto

$userIdentifierType = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifierType]::RequiredDisplayableId

$userIdentifier = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier ($username, $userIdentifierType)

$authenticationResult = $authenticationContext.AcquireToken($resource, $clientID, $redirectURI, $promptBehaviour, $userIdentifier)

# construct authorization header for the REST API.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# getting the service principal object id of the 2 AD apps.
$uri = "https://graph.windows.net/$tenantID/servicePrincipals?api-version=1.5&`$filter=startswith(displayName,'$apps1')"

$apps = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
if (-not $apps.value) { throw "No service principal found whose display name starts with '$apps1'" }

$app1_objectId = $apps.value[0].objectId

$uri = "https://graph.windows.net/$tenantID/servicePrincipals?api-version=1.5&`$filter=startswith(displayName,'$apps2')"

$apps = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
if (-not $apps.value) { throw "No service principal found whose display name starts with '$apps2'" }

$app2_objectId = $apps.value[0].objectId

# getting the users in the tenant.
# The Graph API returns users in pages; follow odata.nextLink until the last page,
# otherwise only the first page of users gets assigned.
$uri = "https://graph.windows.net/$tenantID/users?api-version=1.5"
$allUsers = @()
do {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $allUsers += $page.value
    $nextLink = $page.'odata.nextLink'
    $uri = if ($nextLink) { "https://graph.windows.net/$tenantID/$nextLink&api-version=1.5" } else { $null }
} while ($uri)

# loop through the whole user list to assign the AD apps.
foreach ($user in $allUsers){
    $userID = $user.objectId

    # otherMails is an array of alternate addresses; only the first entry is checked.
    if ($user.otherMails[0] -like $email_prefix1){
        $resourceId = $app1_objectId
    }
    elseif ($user.otherMails[0] -like $email_prefix2){
        $resourceId = $app2_objectId
    }
    else{
        continue
    }

    # Leave the id as 00000000-0000-0000-0000-000000000000 (the default app role).
    # This is exactly how the Azure Classic Portal handles user assignment:
    # if you assign a user to an AD application in the portal,
    # the appRoleAssignment will have the id 00000000-0000-0000-0000-000000000000.
    $body = @"
{"id":  "00000000-0000-0000-0000-000000000000",
 "principalId":  "$userID",
 "resourceId":  "$resourceId"
}
"@

    $uri = "https://graph.windows.net/$tenantID/users/$userID/appRoleAssignments?api-version=1.5"
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
}

Note that I am using the email address in otherMails. If you are using a Live ID, that email address is simply the user's Live ID. If you are using an organizational ID, you can set it in the Classic Portal as the "Alternate email address" field.

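The following is an added example and not code from the original answer. It keeps the answer's approach (route each user to one application by the domain of their address, then create an appRoleAssignment) but changes three things a practitioner would want: it keys on userPrincipalName, whose domain must be verified in the tenant and which only administrators can change, rather than a free-form alternate address; it matches the domain exactly, so "student.example.com" can never fall through to the "example.com" rule and a look-alike such as "example.com.attacker.net" matches nothing; and it checks the user's existing assignments first, so the script can be re-run without creating duplicates. The Graph calls are passed in as scriptblocks, which lets the routing logic be dry-run offline against constructed sample users. All object ids, domains and user names are placeholders; the commented "real wiring" at the end assumes the same `$tenantID` and `$headers` variables as the answer's script and the Azure AD Graph endpoint it uses (graph.windows.net, which Microsoft has since retired in favour of Microsoft Graph, where the equivalent call is POST /users/{id}/appRoleAssignments with principalId, resourceId and appRoleId).

```powershell
# Added example (not the original answer's code). Domain -> service principal
# objectId map; both ids are assumed placeholders.
$DomainToApp = @{
    'student.example.com' = 'APP-A-SERVICE-PRINCIPAL-OBJECTID'
    'example.com'         = 'APP-B-SERVICE-PRINCIPAL-OBJECTID'
}

function Get-TargetAppId {
    param(
        [Parameter(Mandatory)] $User,
        [hashtable] $Map = $DomainToApp
    )
    # userPrincipalName: admin-controlled, domain must be verified in the tenant.
    $upn = [string]($User.userPrincipalName)
    # Require exactly one '@' and capture the domain part.
    if (-not ($upn -match '^[^@\s]+@([^@\s]+)$')) { return $null }
    $domain = $Matches[1].ToLowerInvariant()
    # Hashtable lookup is an exact match on the whole domain, not a suffix match,
    # so neither "student.example.com" nor "example.com.attacker.net" hits "example.com".
    if ($Map.ContainsKey($domain)) { return $Map[$domain] }
    return $null
}

function Sync-AppAssignments {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        # Returns the user's current appRoleAssignments (objects with a resourceId).
        [Parameter(Mandatory)] [scriptblock] $GetAssignments,
        # Creates the assignment; only called when none exists for that app.
        [Parameter(Mandatory)] [scriptblock] $AddAssignment
    )
    foreach ($u in $Users) {
        $target = Get-TargetAppId -User $u
        if (-not $target) { continue }                      # unknown domain: leave the user alone
        $existing = @(& $GetAssignments $u.objectId)
        if ($existing | Where-Object { $_.resourceId -eq $target }) { continue }   # already assigned: idempotent
        & $AddAssignment $u.objectId $target
    }
}

# --- offline dry run against constructed sample data -------------------------
$SampleUsers = @(
    [pscustomobject]@{ objectId = 'u-alice';   userPrincipalName = 'alice@student.example.com' },
    [pscustomobject]@{ objectId = 'u-bob';     userPrincipalName = 'bob@example.com' },
    [pscustomobject]@{ objectId = 'u-carol';   userPrincipalName = 'carol@example.com' },
    [pscustomobject]@{ objectId = 'u-mallory'; userPrincipalName = 'mallory@example.com.attacker.net' },
    [pscustomobject]@{ objectId = 'u-guest';   userPrincipalName = 'guest_outlook.com#EXT#@example.onmicrosoft.com' }
)
# Carol already has the application B assignment (constructed state).
$SampleAssignments = @{
    'u-carol' = @([pscustomobject]@{ resourceId = 'APP-B-SERVICE-PRINCIPAL-OBJECTID' })
}

$planned = [System.Collections.Generic.List[string]]::new()
Sync-AppAssignments -Users $SampleUsers `
    -GetAssignments { param($id) if ($SampleAssignments.ContainsKey($id)) { $SampleAssignments[$id] } else { @() } } `
    -AddAssignment  { param($id, $app) $planned.Add("$id -> $app") }

$planned

# --- real wiring (Azure AD Graph, reusing the answer's $tenantID and $headers) ---
# -GetAssignments { param($id)
#     (Invoke-RestMethod -Method Get -Headers $headers `
#         -Uri "https://graph.windows.net/$tenantID/users/$id/appRoleAssignments?api-version=1.5").value }
# -AddAssignment  { param($id, $app)
#     $body = @{ id = '00000000-0000-0000-0000-000000000000'; principalId = $id; resourceId = $app } | ConvertTo-Json
#     Invoke-RestMethod -Method Post -Headers $headers -Body $body `
#         -Uri "https://graph.windows.net/$tenantID/users/$id/appRoleAssignments?api-version=1.5" }
```

In the dry run only alice (application A) and bob (application B) are planned: carol is skipped because an assignment for application B already exists, mallory's look-alike domain matches no rule, and the guest's onmicrosoft.com UPN matches nothing either. Because the domain map is an exact match, adding a new subdomain later means adding a row, not reordering wildcard patterns; and because existing assignments are checked first, the script is safe to schedule and re-run as users are created.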