我想通过REST API获取Azure活动用户列表及其权限集(角色)。
到目前为止,我无法直接获取它们。我试图使用Active目录找出它们但到目前为止没有运气。
以下是Azure REST API的documentation
提前致谢。
答案 0 :(得分:0)
您可以通过查询订阅的角色分配来获取用户的角色。
示例网址:
https://management.azure.com/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2015-07-01
您当然需要将订阅的ID放在那里:)
$filter=atScope()
只需要获取订阅的角色,否则请求也会返回资源组和资源的角色。
回复示例:
{
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"principalId": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"scope": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"createdOn": "2018-03-04T19:38:21.9632037Z",
"updatedOn": "2018-03-04T19:38:21.9632037Z",
"createdBy": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"updatedBy": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
},
"id": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleAssignments/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"type": "Microsoft.Authorization/roleAssignments",
"name": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
}
]
}
principalId
将是分配此角色的服务主体,组或用户的objectId
。
您还需要了解每个角色的ID。
在这里,我获得了roleDefinitionId
并使用它来获取角色的定义,使用另一个查询:
https://management.azure.com/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa?api-version=2015-07-01
并回复:
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action"
]
}
],
"createdOn": "0001-01-01T08:00:00.0000000Z",
"updatedOn": "2016-12-14T02:04:45.1393855Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
}
您也可以通过忘记身份来获得所有角色。
答案 1 :(得分:0)
Microsoft引入了Graph API,用于获取附加的用户详细信息和角色。 用户详细信息API:
https://graph.windows.net/ /用户?API-版本= 1.6
授权:访问令牌
访问令牌您可以使用 https://graph.windows.net/ 和身份验证端点作为 https://login.microsoftonline.com/ 生成资源。
注意:您还必须具有Microsoft Graph API权限。
以下是一些其他图形API端点:
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/directoryroles-operations
目录角色:
https://graph.windows.net/myorganization/directoryRoles?api-version=1.6
列出具有角色的用户:
https://graph.windows.net/myorganization/directoryRoles/ce8c598b-20eb-42b6-89c6-cf6c184ba416/ $链接/成员?API-版本= 1.6