通过REST API获取Azure用户

时间:2018-03-03 09:01:30

标签: azure azure-api-management

我想通过REST API获取Azure活动用户列表及其权限集(角色)。

到目前为止,我无法直接获取它们。我试图使用Active目录找出它们但到目前为止没有运气。

以下是Azure REST API的documentation

提前致谢。

2 个答案:

答案 0 :(得分:0)

您可以通过查询订阅的角色分配来获取用户的角色。

示例网址:

https://management.azure.com/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2015-07-01

您当然需要将订阅的ID放在那里:)

$filter=atScope()只需要获取订阅的角色,否则请求也会返回资源组和资源的角色。

回复示例:

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "principalId": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "scope": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "createdOn": "2018-03-04T19:38:21.9632037Z",
        "updatedOn": "2018-03-04T19:38:21.9632037Z",
        "createdBy": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "updatedBy": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
      },
      "id": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleAssignments/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    }
  ]
}

principalId将是分配此角色的服务主体,组或用户的objectId

您还需要了解每个角色的ID。 在这里,我获得了roleDefinitionId并使用它来获取角色的定义,使用另一个查询:

https://management.azure.com/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa?api-version=2015-07-01

并回复:

{
    "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [
                    "Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action"
                ]
            }
        ],
        "createdOn": "0001-01-01T08:00:00.0000000Z",
        "updatedOn": "2016-12-14T02:04:45.1393855Z",
        "createdBy": null,
        "updatedBy": null
    },
    "id": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
}

您也可以通过忘记身份来获得所有角色。

答案 1 :(得分:0)

Microsoft引入了Graph API,用于获取附加的用户详细信息和角色。 用户详细信息API:

https://graph.windows.net/ /用户?API-版本= 1.6

授权:访问令牌

访问令牌您可以使用 https://graph.windows.net/ 和身份验证端点作为 https://login.microsoftonline.com/ 生成资源。

注意:您还必须具有Microsoft Graph API权限。

以下是一些其他图形API端点:

https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/directoryroles-operations

目录角色:

https://graph.windows.net/myorganization/directoryRoles?api-version=1.6

列出具有角色的用户:

https://graph.windows.net/myorganization/directoryRoles/ce8c598b-20eb-42b6-89c6-cf6c184ba416/ $链接/成员?API-版本= 1.6