使用GraphAPI / C#在AzureAD中删除应用程序角色的问题

时间:2018-08-24 20:58:03

标签: c# api azure azure-active-directory azure-ad-graph-api

我正在尝试使用VisualStudio / C#/ GraphAPI在AzureAD中添加/删除应用程序角色。我可以成功地将用户添加到ApplicationRole中,但是Remove(或Delete)角色不起作用。

我在互联网上进行了研究,似乎AzureAD图形API本身存在问题。检查:

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/5707763c-41f7-4465-abdb-3a8d8ded153b/graph-api-apiversion15-how-to-remove-user-from-application-role-using-c-net?forum=WindowsAzureAD

但是,这是一篇过时的文章,所以不确定是否有任何解决方法。

感谢您提供任何帮助来解决此问题。

1 个答案:

答案 0 :(得分:1)

  

我可以成功地将用户添加到ApplicationRole,但是删除(或删除)角色不起作用。

我可以使用以下代码删除应用程序角色。 

var listRoles = user.AppRoleAssignments.ToList();
user.AppRoleAssignments.Remove(listRoles[0]); //just demo: you could remove the role as your wanted
user.UpdateAsync().Wait();

以下是我的详细测试演示代码

1。获取访问令牌

private static async Task<string> GetAppTokenAsync(string graphResourceId, string tenantId, string clientId, string secretKey)
        {
            string aadInstance = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token";
            AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance, false);
            var result = await authenticationContext.AcquireTokenAsync(graphResourceId,
                new ClientCredential(clientId, userId));
            return result.AccessToken;
        }

2。初始化graphclient。

var graphResourceId = "https://graph.windows.net";
var tenantId = "tenantId";
var clientId = "client Id";
var secretKey = "secret key";
var servicePointUri = new Uri(graphResourceId); 
var serviceRoot = new Uri(servicePointUri, tenantId);
var activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await GetAppTokenAsync(graphResourceId, tenantId, clientId, secretKey));

3。创建应用程序和服务主体

 Application appObject = new Application { DisplayName = "Test-Demo App" };
 appObject.IdentifierUris.Add("https://localhost/demo/" + Guid.NewGuid());
 appObject.ReplyUrls.Add("https://localhost/demo");
 AppRole appRole = new AppRole
 {
    Id = Guid.NewGuid(),
    IsEnabled = true,
    DisplayName = "Something",
    Description = "Anything",
    Value = "policy.write"
 };

 appRole.AllowedMemberTypes.Add("User");
 appObject.AppRoles.Add(appRole);
 activeDirectoryClient.Applications.AddApplicationAsync(appObject).Wait();
 // create a new Service principal
 ServicePrincipal newServicePrincpal = new ServicePrincipal
 {
    DisplayName = appObject.DisplayName,
    AccountEnabled = true,
    AppId = appObject.AppId
 };
activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincpal).Wait();

4.add角色分配

User user = (User) activeDirectoryClient.Users.GetByObjectId("userobjectId").ExecuteAsync().Result;
AppRoleAssignment appRoleAssignment = new AppRoleAssignment
{
       Id = appRole.Id,
       ResourceId = Guid.Parse(newServicePrincpal.ObjectId),
       PrincipalType = "User",
       PrincipalId = Guid.Parse(user.ObjectId),

  };
user.AppRoleAssignments.Add(appRoleAssignment);
user.UpdateAsync().Wait();

5。从用户删除角色

var listRoles = user.AppRoleAssignments.ToList();
user.AppRoleAssignments.Remove(listRoles[0]);
user.UpdateAsync().Wait();
相关问题
最新问题