我的要求是在Azure AD中创建一个组,并在创建组时通过Graph API将服务主体添加为该组的所有者。
参考文档: https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http
参考上述文档,我能够创建组,但显示的响应对象不允许将服务主体添加为所有者。
身体:
{ “ description”:“ Testing 123”, “ displayName”:“ SG-test-ei”,
“ mailEnabled”:否, “ mailNickname”:“ SGP-test-ei”, “ securityEnabled”:是, “ owners@odata.bind”:[
"https://graph.microsoft.com/v1.0/users/qwbhty-cdd0-4c42-b857-5b8ce0ae6a9e"
],
"members@odata.bind": [
"https://graph.microsoft.com/v1.0/users/7f3f587a-c40a-4a63-82b1-202f35c828ee"
]
}
似乎https://graph.microsoft.com/v1.0/users无法识别服务主体的ObjectID。
我的问题是,我应该在主体中使用什么owner@odata.bind或API将服务主体作为所有者添加到Azure AD中的安全组。
答案 0 :(得分:0)
link中的示例使用/users。
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json
{
"description": "Group with designated owner and members",
"displayName": "Operations group",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"mailNickname": "operations2019",
"securityEnabled": false,
"owners@odata.bind": [
"https://graph.microsoft.com/v1.0/users/26be1845-4119-4801-a799-aea79d09f1a2"
],
"members@odata.bind": [
"https://graph.microsoft.com/v1.0/users/ff7cb387-6688-423c-8188-3da9532a73cc",
"https://graph.microsoft.com/v1.0/users/69456242-0067-49d3-ba96-9de6f2728e14"
]
}
用下面的/servicePrincipals代替它:
"owners@odata.bind": [
"https://graph.microsoft.com/v1.0/servicePrincipals/00964c82-a7c2-4675-bbed-54bcf16328b3"
]