Programmatically assign users to Azure AD Applicat

2019-05-16 17:07发布

I am trying to write a script to assign users to an Azure AD application (servicePrincipal) using Graph API. I am testing this in my sandbox, where I have defined the app and assigned users to it. However, when I query the servicePrincipal, I don't see the users anywhere in the response.

Questions:

  1. Based on the documentation, shouldn't there be appRoleAssignment?

  2. The documentation says this field is read-only, so how are you supposed to assign users?

1条回答
SAY GOODBYE
2楼-- · 2019-05-16 17:12

You can get the appRoleAssignments of a user via the navigation property when querying the Graph API:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

You can create assignments by making an HTTP POST to:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

The object that you need to send looks like this:

{
  "id": "id-of-role",
  "principalId": "objectId-of-user",
  "resourceId": "objectId-of-service-principal"
}

If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:

Where the resource does not declare any permissions, a default id (zero GUID) must be specified.

So something like:

{
  "id":"00000000-0000-0000-0000-000000000000",
  "resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
  "principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"
}
查看更多
登录 后发表回答