How to create a role assignment using the Azure Active Directory graph client in C#
Keywords: Graph, Directory, client, create, assignment, role, Active, Azure | Updated: 2023-09-27 18:04:31
I am using this library: Microsoft.Azure.ActiveDirectory.GraphClient, class ActiveDirectoryClient.

I want to give an application (I have its appID) "Owner" access to certain subscriptions. How do I do that?
The whole premise of this question is wrong. GraphClient is not the right client for managing this kind of authorization. The right API library is Microsoft.Azure.Management.Authorization, with the AuthorizationManagementClient class.

I'll add notes on the actual call sequence.
***UPDATE***

Sample code follows. First, you need the ObjectId of the principal you want to add. For a service principal, I have a function that looks it up in the directory, like so:

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

// Base URL of the Azure AD Graph API. The constant is not defined in the original answer;
// this is the value the tenant-scoped ActiveDirectoryClient endpoint is built from.
private const string GraphApiBaseUrl = "https://graph.windows.net/";

// accessToken must be a token issued for the Azure AD Graph resource (https://graph.windows.net),
// not the ARM token used further down for the role assignment.
public static async Task<IServicePrincipal> GetServicePrincipalAsync(string accessToken, string tenantId, string clientId)
{
    var graphClient = NewActiveDirectoryClient(accessToken, tenantId);
    // Filter on appId (the application/client ID). The object we need is the service principal
    // in this tenant; its ObjectId is the PrincipalId that Azure RBAC expects.
    var matches = await graphClient.ServicePrincipals.Where(sp => sp.AppId == clientId).ExecuteAsync();
    return matches.CurrentPage.ToList().FirstOrDefault();
}

private static ActiveDirectoryClient NewActiveDirectoryClient(string accessToken, string tenantId)
{
    // The client takes a token-acquisition callback; hand it the already-acquired token as a completed task.
    TaskCompletionSource<string> tcs = new TaskCompletionSource<string>();
    tcs.SetResult(accessToken);
    return new ActiveDirectoryClient(
        new Uri($"{GraphApiBaseUrl}{tenantId}"),
        async () => { return await tcs.Task; });
}
```

Then, using that ObjectId and a scope ("/subscriptions/{my_subscription_id}" for a whole subscription), you can create a RoleAssignment:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Authorization;
using Microsoft.Azure.Management.Authorization.Models;
using Microsoft.Rest;
using Microsoft.Rest.Azure.OData;

public static async Task AssignRoleToPrincipalAsync(
    string accessToken,       // ARM token (audience https://management.azure.com/), not a Graph token
    string subscriptionId,
    string scope,             // "/subscriptions/{id}" or a resource group / resource ID beneath it
    string roleName,          // role display name, e.g. "Owner"
    string principalObjectId) // directory ObjectId of the principal, not its appId
{
    using (var client = NewAuthorizationManagementClient(accessToken, subscriptionId))
    {
        RoleDefinition roleDef = (await FindRoleDefinitionAsync(accessToken, subscriptionId, scope, roleName)).FirstOrDefault();
        if (roleDef == null)
            throw new Exception($"Role was not found: {roleName}");
        var props = new RoleAssignmentProperties()
        {
            PrincipalId = principalObjectId,
            RoleDefinitionId = roleDef.Id // full ARM ID ending in /providers/Microsoft.Authorization/roleDefinitions/{guid}
        };
        // The assignment name must be a GUID. Depending on the SDK version, CreateAsync may instead
        // expect a RoleAssignmentCreateParameters that wraps these properties.
        await client.RoleAssignments.CreateAsync(scope, Guid.NewGuid().ToString("N"), props);
    }
}

// Not shown in the original answer; assumed implementation that resolves the role by display name
// at the given scope with an OData filter (built-in roles are visible at every scope).
private static async Task<IEnumerable<RoleDefinition>> FindRoleDefinitionAsync(
    string accessToken, string subscriptionId, string scope, string roleName)
{
    using (var client = NewAuthorizationManagementClient(accessToken, subscriptionId))
    {
        var page = await client.RoleDefinitions.ListAsync(
            scope, new ODataQuery<RoleDefinitionFilter>(f => f.RoleName == roleName));
        return page.ToList();
    }
}

private static AuthorizationManagementClient NewAuthorizationManagementClient(string accessToken, string subscriptionId)
{
    return new AuthorizationManagementClient(new TokenCredentials(accessToken)) { SubscriptionId = subscriptionId };
}
```
*****UPDATE*****

To get a token with Azure.Identity you can use the following snippet:

```csharp
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Management.Authorization;
using Microsoft.Rest;

// Uses the identity currently logged in to the Azure CLI ("az login"). The requested scope yields
// an ARM token, which is the audience AuthorizationManagementClient needs.
var accessToken = await new AzureCliCredential().GetTokenAsync(
    new TokenRequestContext(new[] { "https://management.azure.com/.default" }));

// 'subscription' is a SubscriptionResource from Azure.ResourceManager, obtained elsewhere;
// any subscription ID string can be used here instead.
var client = new AuthorizationManagementClient(
    new TokenCredentials(accessToken.Token))
{
    SubscriptionId = subscription.Data.SubscriptionId
};
```
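The answer above creates the assignment unconditionally. The following is an added example, not part of the answer or of the SDK, showing the pre-flight check and verification a practitioner would usually wrap around that call with the same Microsoft.Azure.Management.Authorization client: list what the principal already holds at the target scope or an ancestor scope, skip the create when the role is already effective, and re-read the stored assignment afterwards. It assumes SDK 2.x, where RoleAssignment exposes Scope, RoleDefinitionId and PrincipalId directly, ListForScopeAsync takes an ODataQuery<RoleAssignmentFilter>, and RoleAssignmentCreateParameters has a (roleDefinitionId, principalId) constructor; on older SDKs the create parameters are wrapped in a Properties object as in the answer. The class and method names are mine.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Authorization;
using Microsoft.Azure.Management.Authorization.Models;
using Microsoft.Rest.Azure.OData;

// Added helper (not from the original answer); assumes Microsoft.Azure.Management.Authorization 2.x.
public static class RoleAssignmentHelper
{
    // Role definition IDs are compared by their trailing GUID: a subscription-scoped listing returns
    // "/subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{guid}", while callers
    // often hold the tenant-level form "/providers/Microsoft.Authorization/roleDefinitions/{guid}".
    private static bool SameRoleDefinition(string a, string b) =>
        string.Equals(a.Split('/').Last(), b.Split('/').Last(), StringComparison.OrdinalIgnoreCase);

    // True when the principal already holds roleDefinitionId at 'scope' or at an ancestor scope.
    // Assignments inherit downward, so Owner on the subscription already covers every resource group in it.
    public static async Task<bool> HasEffectiveRoleAsync(
        AuthorizationManagementClient client, string scope, string principalObjectId, string roleDefinitionId)
    {
        // ListForScope returns assignments at, above and below the scope; the principalId filter
        // narrows the result server-side. Only the first page is inspected here.
        var assignments = await client.RoleAssignments.ListForScopeAsync(
            scope, new ODataQuery<RoleAssignmentFilter>(f => f.PrincipalId == principalObjectId));

        return assignments.Any(ra =>
            SameRoleDefinition(ra.RoleDefinitionId, roleDefinitionId) &&
            scope.StartsWith(ra.Scope, StringComparison.OrdinalIgnoreCase)); // same scope or an ancestor
    }

    // Creates the assignment only when it is not already effective. Returns the assignment as stored
    // by ARM, or null when nothing had to be created.
    public static async Task<RoleAssignment> EnsureRoleAssignmentAsync(
        AuthorizationManagementClient client, string scope, string principalObjectId, string roleDefinitionId)
    {
        if (await HasEffectiveRoleAsync(client, scope, principalObjectId, roleDefinitionId))
            return null;

        // ARM rejects an exact duplicate of (principal, role, scope) with 409 RoleAssignmentExists
        // regardless of the name, but it does not treat a role inherited from an ancestor scope as a
        // duplicate; the check above covers both cases before any write is attempted.
        string name = Guid.NewGuid().ToString(); // assignment names must be GUIDs
        var created = await client.RoleAssignments.CreateAsync(
            scope, name, new RoleAssignmentCreateParameters(roleDefinitionId, principalObjectId));

        // Verify what ARM actually stored rather than trusting the create response.
        return await client.RoleAssignments.GetAsync(scope, created.Name);
    }
}
```

One caveat on the role the question asks for: Owner includes Microsoft.Authorization/roleAssignments/write, so a service principal given Owner on a subscription can grant itself or any other principal any role in that subscription. For an application that only needs to deploy or manage resources, Contributor or a custom role at the narrowest scope that works is the safer default; the scope string passed above can be a resource group or a single resource rather than the whole subscription.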