How to create a role assignment in C# using the Azure Active Directory Graph client

Keywords: Graph Directory client create assignment role Active Azure | Updated: 2023-09-27 18:04:31

I am using this library: Microsoft.Azure.ActiveDirectory.GraphClient, class: ActiveDirectoryClient.

I want to give an application (I have the appID) "Owner" access to a certain subscription. How do I do that?


The whole premise of this question is wrong. GraphClient is not the right client for managing this kind of authorization. The right API library is Microsoft.Azure.Management.Authorization, and the class is AuthorizationManagementClient.

I will add comments on the actual call sequence.

*** UPDATE ***

Here is the sample code.

First, you need the ObjectId of the principal you want to add. For a service principal, I have a function that fetches it from the directory, as follows:

    using System;
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.Azure.ActiveDirectory.GraphClient;

    // Azure AD Graph endpoint; the original referenced this constant without defining it.
    private const string GraphApiBaseUrl = "https://graph.windows.net/";

    public static async Task<IServicePrincipal> GetServicePrincipalAsync(string accessToken, string tenantId, string clientId)
    {
        var graphClient = NewActiveDirectoryClient(accessToken, tenantId);
        // Look up the service principal whose appId matches the application's client id.
        var matches = await graphClient.ServicePrincipals.Where(sp => sp.AppId == clientId).ExecuteAsync();
        return matches.CurrentPage.ToList().FirstOrDefault();
    }
    private static ActiveDirectoryClient NewActiveDirectoryClient(string accessToken, string tenantId)
    {
        // Wrap the already-acquired token in the async token provider the client expects.
        TaskCompletionSource<string> tcs = new TaskCompletionSource<string>();
        tcs.SetResult(accessToken);
        return new ActiveDirectoryClient(
            new Uri($"{GraphApiBaseUrl}{tenantId}"),
            async () => { return await tcs.Task; });
    }

Then, using that together with a scope ("/subscriptions/{my_subscription_id}" for the whole subscription), you can create a RoleAssignment:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.Azure.Management.Authorization;
    using Microsoft.Azure.Management.Authorization.Models;
    using Microsoft.Rest;
    using Microsoft.Rest.Azure.OData;

    public static async Task AssignRoleToPrincipalAsync(
        string accessToken, 
        string subscriptionId, 
        string scope, 
        string roleName,
        string principalObjectId)
    {
        using (var client = NewAuthorizationManagementClient(accessToken, subscriptionId))
        {
            // Resolve the role definition (e.g. "Owner") by display name at the target scope.
            RoleDefinition roleDef = (await FindRoleDefinitionAsync(accessToken, subscriptionId, scope, roleName)).FirstOrDefault();
            if (roleDef == null)
                throw new Exception($"Role was not found: {roleName}");
            var props = new RoleAssignmentProperties()
            {
                PrincipalId = principalObjectId,
                RoleDefinitionId = roleDef.Id
            };
            // The role assignment name is a fresh GUID.
            await client.RoleAssignments.CreateAsync(scope, Guid.NewGuid().ToString("N"), props);
        }
    }
    // FindRoleDefinitionAsync was referenced but not shown in the original; this completion
    // filters the role definitions visible at the scope by their roleName.
    private static async Task<IEnumerable<RoleDefinition>> FindRoleDefinitionAsync(
        string accessToken, string subscriptionId, string scope, string roleName)
    {
        using (var client = NewAuthorizationManagementClient(accessToken, subscriptionId))
        {
            return (await client.RoleDefinitions.ListAsync(
                scope, new ODataQuery<RoleDefinitionFilter>(f => f.RoleName == roleName))).ToList();
        }
    }
    private static AuthorizationManagementClient NewAuthorizationManagementClient(string accessToken, string subscriptionId)
    {
        return new AuthorizationManagementClient(new TokenCredentials(accessToken)) { SubscriptionId = subscriptionId};
    }

***** UPDATE *****

To acquire the token with Azure.Identity, you can use the following snippet:

    using Azure.Core;
    using Azure.Identity;
    using Azure.ResourceManager;
    using Microsoft.Azure.Management.Authorization;
    using Microsoft.Rest;
    // Azure CLI sign-in (needs a prior `az login`); `subscription` was undefined in the original snippet.
    var credential = new AzureCliCredential();
    var subscription = await new ArmClient(credential).GetDefaultSubscriptionAsync();
    var accessToken = await credential.GetTokenAsync(
        new TokenRequestContext(new[] { "https://management.azure.com/.default" }));
    var client = new AuthorizationManagementClient(new TokenCredentials(accessToken.Token))
    {
        SubscriptionId = subscription.Data.SubscriptionId
    };