我正在尝试弄清楚如何使用 Azure Active Directory 的图形 API 从组或用户中删除 AppRoleAssignment
。我正在使用 .NET SDK (Microsoft.Azure.ActiveDirectory.GraphClient)。
我尝试使用每个 IEntityBase
上的标准 DeleteAsync
方法,但失败并出现错误。它发出一个如下所示的 HTTP 请求:
删除/{tenantId}/directoryObjects/{appRoleAssignment ObjectID}/Microsoft.DirectoryServices.AppRoleAssignment?api-version=1.5
失败并出现 400 Bad Request,并显示错误“不支持直接查询此资源类型。”
根据 this Microsoft blog post,这不是使用 Graph API 删除 AppRoleAssignments 的正确方法。这表明您需要执行如下所示的 HTTP 请求:
删除/{tenantId}/users/{用户对象 ID}/appRoleAssignments/{appRoleAs}?api-version=1.5
如果我使用该 URL 格式使用 HttpClient 执行手动 HTTP 请求,它可以工作,但我想知道如何在 .NET 库的范围内执行此操作,而不是自己执行手动 HTTP 请求。
如何通过 .NET 库删除 AppRoleAssignments?
最佳答案
虽然尚未修复,但您可以手动发出 HTTP 请求,但仍使用 Azure AD SDK 来获取 token 。像这样的事情:
var tenantId = "<guid> tenant id";
var appId = "<guid> your Azure app id";
var appKey = "your app key";
var authority = "i.e. https://login.windows.net/mycompany.onmicrosoft.com";
var graphUrl = "https://graph.windows.net/";
public async Task RemoveRoleFromUser(Guid userId, string roleObjectId) {
var uri = string.Format("{0}/users/{1}/appRoleAssignments/{2}?api-version=1.5", tenantId, userId, roleObjectId);
await ExecuteRequest<object>(uri, HttpMethod.Delete);
}
private async Task<T> ExecuteRequest<T>(string uri, HttpMethod method = null, Object body = null) where T : class {
if (method == null) method = HttpMethod.Get;
T response;
var token = await AcquireTokenAsyncForApplication();
using (var httpClient = new HttpClient { BaseAddress = getServicePointUri() }) {
var request = new HttpRequestMessage(method, uri);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
if (body != null) {
request.Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json");
}
var responseMessage = await httpClient.SendAsync(request).ConfigureAwait(false);
responseMessage.EnsureSuccessStatusCode();
response = await responseMessage.Content.ReadAsAsync<T>();
}
return response;
}
private async Task<string> AcquireTokenAsyncForApplication() {
ClientCredential clientCred = new ClientCredential(appId, appKey);
var authenticationContext = new AuthenticationContext(authority, false);
AuthenticationResult authenticationResult = authenticationContext.AcquireToken(graphUrl, clientCred);
return authenticationResult.AccessToken;
}
private Uri getServicePointUri() {
Uri servicePointUri = new Uri(graphUrl);
Uri serviceRoot = new Uri(servicePointUri, tenantId);
return serviceRoot;
}
关于c# - 如何使用 Azure Active Directory .NET SDK 删除 AppRoleAssignment?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29460012/