【Azure Developer】AAD API如何获取用户“Block sign in”信息(accountEnabled)
问题描述
使用API获取所有Azure AD中的用户列表,API所参考的文档:https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http,如果想过滤出“Block sign in”为no的人,如何获取?
解决办法
在对Azure AD User的属性进行分析后, Block Sign In就是accountEnabled属性。所以是可以通过$filter参数来进行筛选。
accountEnabled | Boolean | true if the account is enabled; otherwise, false. This property is required when a user is created. Supports $filter . |
如果单独使用accountEnabled属性作为过滤条件的完整URL为:https://microsoftgraph.chinacloudapi.cn/beta/users?$filter=accountEnabled eq false
通常,在使用$filter时,都是需要多个条件,如accountEnabled和userPrincipalName的endsWith条件结合使用,当启用到endsWith等filter函数时,需要注意以下两点:
- 和$count=true搭配使用
-
在Request Header中添加ConsistencyLevel:eventual
Python的示例代码如:
import http.client conn = http.client.HTTPSConnection("microsoftgraph.chinacloudapi.cn") payload = '' headers = { 'ConsistencyLevel': 'eventual', 'Authorization': 'Bearer ' } conn.request("GET", "/v1.0/users?$filter=endswith(userPrincipalName,'n')%20and%20accountEnabled%20eq%20false&$count=true", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
参考资料
Get a user account using a sign-in name: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#example-2-get-a-user-account-using-a-sign-in-name
User resource properties: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties
Unable to filter with endswith: https://github.com/microsoftgraph/microsoft-graph-docs/issues/4331
当在复杂的环境中面临问题,格物之道需:浊而静之徐清,安以动之徐生。 云中,恰是如此!