Getting the Azure user list with an AAD Service Principal (Microsoft Graph API)

The code here is a fairly general sample: it can operate on AAD itself, and, given the right authorization on the Azure Service Principal, it can also access and control Azure subscription resources. (Azure can in some sense be seen as two layers: AAD + Subscription.) Note that the endpoint the sample calls (graph.chinacloudapi.cn, api-version=1.6) is the Azure AD Graph API; Microsoft Graph uses a different endpoint and URL scheme, but the client-credentials token flow is the same.

The code below is the part marked 2 in red in the screenshot. The permission marked 1 in red is what actually grants the AAD service principal rights over the subscription (for that, switch to var resource = "https://management.core.chinacloudapi.cn/"). A token is issued for exactly one resource (its aud claim), so a Graph token is rejected by the management endpoint and vice versa.

Prerequisites

  1. Register an Azure AD application
  2. Grant that AAD application the appropriate permissions (for listing users with client credentials this is an application permission such as Directory.Read.All on the Azure AD Graph API, which needs admin consent; grant only what the job requires)

The sample code is as follows:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

namespace AadGraphApi
{
    class Program
    {
        static void Main(string[] args)
        {
            // Demo of the Azure AD Graph API with an application (client credentials) token:
            // 1. List all users in AAD
            // 2. Check user existence
            // 3. Get AppRoleAssignment
            // 4. Create an appRoleAssignment (3 and 4 are left commented out below)

            // Test against Mooncake (Azure China). For global Azure swap the authority
            // (login.microsoftonline.com) and the resource (graph.windows.net).
            CnTest().GetAwaiter().GetResult();   // block until the async work has really finished
            Console.WriteLine("**--------done-------**");
            Console.ReadLine();
        }

        // Acquire an access token for the service principal with ADAL (client credentials flow)
        private static async Task<string> CnAppAuthenticationAsync()
        {
            // Constants for Mooncake Azure. Load tenant, client id and secret from
            // configuration or a secret store; do not commit them with the source.
            var tenant = "";
            // The token is only valid for the resource named here (its aud claim).
            var resource = "https://graph.chinacloudapi.cn";
            //var resource = "https://management.core.chinacloudapi.cn/";
            var clientID = "";
            var secret = "";
            // Ceremony
            var authority = $"https://login.chinacloudapi.cn/{tenant}";
            var authContext = new AuthenticationContext(authority);
            var credentials = new ClientCredential(clientID, secret);
            var authResult = await authContext.AcquireTokenAsync(resource, credentials);
            return authResult.AccessToken;
        }

        private static async Task CnTest()
        {
            var token = await CnAppAuthenticationAsync();

            using (var client = new HttpClient())
            {
                //
                // be careful with the specific parameters in the URIs: replace them with yours
                //
                client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

                var apiUriUserExist = new Uri("https://graph.chinacloudapi.cn/{yourtenantid}/users/**.partner.onmschina.cn?api-version=1.6");
                var apiUriListAllUser = new Uri("https://graph.chinacloudapi.cn/**.partner.onmschina.cn/users?api-version=1.6");
                var apiUriGetAppRoleAssignment = new Uri("https://graph.chinacloudapi.cn/**.partner.onmschina.cn/users/**.partner.onmschina.cn/appRoleAssignments?api-version=1.6");

                //var userExist = await DoesUserExistsAsync(client, apiUriUserExist);
                //Console.WriteLine($"Does user exists? {userExist}");

                var userLists = await ListAllUsers(client, apiUriListAllUser);
                Console.WriteLine(userLists);
                /*
                var appRoleList = await GetAppRoleAssignment(client, apiUriGetAppRoleAssignment);
                Console.WriteLine(appRoleList);

                //post request for AAD appRoleAssignment
                await CnPostAppRoleAssignment(client);
                //
                */
            }
        }

        // true on 200, false on 404. Any other status (401/403 = token or permission
        // problem, 429 = throttling) is surfaced instead of being misreported as "no such user".
        private static async Task<bool> DoesUserExistsAsync(HttpClient client, Uri apiUri)
        {
            using (var response = await client.GetAsync(apiUri))
            {
                if (response.StatusCode == HttpStatusCode.NotFound)
                    return false;
                response.EnsureSuccessStatusCode();
                return true;
            }
        }

        // Returns the raw JSON of the first page only; a large tenant also returns an
        // odata.nextLink that has to be followed to get the remaining users.
        private static async Task<string> ListAllUsers(HttpClient client, Uri apiUri)
        {
            try
            {
                var payload = await client.GetStringAsync(apiUri);
                return payload;
            }
            catch (HttpRequestException ex)
            {
                Console.Error.WriteLine(ex);
                throw;
            }
        }
    }
}

This code uses the granted authorization to fetch the users in Azure AD. There are many other operations, such as deleting a user or listing all users; Azure provides a whole set of Graph APIs for this.
In the same way, by acquiring a token for the Management resource and sending HTTP requests that operate on resources, we can control Azure subscription resources from code.
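Two things the sample leaves to the reader: a single GET on /users returns only the first page (Azure AD Graph hands back an odata.nextLink that has to be followed), and an existence probe that returns false on any failed request turns a 401/403 into "user does not exist". The following Python is an added example, not code from the original post; the HTTP transport is injected so it runs offline, and the tenant contoso.partner.onmschina.cn, the user names, the skiptoken value and the token strings are all made up.

```python
import json
from typing import Callable, List, Optional, Tuple
from urllib.parse import quote

GRAPH_CN = "https://graph.chinacloudapi.cn"  # Azure AD Graph endpoint for Azure China
API_VERSION = "1.6"

# A transport is (url, bearer_token) -> (http_status, body_text). A real one is
# requests.get(url, headers={"Authorization": "Bearer " + token}); injecting it
# lets the sample run offline against the constructed responses below.
Transport = Callable[[str, str], Tuple[int, str]]


def classify_probe(status: int) -> str:
    """Translate the status of GET /users/{upn} into what it actually means."""
    if status == 200:
        return "exists"
    if status == 404:
        return "absent"   # the only status that means "no such user"
    if status in (401, 403):
        return "denied"   # token for the wrong resource, expired, or missing directory permission
    return "error"        # 400 bad UPN, 429 throttled, 5xx: investigate, never report "absent"


def user_exists(tenant: str, upn: str, token: str, fetch: Transport) -> bool:
    url = f"{GRAPH_CN}/{tenant}/users/{quote(upn, safe='@')}?api-version={API_VERSION}"
    status, body = fetch(url, token)
    verdict = classify_probe(status)
    if verdict == "denied":
        raise PermissionError(f"Graph rejected the token ({status}): {body[:120]}")
    if verdict == "error":
        raise RuntimeError(f"unexpected status {status} for {url}: {body[:120]}")
    return verdict == "exists"


def next_page_url(tenant: str, next_link: Optional[str]) -> Optional[str]:
    """Azure AD Graph returns odata.nextLink relative to the tenant and without
    api-version; an absolute link is passed through unchanged."""
    if not next_link:
        return None
    if next_link.startswith("https://"):
        return next_link
    sep = "&" if "?" in next_link else "?"
    return f"{GRAPH_CN}/{tenant}/{next_link}{sep}api-version={API_VERSION}"


def list_all_users(tenant: str, token: str, fetch: Transport) -> List[dict]:
    """Walk every page of /users; a single GET only returns the first page."""
    url: Optional[str] = f"{GRAPH_CN}/{tenant}/users?api-version={API_VERSION}"
    users: List[dict] = []
    while url:
        status, body = fetch(url, token)
        if status in (401, 403):
            raise PermissionError(f"Graph rejected the token ({status}): {body[:120]}")
        if status != 200:   # a failed page is an error, not an empty tenant
            raise RuntimeError(f"unexpected status {status} for {url}: {body[:120]}")
        page = json.loads(body)
        users.extend(page.get("value", []))
        url = next_page_url(tenant, page.get("odata.nextLink"))
    return users


# Constructed stand-in for the directory: made-up tenant, users and skiptoken.
TENANT = "contoso.partner.onmschina.cn"
NEXT_LINK = "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X'0001'"
PAGE_1 = {"value": [{"userPrincipalName": f"alice@{TENANT}"},
                    {"userPrincipalName": f"bob@{TENANT}"}],
          "odata.nextLink": NEXT_LINK}
PAGE_2 = {"value": [{"userPrincipalName": f"carol@{TENANT}"}]}
KNOWN_UPNS = {u["userPrincipalName"] for u in PAGE_1["value"] + PAGE_2["value"]}


def fake_fetch(url: str, token: str) -> Tuple[int, str]:
    """Behaves like Graph: only a token issued for the Graph resource is accepted."""
    if token != "graph-token":  # e.g. a token acquired for management.core.chinacloudapi.cn
        return 401, json.dumps({"odata.error": {"code": "Authentication_MissingOrMalformed"}})
    base = f"{GRAPH_CN}/{TENANT}"
    if url == f"{base}/users?api-version={API_VERSION}":
        return 200, json.dumps(PAGE_1)
    if url == f"{base}/{NEXT_LINK}&api-version={API_VERSION}":
        return 200, json.dumps(PAGE_2)
    if url.startswith(f"{base}/users/"):
        upn = url[len(f"{base}/users/"):].split("?", 1)[0]
        if upn in KNOWN_UPNS:
            return 200, json.dumps({"userPrincipalName": upn})
        return 404, json.dumps({"odata.error": {"code": "Request_ResourceNotFound"}})
    return 400, json.dumps({"odata.error": {"code": "Request_BadRequest"}})


def demo() -> dict:
    """Run the checks against the constructed directory and collect the outcomes."""
    results = {
        "user_count": len(list_all_users(TENANT, "graph-token", fake_fetch)),
        "alice": user_exists(TENANT, f"alice@{TENANT}", "graph-token", fake_fetch),
        "nobody": user_exists(TENANT, f"nobody@{TENANT}", "graph-token", fake_fetch),
    }
    try:  # a management-plane token must not be reported as "user does not exist"
        user_exists(TENANT, f"alice@{TENANT}", "arm-token", fake_fetch)
        results["wrong_audience"] = "misreported"
    except PermissionError:
        results["wrong_audience"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Swapping fake_fetch for a requests-based transport is the only change needed to run this against a real tenant; the paging and the status classification stay the same, and the same 401 path is what you see when the token was acquired for the management resource instead of Graph.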

posted @ 2018-10-23 14:08  杨文波