AAD Service Principal获取azure user list (Microsoft Graph API)
本段代码是个通用性很强的sample code,不仅能够操作AAD本身,也能通过Azure Service Principal的授权来访问和控制Azure的订阅资源。(Azure某种程度上能看成是两个层级:AAD+Subscription)
下文中的代码是演示的screenshot中的红字2的部分。红字1的部分的permission实质上是赋予AAD service principal操作订阅的权限(这个需要切换var resource = “https://management.core.chinacloudapi.cn/“)
预先准备
- 注册一个Azure AD application
- 对这个aad application赋予适当的权限
sample code 如下:
1 using Microsoft.IdentityModel.Clients.ActiveDirectory; 2 using Newtonsoft.Json; 3 using Newtonsoft.Json.Linq; 4 using System; 5 using System.Collections.Generic; 6 using System.Collections.Specialized; 7 using System.IO; 8 using System.Linq; 9 using System.Net; 10 using System.Net.Http; 11 using System.Net.Http.Headers; 12 using System.Text; 13 using System.Threading.Tasks; 14 15 namespace AadGraphApi 16 { 17 class Program 18 { 19 static void Main(string[] args) 20 { 21 //Demo below AAD graph api 22 //1. List All users in AAD 23 //2. Check user existence 24 //3. Get AppRoleAssignment 25 //4. implement the appRoleAssignment 26 27 //Test MoonCake Azure 28 //Task task = CnTest(); 29 30 //Test Global Azure 31 Task task = CnTest(); 32 var x = task; 33 Console.WriteLine("**--------done-------**"); 34 Console.ReadLine(); 35 } 36 // using Http Request to get Token 37 private static async Task<string> CnAppAuthenticationAsync() 38 { 39 // Using in Mooncake Azure 40 // Constants 41 var tenant = ""; 42 var resource = "https://graph.chinacloudapi.cn"; 43 //var resource = "https://management.core.chinacloudapi.cn/"; 44 var clientID = ""; 45 var secret = ""; 46 // Ceremony 47 var authority = $"https://login.chinacloudapi.cn/{tenant}"; 48 var authContext = new AuthenticationContext(authority); 49 var credentials = new ClientCredential(clientID, secret); 50 var authResult = await authContext.AcquireTokenAsync(resource, credentials); 51 return authResult.AccessToken; 52 } 53 54 private static async Task CnTest() 55 { 56 var token = await CnAppAuthenticationAsync(); 57 58 using (var client = new HttpClient()) 59 { 60 // 61 //be careful for the specific parameters in the URI . replace it with yours 62 // 63 client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token); 64 65 var apiUriUserExist = new Uri("https://graph.chinacloudapi.cn/{yourtenantid}/users/**.partner.onmschina.cn?api-version=1.6"); 66 var apiUriListAllUser = new Uri("https://graph.chinacloudapi.cn/**.partner.onmschina.cn/users?api-version=1.6"); 67 var apiUriGetAppRoleAssignment = new Uri("https://graph.chinacloudapi.cn/**。partner.onmschina.cn/users/**.partner.onmschina.cn/appRoleAssignments?api-version=1.6"); 68 69 //var userExist = await DoesUserExistsAsync(client, apiUriUserExist); 70 //Console.WriteLine($"Does user exists? {userExist}"); 71 72 var userLists = await ListAllUsers(client, apiUriListAllUser); 73 Console.WriteLine(userLists); 74 /* 75 var appRoleList = await GetAppRoleAssignment(client, apiUriGetAppRoleAssignment); 76 Console.WriteLine(appRoleList); 77 78 //post request for AAD appRoleAssignment 79 await CnPostAppRoleAssignment(client); 80 // 81 */ 82 } 83 } 84 85 private static async Task<bool> DoesUserExistsAsync(HttpClient client, Uri apiUri) 86 { 87 try 88 { 89 var payload = await client.GetStringAsync(apiUri); 90 return true; 91 } 92 catch (HttpRequestException) 93 { 94 return false; 95 } 96 } 97 98 private static async Task<string> ListAllUsers(HttpClient client, Uri apiUri) 99 { 100 try 101 { 102 var payload = await client.GetStringAsync(apiUri); 103 return payload; 104 } 105 catch (HttpRequestException ex) 106 { 107 return ex.ToString(); 108 } 109 } 110 } 111 }
本段代码通过授权去拿Azure AD 中的user。还有很多其他的操作,比如delete user, list all user , Azure提供了一系列的Graph API
同理我们也能通过Managment授权发送操作资源的http请求达到代码控制Azure订阅资源的目的。
欢迎转载,注明出处。有任何问题和建议,欢迎留言讨论,也可以发我邮箱wenbya@outlook.com