• Microsoft 365 Development: How to Get a Complete Set of Permission Changes in SPO


    51CTO blog: https://blog.51cto.com/1396817

    cnblogs blog: https://www.cnblogs.com/bxapollo

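    Microsoft Graph is a RESTful web API for accessing Microsoft cloud service resources. After you register an application and obtain an authentication token for a user or service, you can send requests to the Microsoft Graph API.

    By default, delta links (tokens) are a user-scoped API that can be used for sync-like behavior, for example to obtain a complete permission enumeration for verification. Delta tries to scope permission-based changes to those relevant to the caller: if the caller's access did not change as a result of a permission change, the item may not be included in the delta results.

    Prerequisite for retrieving permissions: follow the recommendations in aca.ms/scanguidance, otherwise the scope of permission changes returned will be narrowed.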

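    How to retrieve the permissions:

    • Use app-only authentication with the Sites.FullControl.All scope
    • Pass the header "Prefer" = "deltashowsharingchanges,hierarchicalsharing"

    Implementation steps:

    1. Create an application in AAD and grant it permissions such as Sites.FullControl.All.

    2. Use the following PowerShell script to generate the access token and the delta token link: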

    cls
    $host.Runspace.ThreadOptions = "ReuseThread"
    Write-Host "STARTED at" (Get-Date).ToString() -f Green
    # App registration values (redacted samples; use your own)
    $ClientID = "fa9737d5-5a3e-4fab-0000-000000000000"
    $ClientSecret = "1JOe:M8HBBUz-0000000000000000000"
    $scope = "https://graph.microsoft.com/.default"
    $POSTURI = "https://login.microsoftonline.com/d6f932a7-5f74-0000-0000-000000000000/oauth2/v2.0/token"
    # Client-credentials (app-only) token request
    $body = @{grant_type="client_credentials";client_id=$ClientID;client_secret=$ClientSecret;scope=$scope}
    $oauth = Invoke-RestMethod -Method Post -Uri $POSTURI -Body $body
    $graphAccessToken = $oauth.access_token
    Write-Host "Access token: $($graphAccessToken)"
    $requestHeader = @{
        "Authorization" = "Bearer $graphAccessToken"
        "Content-Type" = "application/json"
        "Prefer" = "deltashowsharingchanges,hierarchicalsharing,deltatraversepermissiongaps,deltashowremovedasdeleted"
    }
    # token=latest returns no items, only a deltaLink for the current state
    $Uri = "https://graph.microsoft.com/v1.0/sites/spotenant.sharepoint.com,df6ba610-b132-0000-0000-000000000000,e0dbcdc6-0637-4246-0000-000000000000/drive/root/delta?token=latest"
    $Result = (Invoke-RestMethod -Method Get -Headers $requestHeader -Uri $Uri)
    $deltaUri = $Result.'@odata.deltaLink'
    Write-Host $deltaUri
    Write-Host "DONE at" (Get-Date).ToString() -f Green
    

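    3. Copy the access token and delta URI values output by the script above, and use them in the sample PowerShell script below to retrieve the complete set of permission changes.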

    cls
    $host.Runspace.ThreadOptions = "ReuseThread"
    Write-Host "STARTED at" (Get-Date).ToString() -f Green
    $graphAccessToken = "copied from output of above sample powershell script"
    $requestHeader = @{
        "Authorization" = "Bearer $graphAccessToken"
        "Content-Type" = "application/json"
        "Prefer" = "deltashowsharingchanges,hierarchicalsharing"
    }
    Write-Host
    $deltaUri = "copied from output of above sample powershell script"
    # should look like the sample below:
    # https://graph.microsoft.com/v1.0/sites/spotenant.sharepoint.com,df6ba610-b132-4fc7-0000-000000000000,e0dbcdc6-0637-4246-0000-000000000000/drive/root/delta?token=MzslMjM0OyUyMzE7Mzs3NDlhZjc4NC0zOWU0LTRlOTEtYmJkNy0wNzI5MjAxNTNlMGY7NjM3MzM2NDU1MzMyNDcwMDAwOzMxOTY4OTE4MjslMjM7JTIzOyUyMzA
    $deltaResult = (Invoke-RestMethod -Method Get -Headers $requestHeader -Uri $deltaUri)
    Write-Host $deltaResult.value
    Write-Host
    Write-Host "DONE at" (Get-Date).ToString() -f Green
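
The script in step 3 reads only the first page of delta results. The following added example (not part of the original post) follows `@odata.nextLink` until Graph returns `@odata.deltaLink`, and keeps only the items carrying the `@microsoft.graph.sharedChanged` annotation that Graph attaches when the `deltashowsharingchanges` preference is sent. `Get-SharingChanges`, its `-Fetch` hook, and the sample pages are hypothetical names and constructed data.

```powershell
# Added example, not from the original post.
function Get-SharingChanges {
    param(
        [Parameter(Mandatory)] [string] $DeltaUri,
        # Hypothetical hook: takes a URI, returns one parsed delta page
        [Parameter(Mandatory)] [scriptblock] $Fetch
    )
    $changed = @()
    $nextDelta = $null
    $uri = $DeltaUri
    while ($uri) {
        $page = & $Fetch $uri
        foreach ($item in $page.value) {
            # Only items whose sharing/permissions changed carry this annotation
            if ($item.'@microsoft.graph.sharedChanged' -eq 'True') {
                $changed += [pscustomobject]@{
                    Id      = $item.id
                    Name    = $item.name
                    Deleted = [bool]$item.deleted   # facet present on removed items
                }
            }
        }
        # A page has either a nextLink (more pages) or a deltaLink (end of this round)
        $uri = $page.'@odata.nextLink'
        if (-not $uri) { $nextDelta = $page.'@odata.deltaLink' }
    }
    [pscustomobject]@{ Changed = $changed; NextDeltaLink = $nextDelta }
}

# Constructed sample pages standing in for Graph responses (not real tenant data)
$pages = @{
    'https://example.invalid/delta?token=t0' = '{"value":[{"id":"01A","name":"Budget.xlsx","@microsoft.graph.sharedChanged":"True"},{"id":"01B","name":"Notes.docx"}],"@odata.nextLink":"https://example.invalid/delta?token=t1"}'
    'https://example.invalid/delta?token=t1' = '{"value":[{"id":"01C","name":"HR","@microsoft.graph.sharedChanged":"True"}],"@odata.deltaLink":"https://example.invalid/delta?token=t2"}'
}
$offline = { param($u) $pages[$u] | ConvertFrom-Json }

$r = Get-SharingChanges -DeltaUri 'https://example.invalid/delta?token=t0' -Fetch $offline
$r.Changed | Format-Table      # 01A and 01C; 01B has no sharing change
Write-Host $r.NextDeltaLink    # store this link for the next scan

# Against Graph, pass a fetcher that reuses $requestHeader from step 3:
# $live = { param($u) Invoke-RestMethod -Method Get -Headers $requestHeader -Uri $u }
```

Persist `NextDeltaLink` after each run so the next scan returns only the changes made since then.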
    

    Related references:

  • Original article: https://www.cnblogs.com/bxapollo/p/13900756.html