• AAD Service Principal获取azure user list (Microsoft Graph API)


    本段代码是个通用性很强的sample code,不仅能够操作AAD本身,也能通过Azure Service Principal的授权来访问和控制Azure的订阅资源。(Azure某种程度上能看成是两个层级:AAD+Subscription)

    下文中的代码是演示的screenshot中的红字2的部分。红字1的部分的permission实质上是赋予AAD service principal操作订阅的权限(这个需要切换var resource = “https://management.core.chinacloudapi.cn/“)

    预先准备

    1. 注册一个Azure AD application
    2. 对这个aad application赋予适当的权限

    sample code 如下:

      1 using Microsoft.IdentityModel.Clients.ActiveDirectory;
      2 using Newtonsoft.Json;
      3 using Newtonsoft.Json.Linq;
      4 using System;
      5 using System.Collections.Generic;
      6 using System.Collections.Specialized;
      7 using System.IO;
      8 using System.Linq;
      9 using System.Net;
     10 using System.Net.Http;
     11 using System.Net.Http.Headers;
     12 using System.Text;
     13 using System.Threading.Tasks;
     14  
     15 namespace AadGraphApi
     16 {
     17     class Program
     18     {
     19         static void Main(string[] args)
     20         {
     21             //Demo below AAD graph api
     22             //1. List All users in AAD
     23             //2. Check user existence
     24             //3. Get AppRoleAssignment
     25             //4. implement the appRoleAssignment
     26  
     27             //Test MoonCake Azure
     28             //Task task = CnTest();
     29  
     30             //Test Global Azure
     31             Task task = CnTest();
     32             var x = task;
     33             Console.WriteLine("**--------done-------**");
     34             Console.ReadLine();
     35         }
     36         // using Http Request to get Token
     37         private static async Task<string> CnAppAuthenticationAsync()
     38         {
     39             // Using in Mooncake Azure
     40             // Constants
     41             var tenant = "";
     42             var resource = "https://graph.chinacloudapi.cn";
     43             //var resource = "https://management.core.chinacloudapi.cn/";
     44             var clientID = "";
     45             var secret = "";
     46             // Ceremony
     47             var authority = $"https://login.chinacloudapi.cn/{tenant}";
     48             var authContext = new AuthenticationContext(authority);
     49             var credentials = new ClientCredential(clientID, secret);
     50             var authResult = await authContext.AcquireTokenAsync(resource, credentials);
     51             return authResult.AccessToken;
     52         }
     53  
     54         private static async Task CnTest()
     55         {
     56             var token = await CnAppAuthenticationAsync();
     57  
     58             using (var client = new HttpClient())
     59             {
     60                 //
     61                 //be careful for the specific parameters in the URI . replace it with yours
     62                 //
     63                 client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
     64  
     65                 var apiUriUserExist = new Uri("https://graph.chinacloudapi.cn/{yourtenantid}/users/**.partner.onmschina.cn?api-version=1.6");
     66                 var apiUriListAllUser = new Uri("https://graph.chinacloudapi.cn/**.partner.onmschina.cn/users?api-version=1.6");
     67                 var apiUriGetAppRoleAssignment = new Uri("https://graph.chinacloudapi.cn/**。partner.onmschina.cn/users/**.partner.onmschina.cn/appRoleAssignments?api-version=1.6");
     68  
     69                 //var userExist = await DoesUserExistsAsync(client, apiUriUserExist);
     70                 //Console.WriteLine($"Does user exists? {userExist}");
     71  
     72                 var userLists = await ListAllUsers(client, apiUriListAllUser);
     73                 Console.WriteLine(userLists);
     74                 /*
     75                 var appRoleList = await GetAppRoleAssignment(client, apiUriGetAppRoleAssignment);
     76                 Console.WriteLine(appRoleList);
     77  
     78                 //post request for AAD appRoleAssignment
     79                 await CnPostAppRoleAssignment(client);
     80                 //
     81                 */
     82             }
     83         }
     84  
     85         private static async Task<bool> DoesUserExistsAsync(HttpClient client, Uri apiUri)
     86         {
     87             try
     88             {
     89                 var payload = await client.GetStringAsync(apiUri);
     90                 return true;
     91             }
     92             catch (HttpRequestException)
     93             {
     94                 return false;
     95             }
     96         }
     97  
     98         private static async Task<string> ListAllUsers(HttpClient client, Uri apiUri)
     99         {
    100             try
    101             {
    102                 var payload = await client.GetStringAsync(apiUri);
    103                 return payload;
    104             }
    105             catch (HttpRequestException ex)
    106             {
    107                 return ex.ToString();
    108             }
    109         }
    110     }
    111 }

    本段代码通过授权去拿Azure AD 中的user。还有很多其他的操作,比如delete user, list all user , Azure提供了一系列的Graph API 
    同理我们也能通过Managment授权发送操作资源的http请求达到代码控制Azure订阅资源的目的。

  • 相关阅读:
    hdu4930 Fighting the Landlords(模拟 多校6)
    hdu4888 多校B 最大流以及最大流唯一推断+输出方案
    xUtils介绍 -- DbUtils、ViewUtils、HttpUtils、BitmapUtils
    java 读取properties文件
    poj1062昂贵的聘礼
    杭电 HDU 2717 Catch That Cow
    iOS使用自己定义字体
    Elasticsearch 2014年10月简报
    html 上下左右都居中
    Linux 比较判断运算(if else)
  • 原文地址:https://www.cnblogs.com/yangwenbo214/p/9836313.html
Copyright © 2020-2023  润新知