如何使用Azure Active Directory .NET SDK删除AppRoleAssignment?
我想弄清楚如何使用Azure Active Directory的图形API从组或用户中删除AppRoleAssignment。我正在使用.NET SDK(Microsoft.Azure.ActiveDirectory.GraphClient)。如何使用Azure Active Directory .NET SDK删除AppRoleAssignment?
我试过使用每IEntityBase标准DeleteAsync方法,但它失败并报错。它的发行,看起来像这样的HTTP请求:
DELETE /{tenantId}/directoryObjects/{appRoleAssignment ObjectID}/Microsoft.DirectoryServices.AppRoleAssignment?api-version=1.5
其失败与错误400错误的请求“直接查询,此资源类型不被支持。”
这并不是删除使用根据图形API AppRoleAssignments到this Microsoft blog post正确的方法它说你需要做的,看起来HTTP请求,如:
DELETE /{tenantId}/users/{user object ID}/appRoleAssignments/{appRoleAs}?api-version=1.5
如果我做一个手动的HTTP请求使用HttpClient使用该URL格式,它可以工作,但我想知道如何在.NET库的范围内执行此操作,而不是自己手动执行HTTP请求。
如何通过.NET库删除AppRoleAssignments?
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
user = (User) await client.Users.GetByObjectId(objectId).ExecuteAsync();
var roleId = "";
await user.AppRoleAssignments.Where(t=>t.ObjectId==roleId).FirstOrDefault().DeleteAsync();
下列网站可能会有所帮助:
https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet
虽然是不固定的,你可以手动HTTP请求,但仍然使用Azure的AD SDK来acqure令牌。像这样的:
var tenantId = "<guid> tenant id";
var appId = "<guid> your Azure app id";
var appKey = "your app key";
var authority = "i.e. https://login.windows.net/mycompany.onmicrosoft.com";
var graphUrl = "https://graph.windows.net/";
public async Task RemoveRoleFromUser(Guid userId, string roleObjectId) {
var uri = string.Format("{0}/users/{1}/appRoleAssignments/{2}?api-version=1.5", tenantId, userId, roleObjectId);
await ExecuteRequest<object>(uri, HttpMethod.Delete);
}
private async Task<T> ExecuteRequest<T>(string uri, HttpMethod method = null, Object body = null) where T : class {
if (method == null) method = HttpMethod.Get;
T response;
var token = await AcquireTokenAsyncForApplication();
using (var httpClient = new HttpClient { BaseAddress = getServicePointUri() }) {
var request = new HttpRequestMessage(method, uri);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
if (body != null) {
request.Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json");
}
var responseMessage = await httpClient.SendAsync(request).ConfigureAwait(false);
responseMessage.EnsureSuccessStatusCode();
response = await responseMessage.Content.ReadAsAsync<T>();
}
return response;
}
private async Task<string> AcquireTokenAsyncForApplication() {
ClientCredential clientCred = new ClientCredential(appId, appKey);
var authenticationContext = new AuthenticationContext(authority, false);
AuthenticationResult authenticationResult = authenticationContext.AcquireToken(graphUrl, clientCred);
return authenticationResult.AccessToken;
}
private Uri getServicePointUri() {
Uri servicePointUri = new Uri(graphUrl);
Uri serviceRoot = new Uri(servicePointUri, tenantId);
return serviceRoot;
}
谢谢,但你的例子不起作用。哪里不是关闭user.AppRoleAssignments的扩展方法,因为它是一个IPagedCollection,即使您重复该操作,也不会加载任务。尝试从IUserFetcher(来自Users.GetByObjectId)的.Expand加载它们会导致异常。我已经在AppRoleAssignment实例上尝试过DeleteAsync(它实现了IEntityBase),它也会导致异常,因为它会发出不正确的请求(请参阅问题)。 – 2015-04-21 13:02:29
对不起,在这里延迟响应丹尼尔。我们在客户端库中存在一个问题,我们正在跟踪此问题 - 正如您发现通过DeleteAsync()方法目前不可能这样。我们希望我们很快能够解决这个问题,以便删除应用程序角色分配。 – 2015-04-22 17:41:51
@丹克肖可以让我们知道它的解决与否。我试图通过库删除,但仍然无法正常工作。 – 2016-08-15 13:00:09