Assign application to user based on e-mail address

Our school uses Azure AD. Currently we have two custom applications, A and B.

We should assign application A to all users whose mail address is *@student.example.com, and users with @example.com to application B.

How can we assign users based on this criterion without doing it manually?

You can use the Graph API to automate this process. Here is a PowerShell script I wrote that uses the Graph API:

Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

# Some common fields to log into your tenant.
$tenantID = "<your tenantID>"
$loginEndpoint = "https://login.windows.net/"

# The default redirect URI and client id (the well-known Azure PowerShell client).
# No need to change them.
$redirectURI = New-Object System.Uri ("urn:ietf:wg:oauth:2.0:oob")
$clientID = "1950a258-227b-4e31-a9cf-717495945fc2"

$username = "<a global user of your tenant>"

$email_prefix1 = "*@student.example.com"
$email_prefix2 = "*@example.com"

# The display names of your AD apps. They are matched exactly with the
# "eq" filter, so one name may safely be a prefix of the other.
$apps1 = "<the display name of your first AD application>"
$apps2 = "<the display name of your second AD application>"

$resource = "https://graph.windows.net/"

# logging into your tenant to get the authorization header.
$authString = $loginEndpoint + $tenantID

$authenticationContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext ($authString, $false)

$promptBehaviour = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto

$userIdentifierType = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifierType]::RequiredDisplayableId

$userIdentifier = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier ($username, $userIdentifierType)

$authenticationResult = $authenticationContext.AcquireToken($resource, $clientID, $redirectURI, $promptBehaviour, $userIdentifier)

# construct authorization header for the REST API.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# getting the service principal object id of the 2 AD apps.
# Fail early if the name resolves to zero or several principals, instead of
# silently assigning every user to a null resource.
function Get-ServicePrincipalObjectId([string]$displayName) {
    $uri = "https://graph.windows.net/$tenantID/servicePrincipals?api-version=1.5&`$filter=displayName eq '$displayName'"
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    if (@($result.value).Count -ne 1) {
        throw "Expected exactly one service principal named '$displayName', found $(@($result.value).Count)."
    }
    return $result.value[0].objectId
}

$app1_objectId = Get-ServicePrincipalObjectId $apps1
$app2_objectId = Get-ServicePrincipalObjectId $apps2

# getting the users in the tenant. The API returns one page (100 users by
# default) per call, so follow odata.nextLink until there is none.
$uri = "https://graph.windows.net/$tenantID/users?api-version=1.5"
$allUsers = @()
do {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $allUsers += $page.value
    $nextLink = $page.'odata.nextLink'
    if ($nextLink) {
        # nextLink is relative to the tenant and carries no api-version.
        $uri = "https://graph.windows.net/$tenantID/$nextLink&api-version=1.5"
    }
} while ($nextLink)

# loop through the whole user list to assign the AD apps.
foreach ($user in $allUsers){
    $userID = $user.objectId

    # otherMails[0] is $null for users without an alternate address, and
    # $null -like '*@...' is $false, so those users fall through to "continue".
    if ($user.otherMails[0] -like $email_prefix1){
        $resourceId = $app1_objectId
    }
    elseif ($user.otherMails[0] -like $email_prefix2){
        $resourceId = $app2_objectId
    }
    else{
        continue
    }

    # Leave the id to be 00000000-0000-0000-0000-000000000000.
    # This is exactly how Azure Classic Portal handles user assigning.
    # That means if you assign a user to an AD application in the portal,
    # the appRoleAssignment will have the id 00000000-0000-0000-0000-000000000000.
    $body = @"
{"id":  "00000000-0000-0000-0000-000000000000",
 "principalId":  "$userID",
 "resourceId":  "$resourceId"
}
"@

    $uri = "https://graph.windows.net/$tenantID/users/$userID/appRoleAssignments?api-version=1.5"
    try {
        Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body -ErrorAction Stop | Out-Null
        Write-Host "Assigned $($user.userPrincipalName) to $resourceId"
    }
    catch {
        # e.g. the user is already assigned; report it and keep going.
        Write-Warning "Failed to assign $($user.userPrincipalName): $($_.Exception.Message)"
    }
}

Note that I am using the e-mail address in otherMails. If you are using Live IDs, that e-mail address is the user's Live ID. If you are using organizational IDs, you can set it in the alternate e-mail address field in the Classic Portal.
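As an added example that is not part of the original answer: the same assignment done against Microsoft Graph (graph.microsoft.com) with the Microsoft.Graph PowerShell module, which is what you would use today, since the Azure AD Graph endpoint (graph.windows.net) the script above calls has been retired. Assumptions: the module is installed, the signed-in administrator can consent to the AppRoleAssignment.ReadWrite.All, Application.Read.All and User.Read.All scopes, and the two enterprise applications are named "App A" and "App B". It goes slightly beyond the answer's script in two ways: it matches any address a user owns (mail and every otherMails entry) rather than only otherMails[0], and it skips users who already hold an assignment to the target app so the script can be re-run on a schedule.

```powershell
# Added example, not from the original answer: the same assignment against
# Microsoft Graph with the Microsoft.Graph PowerShell module.
# Assumed: the module is installed, the signed-in admin can consent to the
# scopes below, and the enterprise applications are named "App A" and "App B".
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All", "User.Read.All"

$graph = "https://graph.microsoft.com/v1.0"

# Resolve an enterprise application to its service principal by exact display
# name (eq, not startswith), and refuse to continue on zero or several hits.
function Get-ServicePrincipalId([string]$displayName) {
    $uri = "$graph/servicePrincipals?`$filter=displayName eq '$displayName'&`$select=id,displayName"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($result.value.Count -ne 1) {
        throw "Expected exactly one service principal named '$displayName', found $($result.value.Count)."
    }
    return $result.value[0].id
}

# Ordered rules: the more specific student domain is checked first, so a
# student address is never assigned to App B.
$rules = @(
    @{ Pattern = "*@student.example.com"; ResourceId = (Get-ServicePrincipalId "App A") },
    @{ Pattern = "*@example.com";         ResourceId = (Get-ServicePrincipalId "App B") }
)

# Default-access role: the same all-zero id the portal uses for user assignment.
$defaultAppRoleId = "00000000-0000-0000-0000-000000000000"

# Page through every user; $top=999 is the maximum page size for /users.
$uri = "$graph/users?`$select=id,userPrincipalName,mail,otherMails&`$top=999"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($user in $page.value) {
        # Consider every address the user owns, not only otherMails[0].
        $addresses = @($user.mail) + @($user.otherMails) | Where-Object { $_ }

        $rule = $null
        foreach ($candidate in $rules) {
            if ($addresses | Where-Object { $_ -like $candidate.Pattern }) { $rule = $candidate; break }
        }
        if (-not $rule) { continue }

        # Idempotency: skip users who already hold an assignment to this app, so
        # the script can be re-run on a schedule without errors or duplicates.
        $existing = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($user.id)/appRoleAssignments"
        if ($existing.value | Where-Object { $_.resourceId -eq $rule.ResourceId }) { continue }

        $body = @{
            principalId = $user.id
            resourceId  = $rule.ResourceId
            appRoleId   = $defaultAppRoleId
        }
        Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$($user.id)/appRoleAssignments" -Body $body | Out-Null
        Write-Host "Assigned $($user.userPrincipalName) to $($rule.ResourceId)"
    }
    # @odata.nextLink is absent on the last page, which ends the loop.
    $uri = $page.'@odata.nextLink'
}
```

Run it interactively once to grant consent for the three scopes; on later runs it only creates the assignments that are missing, so it is safe to schedule against a tenant where accounts are created and renamed throughout the year.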