Get Azure users via REST APIs
I want to get the list of active Azure users and their set of permissions (roles) via the REST API.
So far I have not been able to get them directly. I tried to find them through Active Directory, but so far without success.
Here is the documentation for the Azure REST API.
Thanks in advance.
You can get a user's roles by querying the role assignments for the subscription.
Example URL:
https://management.azure.com/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2015-07-01
Of course, you need to put your own subscription ID in there :)
$filter=atScope() is needed to get only the subscription-level roles; otherwise it also returns the roles on resource groups and resources.
Example response:
{
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"principalId": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"scope": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"createdOn": "2018-03-04T19:38:21.9632037Z",
"updatedOn": "2018-03-04T19:38:21.9632037Z",
"createdBy": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"updatedBy": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
},
"id": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleAssignments/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"type": "Microsoft.Authorization/roleAssignments",
"name": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
}
]
}
principalId will be the objectId of the service principal, group or user assigned to this role.
You also need to find out what the ID of each role is. Here I take the roleDefinitionId and use it in another query to get the role definition, e.g.:
https://management.azure.com/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa?api-version=2015-07-01
Its response is:
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action"
]
}
],
"createdOn": "0001-01-01T08:00:00.0000000Z",
"updatedOn": "2016-12-14T02:04:45.1393855Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleDefinitions/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
}
You can also get all roles by omitting the ID.
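The two calls in this answer (list role assignments at subscription scope, then resolve each roleDefinitionId to a definition) are easy to join programmatically, and the resulting definition can be evaluated to answer "may this principal perform action X?". The script below is an added example, not code from the answer: it builds the same ARM URLs, follows ARM's nextLink pagination, joins assignments to definitions, and implements the Actions-minus-NotActions rule from the role definition shown above. The sample payloads, GUIDs and the bearer token are constructed or assumed; arm_fetch is only used for a live run.

```python
"""Join Azure RBAC role assignments to role definitions and test an action.
Added example; shapes follow the ARM responses shown in the answer. The sample
payloads and GUIDs below are constructed placeholders, not real identifiers."""
import json
import re
import urllib.request
from collections import defaultdict

ARM = "https://management.azure.com"
API_VERSION = "2015-07-01"  # version used in the answer; newer ARM versions exist


def role_assignments_url(subscription_id, at_scope=True):
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Authorization/"
           f"roleAssignments?api-version={API_VERSION}")
    # atScope() keeps assignments at this scope (plus those inherited from above);
    # without it ARM also returns assignments on every resource group and resource.
    return url + "&$filter=atScope()" if at_scope else url


def role_definitions_url(subscription_id):
    # Omitting the definition GUID lists every definition visible at this scope.
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Authorization/"
            f"roleDefinitions?api-version={API_VERSION}")


def arm_fetch(bearer_token):
    """fetch(url) -> dict for live use. Assumption: the token was obtained out of
    band for resource https://management.azure.com/."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def get_all(fetch, url):
    """Follow ARM list pagination (nextLink) until exhausted."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def _matches(pattern, action):
    # RBAC action strings: '*' is the only wildcard; comparison is case-insensitive.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(definition, action):
    """True if some permissions block grants `action` through Actions and does not
    remove it through NotActions (NotActions subtracts; it is not a deny)."""
    for perm in definition["properties"]["permissions"]:
        granted = any(_matches(a, action) for a in perm.get("actions", []))
        excluded = any(_matches(n, action) for n in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False


def assignments_by_principal(assignments, definitions):
    """{principalId: [(roleName, scope), ...]}. ARM resource IDs are
    case-insensitive, so they are lower-cased before matching. This API version
    does not say whether a principalId is a user, group or service principal;
    that has to be resolved in the directory."""
    by_id = {d["id"].lower(): d for d in definitions}
    out = defaultdict(list)
    for a in assignments:
        props = a["properties"]
        d = by_id.get(props["roleDefinitionId"].lower())
        name = d["properties"]["roleName"] if d else props["roleDefinitionId"]
        out[props["principalId"]].append((name, props["scope"]))
    return dict(out)


# --- constructed sample data (placeholder GUIDs) ---
SUB = "11111111-1111-1111-1111-111111111111"
CONTRIB_DEF = (f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/"
               "22222222-2222-2222-2222-222222222222")
SAMPLE_ASSIGNMENTS = [{"properties": {"roleDefinitionId": CONTRIB_DEF,
                                      "principalId": "33333333-3333-3333-3333-333333333333",
                                      "scope": f"/subscriptions/{SUB}"}}]
SAMPLE_DEFINITIONS = [{"id": CONTRIB_DEF, "properties": {"roleName": "Contributor", "permissions": [
    {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete",
                                      "Microsoft.Authorization/*/Write",
                                      "Microsoft.Authorization/elevateAccess/Action"]}]}}]

if __name__ == "__main__":
    print(json.dumps(assignments_by_principal(SAMPLE_ASSIGNMENTS, SAMPLE_DEFINITIONS), indent=2))
    contrib = SAMPLE_DEFINITIONS[0]
    print("start VM:", role_allows(contrib, "Microsoft.Compute/virtualMachines/start/action"))
    print("write role assignment:", role_allows(contrib, "Microsoft.Authorization/roleAssignments/write"))
```

For a live run, replace the constructed lists with get_all(arm_fetch(token), role_assignments_url(sub)) and get_all(arm_fetch(token), role_definitions_url(sub)). Note that atScope() hides assignments made directly on resource groups and resources, so an access review that wants every grant in the subscription should query without the filter.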
Microsoft introduced the Graph APIs to get user details and the attached roles.
User details API:
https://graph.windows.net//users?api-version=1.6
Authorization: access token
For the access token you can use https://graph.windows.net/ as the resource and https://login.microsoftonline.com/ as the authentication endpoint.
Note: you must also have the Microsoft Graph API permissions.
Below are some other Graph API endpoints:
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/directoryroles-operations
Directory roles:
https://graph.windows.net/myorganization/directoryRoles?api-version=1.6
List users with a role:
https://graph.windows.net/myorganization/directoryRoles/ce8c598b-20eb-42b6-89c6-cf6c184ba416/$links/members?api-version=1.6
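The graph.windows.net (Azure AD Graph) endpoints in this answer have since been retired; the same data is served by Microsoft Graph at https://graph.microsoft.com/v1.0 (/users, /directoryRoles, /directoryRoles/{id}/members), which requires a token issued for https://graph.microsoft.com with a permission such as Directory.Read.All. The script below is an added example, not code from the answer: it lists the activated directory roles, resolves each role's user members, and joins them against the user list so that enabled and disabled role holders are reported separately, which is the check the original question (active users and their roles) is really after. The sample responses, object IDs and UPNs are constructed; graph_fetch is only used for a live run.

```python
"""Directory roles and the users holding them, via Microsoft Graph v1.0.
Added example, not from the answer. Sample responses and IDs are constructed."""
import json
import urllib.request
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/v1.0"
USERS_URL = f"{GRAPH}/users?$select=id,userPrincipalName,accountEnabled"
ROLES_URL = f"{GRAPH}/directoryRoles"


def graph_fetch(bearer_token):
    """fetch(url) -> dict for live use. Assumption: token issued for
    https://graph.microsoft.com with at least Directory.Read.All."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def get_all(fetch, url):
    """Follow Microsoft Graph's @odata.nextLink pagination."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def role_members(fetch):
    """{roleDisplayName: [user object ids]} for every activated role.
    /members returns directoryObjects; only users are kept here, so groups and
    service principals that hold a role must be reviewed separately."""
    result = {}
    for role in get_all(fetch, ROLES_URL):
        members = get_all(fetch, f"{ROLES_URL}/{role['id']}/members")
        result[role["displayName"]] = [m["id"] for m in members
                                       if m.get("@odata.type") == "#microsoft.graph.user"]
    return result


def users_with_roles(fetch):
    """Return (enabled, disabled): each {userPrincipalName: [role names]}.
    Disabled accounts that still hold a role are the offboarding gap an
    access review is looking for."""
    users = {u["id"]: u for u in get_all(fetch, USERS_URL)}
    enabled, disabled = defaultdict(list), defaultdict(list)
    for role, ids in role_members(fetch).items():
        for oid in ids:
            u = users.get(oid)
            if u is None:
                continue
            (enabled if u["accountEnabled"] else disabled)[u["userPrincipalName"]].append(role)
    return dict(enabled), dict(disabled)


# --- constructed sample responses keyed by URL (placeholder IDs, two user pages) ---
ROLE_ID = "aaaa0000-0000-0000-0000-000000000001"
SAMPLE = {
    USERS_URL: {"value": [{"id": "u-1", "userPrincipalName": "alice@contoso.example",
                           "accountEnabled": True}],
                "@odata.nextLink": USERS_URL + "&$skiptoken=page2"},
    USERS_URL + "&$skiptoken=page2": {"value": [
        {"id": "u-2", "userPrincipalName": "bob@contoso.example", "accountEnabled": False},
        {"id": "u-3", "userPrincipalName": "carol@contoso.example", "accountEnabled": True}]},
    ROLES_URL: {"value": [{"id": ROLE_ID, "displayName": "Global Administrator"}]},
    f"{ROLES_URL}/{ROLE_ID}/members": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-1"},
        {"@odata.type": "#microsoft.graph.user", "id": "u-2"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1"}]},
}


def sample_fetch(url):
    """Offline stand-in for graph_fetch(token)."""
    return SAMPLE[url]


if __name__ == "__main__":
    enabled, disabled = users_with_roles(sample_fetch)
    print("enabled role holders:", enabled)
    print("disabled but still privileged:", disabled)
```

Swap sample_fetch for graph_fetch(token) to run against a tenant. /directoryRoles only lists roles that have been activated in the tenant; roles that exist as templates but were never activated have no members and do not appear.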