How to identify different types of users in Azure B2C

fei*_*i0x 3 azure-ad-graph-api azure-ad-b2c

We want to query users in an Azure AD B2C directory and programmatically extract the login email for all types of users. We understand these to be:

  • Standard users
  • Guest users (B2B)
  • Local users (B2C users who signed up with an email address)
  • Social users (B2C users who signed up with a social account)

When running the API call in the Azure AD Graph Explorer:

https://graph.windows.net/myorganization/users?api-version=1.6

We can see all of these users. (The data is slightly sanitized.)

Example standard user

{
            "odata.type": "Microsoft.DirectoryServices.User",
            "objectType": "User",
            "objectId": "8b7c468b-fec4-4ff2-b448-64f99f3fa9ff",
            "deletionTimestamp": null,
            "accountEnabled": true,
            "assignedLicenses": [],
            "assignedPlans": [],
            "city": null,
            "companyName": null,
            "country": null,
            "creationType": null,
            "department": null,
            "dirSyncEnabled": null,
            "displayName": "Global User",
            "employeeId": null,
            "facsimileTelephoneNumber": null,
            "givenName": null,
            "immutableId": null,
            "isCompromised": null,
            "jobTitle": null,
            "lastDirSyncTime": null,
            "mail": null,
            "mailNickname": "global.user",
            "mobile": null,
            "onPremisesDistinguishedName": null,
            "onPremisesSecurityIdentifier": null,
            "otherMails": [],
            "passwordPolicies": null,
            "passwordProfile": null,
            "physicalDeliveryOfficeName": null,
            "postalCode": null,
            "preferredLanguage": null,
            "provisionedPlans": [],
            "provisioningErrors": [],
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2017-10-31T17:20:29Z",
            "showInAddressList": null,
            "signInNames": [],
            "sipProxyAddress": null,
            "state": null,
            "streetAddress": null,
            "surname": null,
            "telephoneNumber": null,
            "usageLocation": null,
            "userIdentities": [],
            "userPrincipalName": "global.user@qa2clientb2ctheaccesshub.onmicrosoft.com",
            "userType": "Member"
        }

Example guest user

{
            "odata.type": "Microsoft.DirectoryServices.User",
            "objectType": "User",
            "objectId": "6458e1fc-c27b-40cb-b83d-2124f0999130",
            "deletionTimestamp": null,
            "accountEnabled": true,
            "assignedLicenses": [],
            "assignedPlans": [],
            "city": null,
            "companyName": null,
            "country": null,
            "creationType": null,
            "department": null,
            "dirSyncEnabled": null,
            "displayName": "displayname",
            "employeeId": null,
            "facsimileTelephoneNumber": null,
            "givenName": "givenname",
            "immutableId": null,
            "isCompromised": null,
            "jobTitle": null,
            "lastDirSyncTime": null,
            "mail": null,
            "mailNickname": "qa_theaccesshub.com#EXT#",
            "mobile": null,
            "onPremisesDistinguishedName": null,
            "onPremisesSecurityIdentifier": null,
            "otherMails": [
                "qa@theaccesshub.com"
            ],
            "passwordPolicies": null,
            "passwordProfile": null,
            "physicalDeliveryOfficeName": null,
            "postalCode": null,
            "preferredLanguage": null,
            "provisionedPlans": [],
            "provisioningErrors": [],
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2017-10-31T15:36:22Z",
            "showInAddressList": null,
            "signInNames": [],
            "sipProxyAddress": null,
            "state": null,
            "streetAddress": null,
            "surname": "surname",
            "telephoneNumber": null,
            "usageLocation": null,
            "userIdentities": [],
            "userPrincipalName": "qa_theaccesshub.com#EXT#@qa2clientb2ctheaccesshub.onmicrosoft.com",
            "userType": "Member"
        }

Example local user

{
            "odata.type": "Microsoft.DirectoryServices.User",
            "objectType": "User",
            "objectId": "a941e75d-2c1b-4383-9d6c-783c1d008479",
            "deletionTimestamp": null,
            "accountEnabled": true,
            "assignedLicenses": [],
            "assignedPlans": [],
            "city": null,
            "companyName": null,
            "country": null,
            "creationType": "LocalAccount",
            "department": null,
            "dirSyncEnabled": null,
            "displayName": "Display Name",
            "employeeId": null,
            "facsimileTelephoneNumber": null,
            "givenName": "Glen",
            "immutableId": null,
            "isCompromised": null,
            "jobTitle": null,
            "lastDirSyncTime": null,
            "mail": null,
            "mailNickname": "98c4f2cf-a452-46a4-a33f-6fb451bc3f59",
            "mobile": null,
            "onPremisesDistinguishedName": null,
            "onPremisesSecurityIdentifier": null,
            "otherMails": [],
            "passwordPolicies": "DisablePasswordExpiration",
            "passwordProfile": null,
            "physicalDeliveryOfficeName": null,
            "postalCode": null,
            "preferredLanguage": null,
            "provisionedPlans": [],
            "provisioningErrors": [],
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2017-11-03T18:18:36Z",
            "showInAddressList": null,
            "signInNames": [
                {
                    "type": "emailAddress",
                    "value": "login.email@example.com"
                }
            ],
            "sipProxyAddress": null,
            "state": null,
            "streetAddress": null,
            "surname": "Martin",
            "telephoneNumber": null,
            "usageLocation": null,
            "userIdentities": [],
            "userPrincipalName": "98c4f2cf-a452-46a4-a33f-6fb451bc3f59@qa2clientb2ctheaccesshub.onmicrosoft.com",
            "userType": "Member"
        }

Example social user

{
            "odata.type": "Microsoft.DirectoryServices.User",
            "objectType": "User",
            "objectId": "917bddd5-40d8-4a25-9a6e-8317a6949b48",
            "deletionTimestamp": null,
            "accountEnabled": false,
            "assignedLicenses": [],
            "assignedPlans": [],
            "city": null,
            "companyName": null,
            "country": null,
            "creationType": null,
            "department": null,
            "dirSyncEnabled": null,
            "displayName": "Display Name",
            "employeeId": null,
            "facsimileTelephoneNumber": null,
            "givenName": "GivenName",
            "immutableId": null,
            "isCompromised": null,
            "jobTitle": null,
            "lastDirSyncTime": null,
            "mail": null,
            "mailNickname": "unknown",
            "mobile": null,
            "onPremisesDistinguishedName": null,
            "onPremisesSecurityIdentifier": null,
            "otherMails": [
                "another.login.email@example.com"
            ],
            "passwordPolicies": null,
            "passwordProfile": {
                "password": null,
                "forceChangePasswordNextLogin": true,
                "enforceChangePasswordPolicy": false
            },
            "physicalDeliveryOfficeName": null,
            "postalCode": null,
            "preferredLanguage": null,
            "provisionedPlans": [],
            "provisioningErrors": [],
            "proxyAddresses": [],
            "refreshTokensValidFromDateTime": "2017-11-02T13:48:09Z",
            "showInAddressList": null,
            "signInNames": [],
            "sipProxyAddress": null,
            "state": null,
            "streetAddress": null,
            "surname": "Surname",
            "telephoneNumber": null,
            "usageLocation": null,
            "userIdentities": [],
            "userPrincipalName": "cpim_662effe2-cd73-4f4a-8b42-2af5f68b2db1@qa2clientb2ctheaccesshub.onmicrosoft.com",
            "userType": "Member"
        }

In summary, we noticed:

Standard user

  • userPrincipalName looks normal
  • The login email can be found in: userPrincipalName
  • creationType is: null

Guest user

  • userPrincipalName looks like the external directory UPN, followed by '#EXT#', followed by this tenant's primary domain
  • The login email can be found in: otherMails[0]
  • creationType is: null

Local user

  • userPrincipalName looks like an object id, followed by this tenant's primary domain
  • The login email can be found in: signInNames[0].value
  • creationType is: LocalAccount

Social user

  • userPrincipalName looks like 'cpim_' followed by an object id, followed by this tenant's primary domain
  • The login email can be found in: otherMails[0]
  • creationType is: null

Although we can see some trends, we'd rather not guess or make wrong assumptions. So we have the following questions:

1) What is the best way to know which of the four user types we are looking at?

2) Is there a simpler way to get the login (ideally as a single field; we are trying to build this as a simple mapping)? Other than:

If signInNames[0].value is not null use signInNames[0].value
Elseif otherMails[0] is not null use otherMails[0]
Else userPrincipalName

3) Do other social users behave differently? (So far we have only done Facebook.)

4) For social users, what is the best way to know which identity provider was used?

Update 11/8:

5) Why don't LocalAccount users get an otherMails value?

6) Why don't non-LocalAccount users get signInNames? I guess this was added specifically for B2C?

7) Also, I guess end users really can't link a social account and a local account today? (Except with an application that leverages the Graph.)

Update 11/8 #2:

8) Is it safe (for now) to assume I can disambiguate a B2C signed-up individual who can only sign in with a social account using the following criteria:

  • creationType is: null - meaning they are not a local user
  • userPrincipalName is prefixed with 'cpim_' followed by a UUID - meaning they are probably not a standard or guest user

Or would there be a better way?

Ome*_*bal 8

1) These are not mutually exclusive properties. For example, a local account, guest or member user can also link multiple social profiles to their account. The underlying data (exposed through the Graph API) makes no assumptions.

The most reliable way to know whether an account is a local user is to look at the creationType property. You can also look at signInNames. That said, it does not mean the user won't link their social profiles in the future. It's just that this capability is not exposed in the B2C standard policies.

2) signInNames are definitely used to sign the user in. However, as far as the directory is concerned, a user can also have multiple signInNames. That's why signInNames is a collection. So a utility company or a bank might have both an account ID and an email address as signInNames.

otherMails is not an attribute used to sign the user in. So you probably want to skip it. Think of otherMails as email addresses in the directory that are not used for any critical function (e.g. they are not used for sign-in or password reset, etc.)

You use userPrincipalName for work accounts.

3) All social accounts are treated as external user identities and are mapped the same way. They are not yet exposed through the Graph API, but when they are, they will also appear as a collection, since a user may be linked to multiple social accounts.

4) Not possible today, but in the future.

Update 11/8 to answer the additional questions

5) Only because there is no email address in the B2C standard flows that could be added to otherMails for local account users. The email address they used to sign up is already in the signInNames property. Through the Graph API you can add otherMails, and when a token is issued it will show up in the emails claim even for a local account user.

6) Non-local account users don't get a signInName because they don't need to sign in with signInNames. Work accounts use userPrincipalName, which can be tied to Office 365, Exchange or on-premises AD. Social IDPs have external identities. So, at least today, there is no known scenario where signInNames is needed for non-local accounts.

7) Yes, today it's not possible to link a social account with a local account through the standard policies, but it can be done through custom policies. It is also not yet possible through the Graph API (since external identities are not exposed yet), but the API may be exposed in the future.

Update 11/24:

8) If you look at the user principal name, you'll find it is random. cpim_ can be removed at any time; it is not part of the contract. In fact, IMHO, it should be removed so that applications don't depend on it.

To determine this properly, we expect to publish a new "userIdentities" property on user accounts, with which you can determine which social IDPs a user account is linked to. That will be the best approach.
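The mapping asked for in question 2, written out as an added example (not code from the question, the answer, or Microsoft). It classifies the four sample objects from the question and returns the best available identifier for each, while carrying the answer's caveats: only the `creationType` check is a documented signal, the `#EXT#` and `cpim_` UPN shapes are observed heuristics that the answer says are not contractual, and `otherMails` is not a sign-in attribute, so the result marks whether the identifier is actually what the directory uses for sign-in. The sample records are constructed, trimmed copies of the objects shown above; the function names `classify_user`, `login_identifier` and `build_login_map` are this example's own.

```python
import re

# Constructed sample records: trimmed copies of the four objects in the
# question, keeping only the fields the heuristics read.
SAMPLE_USERS = [
    {   # standard (work) user
        "userPrincipalName": "global.user@qa2clientb2ctheaccesshub.onmicrosoft.com",
        "creationType": None, "signInNames": [], "otherMails": [],
    },
    {   # guest (B2B) user
        "userPrincipalName": "qa_theaccesshub.com#EXT#@qa2clientb2ctheaccesshub.onmicrosoft.com",
        "creationType": None, "signInNames": [], "otherMails": ["qa@theaccesshub.com"],
    },
    {   # local (B2C email sign-up) user
        "userPrincipalName": "98c4f2cf-a452-46a4-a33f-6fb451bc3f59@qa2clientb2ctheaccesshub.onmicrosoft.com",
        "creationType": "LocalAccount",
        "signInNames": [{"type": "emailAddress", "value": "login.email@example.com"}],
        "otherMails": [],
    },
    {   # social (B2C Facebook sign-up) user
        "userPrincipalName": "cpim_662effe2-cd73-4f4a-8b42-2af5f68b2db1@qa2clientb2ctheaccesshub.onmicrosoft.com",
        "creationType": None, "signInNames": [], "otherMails": ["another.login.email@example.com"],
    },
]

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def classify_user(user):
    """Return 'local', 'guest', 'social' or 'standard'.

    Only the 'local' branch rests on a documented attribute (creationType).
    The guest and social branches rely on the UPN shapes observed in the
    question; the answer warns that the 'cpim_' prefix is not contractual,
    so treat the 'social' result as a best-effort guess.
    """
    if user.get("creationType") == "LocalAccount":
        return "local"
    local_part, _, _domain = (user.get("userPrincipalName") or "").rpartition("@")
    if "#EXT#" in local_part:
        return "guest"
    if local_part.startswith("cpim_") and UUID_RE.match(local_part[len("cpim_"):]):
        return "social"
    return "standard"


def login_identifier(user):
    """Return (kind, identifier, authoritative).

    authoritative is True only when the identifier is one the directory
    really signs the user in with: signInNames for local accounts and the
    UPN for work accounts. otherMails is not a sign-in attribute, so for
    guest and social users the value is merely the best contact address
    available until the directory exposes external identities.
    """
    kind = classify_user(user)
    if kind == "local":
        for entry in user.get("signInNames") or []:
            if entry.get("type") == "emailAddress" and entry.get("value"):
                return kind, entry["value"], True
        return kind, None, False
    if kind in ("guest", "social"):
        mails = user.get("otherMails") or []
        return kind, (mails[0] if mails else None), False
    return kind, user.get("userPrincipalName"), True


def build_login_map(users):
    """Map each user's UPN to its (kind, identifier, authoritative) triple."""
    return {u["userPrincipalName"]: login_identifier(u) for u in users}


if __name__ == "__main__":
    for upn, (kind, ident, authoritative) in build_login_map(SAMPLE_USERS).items():
        print(f"{kind:8} {ident!s:45} authoritative={authoritative}  <- {upn}")
```

The `authoritative` flag is the practical takeaway from the answer: a report built from this map should treat the guest and social rows as unverified contact addresses, not as the credential the user signs in with, and the `social` classification should be re-checked once `userIdentities` is available.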