powershell Microsoft.Graph以列出分配给应用程序的用户

3pmvbmvn  于 2022-11-10  发布在  Shell
关注(0)|答案(1)|浏览(107)

我正在将Azure AD PowerShell脚本转换为使用Graph。这个剧本我没有成功地弄清楚如何转换。该脚本返回分配给应用程序的所有用户。
以下是原始的Azure AD脚本。

Get-AzureADServicePrincipal -SearchString $appName | % {

# Build a hash table of the service principal's app roles. The 0-Guid is

# used in an app role assignment to indicate that the principal is assigned

# to the default app role (or rather, no app role).

  $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
  $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }
  # Get the app role assignments for this app, and add a field for the app role name
  Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) |
    Where-Object PrincipalType -eq "User" | % {  $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -Passthru } | % { 
    $user = Get-AzureADUser -ObjectId $_.PrincipalId
    $_ | Add-Member "UserPrincipalName" $user.UserPrincipalName -Passthru  }
}

然后,使用迁移指南https://learn.microsoft.com/en-us/powershell/microsoftgraph/azuread-msoline-cmdlet-map?source=recommendations&view=graph-powershell-1.0,我将其转换为以下格式。

Get-MgServicePrincipal -Filter ("DisplayName eq '" + $appName + "'") | % {

# Build a hash table of the service principal's app roles. The 0-Guid is

# used in an app role assignment to indicate that the principal is assigned

# to the default app role (or rather, no app role).

  $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
  $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }
  # Get the app role assignments for this app, and add a field for the app role name
  Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId ($_.Id) |
    Where-Object PrincipalType -eq "User" | % {  $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -Passthru } | % { 
    $user = Get-MgUser -Id $_.PrincipalId
    $_ | Add-Member "UserPrincipalName" $user.UserPrincipalName -Passthru  }
}

当我运行它时,我没有收到任何错误。但是,它不返回任何结果。如何在MICROSOFT.GRAPH中执行此操作?
谢谢

7rtdyuoh

7rtdyuoh1#

在我看来,您当前使用的cmdlet是错误的Get-MgServicePrincipalAppRoleAssignment cmdlet does

  • 授予此服务主体的另一个应用或服务的应用角色分配。*

当您筛选PrincipalType -eq "User"时,您将不会得到任何对象。
如果您只想列出企业应用程序门户中“用户和组”下的可用对象,则可以执行以下操作:

$Assignees = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId [objectIdServicePrincipal] -all

请记住,始终指定参数-all,否则将得到max。退回100件物品。顺便说一句。您可以分配用户和组,因此我认为您还应该查找分配的组的成员(Get-MgGroupTransitiveMember/Get-MgGroupMember)

相关问题