MS graph expanding and then filtering for multiple props does not apply filter

Time:11-02

I'm trying to query Graph to get all the users in my tenant that have access to a specific resource (i.e. my web application) and have a particular role.

This is what I got so far:

https://graph.microsoft.com/v1.0/users?$select=id,givenName,surname,mail,preferredLanguage,externalUserState&$expand=appRoleAssignments($filter=resourceId eq ${resourceId} AND appRoleId eq ${appRole})

As you can see:

  • I get all my users
  • I expand my users with appRoleAssignments, which should give me the application assignments for each user and the specific details of each assignment
  • I apply a filter to restrict those assignments by resourceId AND appRoleId respectively

The call works, but I'm returned every user in my tenant, which is definitely not what I want. Preferably, I would like to get only the users returned that have access to my resourceId and are assigned a particular appRoleId.

CodePudding user response:

It's not possible using Graph API.

For example, if I want to get the users based on a license SkuId, you can use the below API:

https://graph.microsoft.com/v1.0/users?$count=true&$filter=assignedLicenses/any(s:s/skuId eq b05e124f-xxxx-xxxx-xxxx-8xxxxxxx)

And it provides the output, as the Assigned Licenses are a part of the same OData query.

[screenshot of the output omitted]

But if you try the same thing for the App Role Assignments, it errors out with the following:

[screenshot of the error message omitted]

This is because the User context and the AppRoleAssignments context lie in different OData contexts. So, when you are calling the query:

https://graph.microsoft.com/v1.0/users?$select=id,givenName,surname,mail,preferredLanguage,externalUserState&$expand=appRoleAssignments($filter=resourceId eq ${resourceId} AND appRoleId eq ${appRole})

The first part, up to the expand, succeeds and returns the value, but the second part, i.e. the filter on the app role assignments, doesn't work out, which is why you are getting the list of all users.

As a solution, you can use a PowerShell script for the same, using conditional parameters:

Connect-AzureAD

# Object id of the resource (service principal) whose app role assignments we want;
# placeholder value, replace with your own
$resourceId = 'a19d7xx-xxxx-xxxx-xxx-c48c4d991411'

# -All $true is required, otherwise only the first page of users is returned
$users = Get-AzureADUser -All $true
$Name = @()
foreach ($user in $users) {
    # All app role assignments of this user, reduced to those on the target resource
    $approles = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
        Where-Object { $_.ResourceId -eq $resourceId }
    foreach ($approle in $approles) {
        $deviceprops = [ordered] @{
            UserDisplayName = $approle.PrincipalDisplayName
        }
        $deviceobj = New-Object -TypeName PSObject -Property $deviceprops
        $Name += $deviceobj   # accumulate (the original assignment overwrote $Name on every hit)
    }
}
$Name

Output: [screenshot omitted]

Reference:

  • Get-AzureADUser
  • Get-AzureADUserAppRoleAssignment
  • Install AzureAD Module
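The script in the answer walks every user in the tenant and asks for each one's assignments, and it filters on the resource only, not on the role the question also asks for. The following is an added example (not code from the question, the answer, or Microsoft) that reads the same relationship from the other end: an appRoleAssignment is listed both on the user and on the service principal it targets, so Get-AzureADServiceAppRoleAssignment on the resource returns every assignment in one query, and the app role id (exposed as the Id property on those objects) can be filtered on the client. $resourceId and $appRoleId are placeholders you must replace with the service principal object id and the app role id from your own tenant.

```powershell
# Added example: list the users assigned a given app role on a given resource,
# starting from the service principal rather than from the user list.
Connect-AzureAD

$resourceId = '00000000-0000-0000-0000-000000000000'   # service principal object id (placeholder)
$appRoleId  = '00000000-0000-0000-0000-000000000000'   # app role id defined on that app (placeholder)

# Every assignment made TO this service principal, all pages (-All $true, or only 100 come back).
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $resourceId -All $true

# On these objects Id is the app role id and PrincipalId/PrincipalType say who holds it.
# Keep the requested role and direct user assignments only; a PrincipalType of 'Group'
# would need Get-AzureADGroupMember to expand to users.
$usersInRole = $assignments |
    Where-Object { $_.Id -eq $appRoleId -and $_.PrincipalType -eq 'User' } |
    ForEach-Object {
        $u = Get-AzureADUser -ObjectId $_.PrincipalId
        [pscustomobject]@{
            ObjectId          = $u.ObjectId
            DisplayName       = $_.PrincipalDisplayName
            Mail              = $u.Mail
            UserPrincipalName = $u.UserPrincipalName
            ExternalUserState = $u.UserState      # guest acceptance state, empty for members
        }
    }

$usersInRole | Format-Table -AutoSize
```

This issues one call for the assignment list plus one Get-AzureADUser per matching user, instead of one Get-AzureADUserAppRoleAssignment per user in the tenant, and it checks the role as well as the resource. Assignments granted through a group show up once with PrincipalType 'Group'; if your application relies on group assignment, expand those separately before treating the result as the full set of people who can reach the resource.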
