使用 Microsoft Graph 管理 Azure AD B2CManage Azure AD B2C with Microsoft Graph

利用 Microsoft Graph,你可以管理 Azure AD B2C 租户中的许多资源,包括客户用户帐户和自定义策略。Microsoft Graph allows you to manage many of the resources within your Azure AD B2C tenant, including customer user accounts and custom policies. 通过编写调用 Microsoft Graph API 的脚本或应用程序,你可以自动执行租户管理任务,例如:By writing scripts or applications that call the Microsoft Graph API, you can automate tenant management tasks like:

  • 将现有用户存储迁移到 Azure AD B2C 租户Migrate an existing user store to an Azure AD B2C tenant
  • 使用 Azure DevOps 中的 Azure 管道部署自定义策略,以及管理自定义策略密钥Deploy custom policies with an Azure Pipeline in Azure DevOps, and manage custom policy keys
  • 在你自己的页面上托管用户注册,并在后台在 Azure AD B2C 目录中创建用户帐户Host user registration on your own page, and create user accounts in your Azure AD B2C directory behind the scenes
  • 自动执行应用程序注册Automate application registration
  • 获取审核日志Obtain audit logs

以下各部分可帮助你为使用 Microsoft Graph API 自动管理 Azure AD B2C 目录中的资源做准备。The following sections help you prepare for using the Microsoft Graph API to automate the management of resources in your Azure AD B2C directory.

Microsoft Graph API 交互模式Microsoft Graph API interaction modes

使用 Microsoft Graph API 管理 Azure AD B2C 租户中的资源时,可以使用两种通信模式:There are two modes of communication you can use when working with the Microsoft Graph API to manage resources in your Azure AD B2C tenant:

  • 交互式 - 适用于运行一次的任务,你可以使用 B2C 租户中的管理员帐户执行管理任务。Interactive - Appropriate for run-once tasks, you use an administrator account in the B2C tenant to perform the management tasks. 此模式要求管理员在调用 Microsoft Graph API 之前使用其凭据进行登录。This mode requires an administrator to sign in using their credentials before calling the Microsoft Graph API.

  • 自动化 - 对于计划的或连续运行的任务,此方法使用你为其配置了执行管理任务所需权限的服务帐户。Automated - For scheduled or continuously run tasks, this method uses a service account that you configure with the permissions required to perform management tasks. 通过以下方式在 Azure AD B2C 中创建“服务帐户”:注册一个应用程序,并让你的应用程序和脚本使用其应用程序(客户端)ID 和 OAuth 2.0 客户端凭据授权通过该应用程序进行身份验证。You create the "service account" in Azure AD B2C by registering an application that your applications and scripts use for authenticating using its Application (Client) ID and the OAuth 2.0 client credentials grant. 在这种情况下,应用程序以自己的身份调用 Microsoft Graph API,而不是如前面的交互方式中所述使用管理员用户的身份。In this case, the application acts as itself to call the Microsoft Graph API, not the administrator user as in the previously described interactive method.

可以通过创建以下各部分中所示的应用程序注册来启用 自动化 交互方案。You enable the Automated interaction scenario by creating an application registration shown in the following sections.

尽管 Azure AD B2C 身份验证服务目前不直接支持 OAuth 2.0 客户端凭据授权流,但你可以使用 Azure AD 和 Microsoft 标识平台/令牌终结点为 Azure AD B2C 租户中的应用程序设置客户端凭据流。Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. Azure AD B2C 租户与 Azure AD 企业租户共享某些功能。An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.

注册管理应用程序Register management application

你必须先在 Azure AD B2C 租户中创建授予所需 API 权限的应用程序注册,你的脚本和应用程序才能与 Microsoft Graph API 进行交互来管理 Azure AD B2C 资源。Before your scripts and applications can interact with the Microsoft Graph API to manage Azure AD B2C resources, you need to create an application registration in your Azure AD B2C tenant that grants the required API permissions.

  1. 登录到 Azure 门户Sign in to the Azure portal.
  2. 在门户工具栏中选择“目录 + 订阅”图标,然后选择包含 Azure AD B2C 租户的目录。Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
  3. 在 Azure 门户中,搜索并选择“Azure AD B2C”。In the Azure portal, search for and select Azure AD B2C.
  4. 选择“应用注册”,然后选择“新建注册” 。Select App registrations, and then select New registration.
  5. 输入应用程序的“名称”。Enter a Name for the application. 例如,managementapp1For example, managementapp1.
  6. 选择“仅此组织目录中的帐户”。Select Accounts in this organizational directory only.
  7. 在“权限”下,清除“授予对 openid 和 office_access 权限的管理员许可”复选框。Under Permissions, clear the Grant admin consent to openid and offline_access permissions check box.
  8. 选择“注册”。Select Register.
  9. 记下应用“概述”页上显示的“应用程序(客户端) ID”。Record the Application (client) ID that appears on the application overview page. 在稍后的步骤中会使用此值。You use this value in a later step.

授予 API 访问权限Grant API access

接下来,向已注册的应用程序授予权限,以允许其通过调用 Microsoft Graph API 来操作租户资源。Next, grant the registered application permissions to manipulate tenant resources through calls to the Microsoft Graph API.

  1. 在“管理”下选择“API 权限”。Under Manage, select API permissions.
  2. 在“已配置权限”下,选择“添加权限”。Under Configured permissions, select Add a permission.
  3. 选择“Microsoft API”选项卡,然后选择“Microsoft Graph”。 Select the Microsoft APIs tab, then select Microsoft Graph.
  4. 选择“应用程序权限”。Select Application permissions.
  5. 展开相应的权限组,选中要将其授予管理应用程序的权限的复选框。Expand the appropriate permission group and select the check box of the permission to grant to your management application. 例如:For example:
    • AuditLog > AuditLog.Read.All:用于读取目录的审核日志。AuditLog > AuditLog.Read.All: For reading the directory's audit logs.
    • Directory > Directory.ReadWrite.All:适用于用户迁移或用户管理方案。Directory > Directory.ReadWrite.All: For user migration or user management scenarios.
    • Policy > Policy.ReadWrite.TrustFramework:适用于持续集成/持续交付 (CI/CD) 方案。Policy > Policy.ReadWrite.TrustFramework: For continuous integration/continuous delivery (CI/CD) scenarios. 例如,使用 Azure Pipelines 进行的自定义策略部署。For example, custom policy deployment with Azure Pipelines.
  6. 选择“添加权限”。Select Add permissions. 按照指示等待几分钟,然后继续下一步。As directed, wait a few minutes before proceeding to the next step.
  7. 选择“向(租户名称)授予管理员许可”。Select Grant admin consent for (your tenant name).
  8. 如果当前没有使用全局管理员帐户登录,请使用至少分配了“云应用程序管理员”角色的 Azure AD B2C 租户中的帐户登录,然后选择“代表(你的租户名称)授予管理员许可”。If you are not currently signed-in with Global Administrator account, sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role and then select Grant admin consent for (your tenant name).
  9. 选择“刷新”,然后验证“状态”下是否显示“已授予...”。 Select Refresh, and then verify that "Granted for ..." appears under Status. 传播权限可能需要几分钟时间。It might take a few minutes for the permissions to propagate.

创建客户端机密Create client secret

  1. 在“管理”下,选择“证书和机密”。 Under Manage, select Certificates & secrets.
  2. 选择“新建客户端机密”。Select New client secret.
  3. 在“说明”框中输入客户端机密的说明。Enter a description for the client secret in the Description box. 例如,clientsecret1For example, clientsecret1.
  4. 在“过期时间”下,选择机密持续生效的时间,然后选择“添加”。Under Expires, select a duration for which the secret is valid, and then select Add.
  5. 记下机密的“值”。Record the secret's Value. 将该值用于后面的一个步骤中的配置。You use this value for configuration in a later step.

现在,你有了一个有权限在 Azure AD B2C 租户中创建、读取、更新和删除用户的应用程序。 You now have an application that has permission to create, read, update, and delete users in your Azure AD B2C tenant. 前进到下一部分,添加“密码更新”权限。Continue to the next section to add password update permissions.

启用用户删除和密码更新Enable user delete and password update

“读取和写入目录数据”权限 包括删除用户或更新用户帐户密码的能力。The Read and write directory data permission does NOT include the ability delete users or update user account passwords.

如果你的应用程序或脚本需要删除用户或更新其密码,请将“用户管理员”角色分配给你的应用程序:If your application or script needs to delete users or update their passwords, assign the User administrator role to your application:

  1. 登录到 Azure 门户,使用“目录 + 订阅”筛选器切换到你的 Azure AD B2C 租户。Sign in to the Azure portal and use the Directory + Subscription filter to switch to your Azure AD B2C tenant.
  2. 搜索并选择“Azure AD B2C”。Search for and select Azure AD B2C.
  3. 在“管理”下,选择“角色和管理员”。 Under Manage, select Roles and administrators.
  4. 选择“用户管理员”角色。Select the User administrator role.
  5. 选择“添加分配”。Select Add assignments.
  6. 在“选择”文本框中,输入前面注册的应用程序的名称,例如 managementapp1In the Select text box, enter the name of the application you registered earlier, for example, managementapp1. 该应用程序显示在搜索结果中后,请将它选中。Select your application when it appears in the search results.
  7. 选择“添加” 。Select Add. 可能需要几分钟才能完全传播权限。It might take a few minutes to for the permissions to fully propagate.

后续步骤Next steps

现在,你已注册了管理应用程序并向其授予了所需的权限,你的应用程序和服务(例如 Azure Pipelines)现在可以使用其凭据和权限与 Microsoft Graph API 进行交互。Now that you've registered your management application and have granted it the required permissions, your applications and services (for example, Azure Pipelines) can use its credentials and permissions to interact with the Microsoft Graph API.