如何访问Azure APIM策略中的Active Directory用户/组?
我已将Azure Active Directory身份提供程序添加到我的APIM(从另一个租户中的AAD).
I have added an Azure Active Directory Identity Provider to my APIM (from an AAD in a different tenant).
我已经使用它成功地将Azure Active Directory组添加到我的APIM.
I have used that to successful add an Azure Active Directory Group to my APIM.
我现在要检查用户是否属于该组.
I now want to check if the user is part of that group.
当我使用APIM用户/组时,可以使用此策略进行检查,但是当我使用Active Directory时,此策略始终失败,并显示401.
When I use APIM Users/Groups I can do that check with this policy, but when I use Active Directory this policy always fails with a 401.
<policies>
<inbound>
<choose>
<when condition="@(context.User.Groups.Select(g => g.Name).Contains("org1"))">
<set-backend-service base-url="https://abc-apim.azure-api.net/org1app" />
</when>
<when condition="@(context.User.Groups.Select(g => g.Name).Contains("org2"))">
<set-backend-service base-url="https://abc-apim.azure-api.net/org2app" />
</when>
<otherwise>
<return-response>
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="Invalid user group"</value>
</set-header>
</return-response>
</otherwise>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
该策略应如何检查用户是否属于Active Directory中的组?
What should the policy look like to check if the user belongs to a group in Active Directory?
APIM默认不会拉入所有AAD组.有权访问APIM中的AAD组成员身份的唯一方法是将AAD组添加到APIM:
APIM will not pull in all AAD groups by default. The only way to have access to AAD group membership in APIM is to add AAD group to APIM: https://docs.microsoft.com/bs-cyrl-ba/azure/api-management/api-management-howto-aad#add-an-external-azure-ad-group That way you'll create mapping between APIM group and AAD group.