Microsoft Graph 登录审核日志 API：对于某些登录，内部用户显示为访客用户类型

Posted 2023-02-19

【中文标题】Microsoft Graph 登录审核日志 API：对于某些登录，内部用户显示为访客用户类型

【英文标题】：Microsoft Graph Sign-Ins Audit Logs API : Internal Users are shown as Guest User type for certain logins

【发布时间】：2021-11-06 05:20:20

【问题描述】：

我正在使用 MS Graph 登录 REST API 来检索来宾用户登录我的租户。但是我已经检索到某些登录，这些登录在用户类型属性中将内部用户显示为访客。 也吸收了 HomeTenantId 和 ResourceTenantId 也不同。

某些时候，在登录 Azure AD 门户时，会登录之前登录的租户的目录。在这种情况下，TenantId 可能不同，并且 userType 属性显示为 Guest。但对于 SharePoint，我不确定用户类型 guest

这有点令人困惑。关于内部用户为何显示为访客用户的任何想法

请求：https://graph.microsoft.com/beta/auditLogs/signIns

示例响应：

   "id": "$$$$$$",
"createdDateTime": "2021-08-29T10:22:06Z",
"userDisplayName": "user",
"userPrincipalName": "user@cortana.onmicrosoft.com",
"userId": "$$$$$",
"appId": "08e18876-6177-487e-b8b5-cf950c1e598c",
"appDisplayName": "SharePoint Online Web Client Extensibility",
"ipAddress": "$$$$$$",
"ipAddressFromResourceProvider": null,
"clientAppUsed": "",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"correlationId": "*********",
"conditionalAccessStatus": "notApplied",
"originalRequestId": "",
"isInteractive": true,
"tokenIssuerName": "",
"tokenIssuerType": "AzureAD",
"processingTimeInMilliseconds": 173,
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"riskEventTypes": [],
"riskEventTypes_v2": [],
"resourceDisplayName": "Office 365 SharePoint Online",
"resourceId": "$$$$$$$",
"resourceTenantId": "$$$$$$$$$",
"homeTenantId": "#########",
"authenticationMethodsUsed": [],
"authenticationRequirement": "singleFactorAuthentication",
"alternateSignInName": "",  "signInIdentifier": "",
"signInIdentifierType": null,
"servicePrincipalName": null,
"signInEventTypes": ["interactiveUser"],
"servicePrincipalId": "",
"userType": "guest", 
"flaggedForReview": false,
"isTenantRestricted": false,
"autonomousSystemNumber": 45609,
"crossTenantAccessType": "b2bCollaboration",
"servicePrincipalCredentialKeyId": null,
"servicePrincipalCredentialThumbprint": "",
"mfaDetail": null,
"status":          
    "errorCode": 0,
    "failureReason": "Other.",
    "additionalDetails": null   ,
"deviceDetail":        
    "deviceId": "",
    "displayName": "",
    "operatingSystem": "Windows 10",
    "browser": "Chrome 92.0.4515",
    "isCompliant": false,
    "isManaged": false,
    "trustType": ""
, "location": 
    "city": "Kallimandayam",
    "state": "Tamil Nadu",
    "countryOrRegion": "IN",
    "geoCoordinates": 
        "altitude": null,
        "latitude": "", 
        "longitude": "" 
    , "appliedConditionalAccessPolicies": [],
"authenticationProcessingDetails": [
        "key": "Login Hint Present",
        "value": "True"         ,
               
          "key": "User certificate authentication level",
        "value": "singleFactorAuthentication"          ],
"networkLocationDetails": [],
"authenticationDetails": [],
"authenticationRequirementPolicies": [],
"sessionLifetimePolicies": [], 
"privateLinkDetails":  
    "policyId": "",
    "policyName": "",
    "resourceId": "",
    "policyTenantId": ""  

【问题讨论】：

我可以重现您的情况。查看signIn resource type properties 上的文档，文档中不包含userType 字段。我建议您关注已记录的字段，因为 Beta API 尚未准备好。

【参考方案1】：

这是设计使然。这是一种预期的行为，考虑到当用户访问用户是来宾（邀请租户）的租户时，您也将在您的身边登录此身份验证。当用户作为访客被邀请到另一个目录时，用户将使用其主租户的凭据进行身份验证，如下面的链接中所述。

参考 - 由来宾用户的身份提供者执行身份验证 - https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-properties

【讨论】：

同意这个答案。检查活动字段"crossTenantAccessType"：（在您的情况下为"b2bCollaboration"）