Microsoft Graph 登录审核日志 API:对于某些登录,内部用户显示为访客用户类型
Posted
技术标签:
【中文标题】Microsoft Graph 登录审核日志 API:对于某些登录,内部用户显示为访客用户类型【英文标题】:Microsoft Graph Sign-Ins Audit Logs API : Internal Users are shown as Guest User type for certain logins 【发布时间】:2021-11-06 05:20:20 【问题描述】:我正在使用 MS Graph 登录 REST API 来检索来宾用户登录我的租户。但是我已经检索到某些登录,这些登录在用户类型属性中将内部用户显示为访客。 也吸收了 HomeTenantId 和 ResourceTenantId 也不同。
某些时候,在登录 Azure AD 门户时,会登录之前登录的租户的目录。在这种情况下,TenantId 可能不同,并且 userType 属性显示为 Guest。但对于 SharePoint,我不确定用户类型 guest
这有点令人困惑。关于内部用户为何显示为访客用户的任何想法
请求:https://graph.microsoft.com/beta/auditLogs/signIns
示例响应:
"id": "$$$$$$",
"createdDateTime": "2021-08-29T10:22:06Z",
"userDisplayName": "user",
"userPrincipalName": "user@cortana.onmicrosoft.com",
"userId": "$$$$$",
"appId": "08e18876-6177-487e-b8b5-cf950c1e598c",
"appDisplayName": "SharePoint Online Web Client Extensibility",
"ipAddress": "$$$$$$",
"ipAddressFromResourceProvider": null,
"clientAppUsed": "",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"correlationId": "*********",
"conditionalAccessStatus": "notApplied",
"originalRequestId": "",
"isInteractive": true,
"tokenIssuerName": "",
"tokenIssuerType": "AzureAD",
"processingTimeInMilliseconds": 173,
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"riskEventTypes": [],
"riskEventTypes_v2": [],
"resourceDisplayName": "Office 365 SharePoint Online",
"resourceId": "$$$$$$$",
"resourceTenantId": "$$$$$$$$$",
"homeTenantId": "#########",
"authenticationMethodsUsed": [],
"authenticationRequirement": "singleFactorAuthentication",
"alternateSignInName": "", "signInIdentifier": "",
"signInIdentifierType": null,
"servicePrincipalName": null,
"signInEventTypes": ["interactiveUser"],
"servicePrincipalId": "",
"userType": "guest",
"flaggedForReview": false,
"isTenantRestricted": false,
"autonomousSystemNumber": 45609,
"crossTenantAccessType": "b2bCollaboration",
"servicePrincipalCredentialKeyId": null,
"servicePrincipalCredentialThumbprint": "",
"mfaDetail": null,
"status":
"errorCode": 0,
"failureReason": "Other.",
"additionalDetails": null ,
"deviceDetail":
"deviceId": "",
"displayName": "",
"operatingSystem": "Windows 10",
"browser": "Chrome 92.0.4515",
"isCompliant": false,
"isManaged": false,
"trustType": ""
, "location":
"city": "Kallimandayam",
"state": "Tamil Nadu",
"countryOrRegion": "IN",
"geoCoordinates":
"altitude": null,
"latitude": "",
"longitude": ""
, "appliedConditionalAccessPolicies": [],
"authenticationProcessingDetails": [
"key": "Login Hint Present",
"value": "True" ,
"key": "User certificate authentication level",
"value": "singleFactorAuthentication" ],
"networkLocationDetails": [],
"authenticationDetails": [],
"authenticationRequirementPolicies": [],
"sessionLifetimePolicies": [],
"privateLinkDetails":
"policyId": "",
"policyName": "",
"resourceId": "",
"policyTenantId": ""
【问题讨论】:
我可以重现您的情况。查看signIn resource type properties 上的文档,文档中不包含userType
字段。我建议您关注已记录的字段,因为 Beta API 尚未准备好。
【参考方案1】:
这是设计使然。这是一种预期的行为,考虑到当用户访问用户是来宾(邀请租户)的租户时,您也将在您的身边登录此身份验证。当用户作为访客被邀请到另一个目录时,用户将使用其主租户的凭据进行身份验证,如下面的链接中所述。
参考 - 由来宾用户的身份提供者执行身份验证 - https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-properties
【讨论】:
同意这个答案。检查活动字段"crossTenantAccessType"
:(在您的情况下为"b2bCollaboration"
)以上是关于Microsoft Graph 登录审核日志 API:对于某些登录,内部用户显示为访客用户类型的主要内容,如果未能解决你的问题,请参考以下文章
Microsoft Graph API - 列出用户登录的所有权限/范围
使用 microsoft graph api c# 创建在线会议时出现 404 错误,但未登录 AzureActiveDirectory
为啥大多数 Microsoft Graph 功能仅限于用户访问
AWS Amplify SPA React + Cognito(已启用 Microsoft Azure Ad Enterprise SSO)+ Microsoft Graph API