Manage custom security attribute assignments
Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources through Azure attribute-based access control (Azure ABAC).
Custom security attributes are supported only for users and service principals. This article provides examples of how to assign, update, list, or remove different types of custom security attributes for users and applications using Microsoft Graph.
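// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                // "Engineering" is the attribute set. Keys such as "@odata.type" cannot be
                // expressed as anonymous-type properties, so the set is an UntypedObject.
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    { "ProjectDate", new UntypedString("2022-10-01") },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
// The attribute set is an untyped JSON object keyed by attribute name.
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
engineering.put("ProjectDate", new UntypedString("2022-10-01"));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);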
Example 2: Assign a custom security attribute with a string value to a service principal
The following example shows how to use the update servicePrincipal API to assign a custom security attribute with a string value to a service principal.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new ServicePrincipal
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                // Attribute set "Engineering", built as an UntypedObject so the
                // "@odata.type" key is sent verbatim.
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    { "ProjectDate", new UntypedString("2022-10-01") },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
// The attribute set is an untyped JSON object keyed by attribute name.
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
engineering.put("ProjectDate", new UntypedString("2022-10-01"));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
servicePrincipal.setCustomSecurityAttributes(customSecurityAttributes);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
Example 3: Assign a custom security attribute with a multi-string value to a user
The following example shows how to use the update user API to assign a custom security attribute with a multi-string value to a user.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // A multi-valued string attribute needs its collection type annotation.
                    { "Project@odata.type", new UntypedString("#Collection(String)") },
                    { "Project", new UntypedArray(new List<UntypedNode>
                        {
                            new UntypedString("Baker"),
                            new UntypedString("Cascade"),
                        })
                    },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// A multi-valued string attribute needs its collection type annotation.
engineering.put("Project@odata.type", new UntypedString("#Collection(String)"));
LinkedList<UntypedNode> project = new LinkedList<UntypedNode>();
project.add(new UntypedString("Baker"));
project.add(new UntypedString("Cascade"));
engineering.put("Project", new UntypedArray(project));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // An integer attribute carries an explicit #Int32 type annotation.
                    { "NumVendors@odata.type", new UntypedString("#Int32") },
                    { "NumVendors", new UntypedInteger(4) },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// An integer attribute carries an explicit #Int32 type annotation.
engineering.put("NumVendors@odata.type", new UntypedString("#Int32"));
engineering.put("NumVendors", new UntypedInteger(4));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
Example 5: Assign a custom security attribute with a multi-integer value to a user
The following example shows how to use the update user API to assign a custom security attribute with a multi-integer value to a user.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // A multi-valued integer attribute is annotated as a collection of Int32.
                    { "CostCenter@odata.type", new UntypedString("#Collection(Int32)") },
                    { "CostCenter", new UntypedArray(new List<UntypedNode>
                        {
                            new UntypedInteger(1001),
                            new UntypedInteger(1003),
                        })
                    },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// A multi-valued integer attribute is annotated as a collection of Int32.
engineering.put("CostCenter@odata.type", new UntypedString("#Collection(Int32)"));
LinkedList<UntypedNode> costCenter = new LinkedList<UntypedNode>();
costCenter.add(new UntypedInteger(1001));
costCenter.add(new UntypedInteger(1003));
engineering.put("CostCenter", new UntypedArray(costCenter));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // A Boolean attribute is sent as a plain JSON true/false.
                    { "Certification", new UntypedBoolean(true) },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// A Boolean attribute is sent as a plain JSON true/false.
engineering.put("Certification", new UntypedBoolean(true));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
Update custom security attribute assignments
Example 1: Update a custom security attribute assignment with an integer value for a user
The following example shows how to use the update user API to update a custom security attribute assignment with an integer value for a user.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // Updating uses the same shape as assigning: the new value replaces the old one.
                    { "NumVendors@odata.type", new UntypedString("#Int32") },
                    { "NumVendors", new UntypedInteger(8) },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// Updating uses the same shape as assigning: the new value replaces the old one.
engineering.put("NumVendors@odata.type", new UntypedString("#Int32"));
engineering.put("NumVendors", new UntypedInteger(8));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
Example 2: Update a custom security attribute assignment with a Boolean value for a user
The following example shows how to use the update user API to update a custom security attribute assignment with a Boolean value for a user.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // The new Boolean value replaces the existing assignment.
                    { "Certification", new UntypedBoolean(false) },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// The new Boolean value replaces the existing assignment.
engineering.put("Certification", new UntypedBoolean(false));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
GET https://graph.microsoft.com/v1.0/users/{id}?$select=customSecurityAttributes
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].GetAsync((requestConfiguration) =>
{
    requestConfiguration.QueryParameters.Select = new string []{ "customSecurityAttributes" };
});

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User result = graphClient.users().byUserId("{user-id}").get(requestConfiguration -> {
    requestConfiguration.queryParameters.select = new String []{"customSecurityAttributes"};
});
If no custom security attributes are assigned to the user, or if the calling principal doesn't have access, you receive the following response:
Example 2: List all users with a custom security attribute assignment that equals a value
The following example shows how to use the list users API to list all users with a custom security attribute assignment that equals a value. The example retrieves users with a custom security attribute named AppCountry with a value that equals Canada. The filter value is case sensitive. You must add ConsistencyLevel=eventual in the request or the header. You must also include $count=true to ensure the request is routed correctly.
GET https://graph.microsoft.com/v1.0/users?$count=true&$select=id,displayName,customSecurityAttributes&$filter=customSecurityAttributes/Marketing/AppCountry eq 'Canada'
ConsistencyLevel: eventual
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users.GetAsync((requestConfiguration) =>
{
    requestConfiguration.QueryParameters.Count = true;
    requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","customSecurityAttributes" };
    requestConfiguration.QueryParameters.Filter = "customSecurityAttributes/Marketing/AppCountry eq 'Canada'";
    requestConfiguration.Headers.Add("ConsistencyLevel", "eventual");
});

// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc users list --filter "customSecurityAttributes/Marketing/AppCountry eq 'Canada'" --count "true" --select "id,displayName,customSecurityAttributes" --consistency-level "eventual"

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UserCollectionResponse result = graphClient.users().get(requestConfiguration -> {
    requestConfiguration.queryParameters.count = true;
    requestConfiguration.queryParameters.select = new String []{"id", "displayName", "customSecurityAttributes"};
    requestConfiguration.queryParameters.filter = "customSecurityAttributes/Marketing/AppCountry eq 'Canada'";
    requestConfiguration.headers.add("ConsistencyLevel", "eventual");
});
Example 3: List all users with a custom security attribute assignment that starts with a value
The following example shows how to use the list users API to list all users with a custom security attribute assignment that starts with a value. The example retrieves users with a custom security attribute named EmployeeId with a value that starts with GS. The filter value is case sensitive. You must add ConsistencyLevel=eventual in the request or the header. You must also include $count=true to ensure the request is routed correctly.
GET https://graph.microsoft.com/v1.0/users?$count=true&$select=id,displayName,customSecurityAttributes&$filter=startsWith(customSecurityAttributes/Marketing/EmployeeId,'GS')
ConsistencyLevel: eventual
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users.GetAsync((requestConfiguration) =>
{
    requestConfiguration.QueryParameters.Count = true;
    requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","customSecurityAttributes" };
    requestConfiguration.QueryParameters.Filter = "startsWith(customSecurityAttributes/Marketing/EmployeeId,'GS')";
    requestConfiguration.Headers.Add("ConsistencyLevel", "eventual");
});

// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc users list --filter "startsWith(customSecurityAttributes/Marketing/EmployeeId,'GS')" --count "true" --select "id,displayName,customSecurityAttributes" --consistency-level "eventual"

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UserCollectionResponse result = graphClient.users().get(requestConfiguration -> {
    requestConfiguration.queryParameters.count = true;
    requestConfiguration.queryParameters.select = new String []{"id", "displayName", "customSecurityAttributes"};
    requestConfiguration.queryParameters.filter = "startsWith(customSecurityAttributes/Marketing/EmployeeId,'GS')";
    requestConfiguration.headers.add("ConsistencyLevel", "eventual");
});
Example 4: List all users with a custom security attribute assignment that doesn't equal a value
The following example shows how to use the list users API to list all users with a custom security attribute assignment that doesn't equal a value. The example retrieves users with a custom security attribute named AppCountry with a value that doesn't equal Canada. The filter value is case sensitive. You must add ConsistencyLevel=eventual in the request or the header. You must also include $count=true to ensure the request is routed correctly.
GET https://graph.microsoft.com/v1.0/users?$count=true&$select=id,displayName,customSecurityAttributes&$filter=customSecurityAttributes/Marketing/AppCountry ne 'Canada'
ConsistencyLevel: eventual
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users.GetAsync((requestConfiguration) =>
{
    requestConfiguration.QueryParameters.Count = true;
    requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","customSecurityAttributes" };
    requestConfiguration.QueryParameters.Filter = "customSecurityAttributes/Marketing/AppCountry ne 'Canada'";
    requestConfiguration.Headers.Add("ConsistencyLevel", "eventual");
});

// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc users list --filter "customSecurityAttributes/Marketing/AppCountry ne 'Canada'" --count "true" --select "id,displayName,customSecurityAttributes" --consistency-level "eventual"

// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UserCollectionResponse result = graphClient.users().get(requestConfiguration -> {
    requestConfiguration.queryParameters.count = true;
    requestConfiguration.queryParameters.select = new String []{"id", "displayName", "customSecurityAttributes"};
    requestConfiguration.queryParameters.filter = "customSecurityAttributes/Marketing/AppCountry ne 'Canada'";
    requestConfiguration.headers.add("ConsistencyLevel", "eventual");
});
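
The three list filters above differ only in the operator and the value. The following Python sketch is an added example, not part of the original article or of any Microsoft SDK: it builds those filters from caller-supplied input, doubling single quotes so the value stays one OData string literal. The function names and the name pattern are assumptions made for the example.

```python
import re
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# Assumption for this example: attribute set and attribute names are short
# alphanumeric identifiers; anything else is rejected rather than escaped.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def odata_string(value):
    """Quote a value as an OData string literal ('' escapes a single quote)."""
    if not isinstance(value, str):
        raise TypeError("filter value must be a string")
    return "'" + value.replace("'", "''") + "'"


def build_filter(attribute_set, attribute, op, value):
    """Build the $filter expression for eq, ne or startsWith."""
    for part in (attribute_set, attribute):
        if not NAME_RE.fullmatch(part):
            raise ValueError(f"invalid name: {part!r}")
    path = f"customSecurityAttributes/{attribute_set}/{attribute}"
    literal = odata_string(value)  # the value is case sensitive, keep it as given
    if op in ("eq", "ne"):
        return f"{path} {op} {literal}"
    if op == "startsWith":
        return f"startsWith({path},{literal})"
    raise ValueError(f"unsupported operator: {op!r}")


def build_list_request(attribute_set, attribute, op, value):
    """Return (url, headers) for the list users call."""
    flt = build_filter(attribute_set, attribute, op, value)
    query = "&".join([
        "$count=true",  # required so the request is routed correctly
        "$select=id,displayName,customSecurityAttributes",
        "$filter=" + quote(flt, safe="/(),"),
    ])
    return f"{GRAPH_USERS}?{query}", {"ConsistencyLevel": "eventual"}


if __name__ == "__main__":
    url, headers = build_list_request("Marketing", "AppCountry", "eq", "Canada")
    print(url)
    print(headers)
```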
Remove custom security attribute assignments
Example 1: Remove a single-valued custom security attribute assignment from a user
The following example shows how to use the update user API to remove a custom security attribute assignment that supports a single value from a user.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // An explicit JSON null removes the single-valued assignment.
                    { "ProjectDate", new UntypedNull() },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// An explicit JSON null removes the single-valued assignment.
engineering.put("ProjectDate", new UntypedNull());
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
Example 2: Remove a multi-valued custom security attribute assignment from a user
The following example shows how to use the update user API to remove a custom security attribute assignment that supports multiple values from a user.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new User
{
    CustomSecurityAttributes = new CustomSecurityAttributeValue
    {
        AdditionalData = new Dictionary<string, object>
        {
            {
                "Engineering", new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    { "@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue") },
                    // An empty collection removes the multi-valued assignment.
                    { "Project", new UntypedArray(new List<UntypedNode>()) },
                })
            },
        },
    },
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

// Code snippets are only available for the latest version. Current version is 6.x
// Dependencies
import com.microsoft.graph.models.*;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.kiota.serialization.*;
import java.util.*;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
User user = new User();
CustomSecurityAttributeValue customSecurityAttributes = new CustomSecurityAttributeValue();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
HashMap<String, UntypedNode> engineering = new HashMap<String, UntypedNode>();
engineering.put("@odata.type", new UntypedString("#Microsoft.DirectoryServices.CustomSecurityAttributeValue"));
// An empty collection removes the multi-valued assignment.
LinkedList<UntypedNode> project = new LinkedList<UntypedNode>();
engineering.put("Project", new UntypedArray(project));
additionalData.put("Engineering", new UntypedObject(engineering));
customSecurityAttributes.setAdditionalData(additionalData);
user.setCustomSecurityAttributes(customSecurityAttributes);
User result = graphClient.users().byUserId("{user-id}").patch(user);
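
The assign, update and remove requests in this article all send the same JSON shape; only the type annotation changes with the value type. The following Python sketch is an added example, not part of the original article or of any Microsoft SDK: it generalizes the cases shown (string, integer, Boolean, collections, and both removal forms) into one builder for the PATCH body. The function names build_attribute_set and build_patch_body are hypothetical.

```python
import json

CSA_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def check_int32(name, value):
    """Reject integers the #Int32 annotation cannot represent."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError(f"{name}: {value} does not fit in Int32")


def build_attribute_set(values):
    """Return the JSON object for one attribute set.

    values maps attribute name -> str | int | bool | list[str] | list[int] | None.
    None removes a single-valued assignment; [] removes a multi-valued one.
    """
    body = {"@odata.type": CSA_TYPE}
    for name, value in values.items():
        if value is None or isinstance(value, (bool, str)):
            # bool is handled before int because bool is a subclass of int
            # and must not receive the #Int32 annotation.
            body[name] = value
        elif isinstance(value, int):
            check_int32(name, value)
            body[f"{name}@odata.type"] = "#Int32"
            body[name] = value
        elif isinstance(value, list):
            if not value:
                body[name] = []  # removal of a multi-valued assignment
            elif all(isinstance(v, str) for v in value):
                body[f"{name}@odata.type"] = "#Collection(String)"
                body[name] = list(value)
            elif all(isinstance(v, int) and not isinstance(v, bool) for v in value):
                for v in value:
                    check_int32(name, v)
                body[f"{name}@odata.type"] = "#Collection(Int32)"
                body[name] = list(value)
            else:
                raise TypeError(f"{name}: list must hold only str or only int")
        else:
            raise TypeError(f"{name}: unsupported type {type(value).__name__}")
    return body


def build_patch_body(attribute_sets):
    """Return the full PATCH body: attribute set name -> attribute values."""
    return {
        "customSecurityAttributes": {
            set_name: build_attribute_set(values)
            for set_name, values in attribute_sets.items()
        }
    }


if __name__ == "__main__":
    # Constructed sample using the attribute names from the examples above.
    sample = {"Engineering": {"Project": ["Baker", "Cascade"], "NumVendors": 4,
                              "Certification": True, "ProjectDate": None}}
    print(json.dumps(build_patch_body(sample), indent=2))
```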