appRoleAssignment resource type

Namespace: microsoft.graph

Used to record when a user, group, or service principal is assigned an app role for an app.

An app role assignment is a relationship between the assigned principal (a user, a group, or a service principal), a resource application (the app's service principal), and an app role defined on the resource application.

When the app role assigned to a principal has a non-empty value property, that value is included in the roles claim of tokens whose subject is the assigned principal (e.g. SAML responses, ID tokens, access tokens identifying a signed-in user, or an access token identifying a service principal). Applications and APIs use these claims as part of their authorization logic.

A user can be assigned an app role directly. If an app role is assigned to a group, direct members of the group are also considered to have been assigned the app role. When a user is assigned an app role for an application, a tile for that application is displayed in the user's MyApps portal and Microsoft 365 app launcher.

An app role assignment where the assigned principal is a service principal is an app-only permission grant. When a user or admin consents to an app-only permission, an app role assignment is created where the assigned principal is the service principal for the client application, and the resource is the target API's service principal.

Properties

| Property | Type | Description |
|---|---|---|
| id | String | A unique identifier for the appRoleAssignment key. Not nullable. Read-only. |
| createdDateTime | DateTimeOffset | The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| principalId | Guid | The unique identifier (id) for the user, group, or service principal being granted the app role. Required on create. |
| principalType | String | The type of the assigned principal. This can be User, Group, or ServicePrincipal. Read-only. |
| principalDisplayName | String | The display name of the user, group, or service principal that was granted the app role assignment. Read-only. Supports $filter (eq and startswith). |
| resourceId | Guid | The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only). |
| resourceDisplayName | String | The display name of the resource app's service principal to which the assignment is made. |
| appRoleId | Guid | The identifier (id) for the app role which is assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application has not declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |
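The paragraphs above make three claims that matter when reviewing assignments: only roles with a non-empty value reach the roles claim, group assignments flow to direct members, and an assignment whose principal is a service principal is an app-only grant. The following Python script is an added example, not code from the page or from Microsoft Graph; it works over constructed appRoleAssignment records in the JSON shape documented here and a constructed resource service principal. The appRoles entries use the id and value fields the page refers to; the displayName field on them, the principal identifiers, and the group-membership list are assumptions for illustration.

```python
"""Resolve appRoleAssignment records against the resource service principal's
appRoles, derive the resulting roles claim, and flag app-only and default-role
assignments. All data below is constructed sample data."""
from typing import Dict, List, Optional

# Sentinel documented for "assigned to the app without any specific app role".
DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed resource service principal. "displayName" on each role is assumed.
RESOURCE_SP = {
    "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "displayName": "Example Reporting API",
    "appRoles": [
        {"id": "11111111-1111-1111-1111-111111111111",
         "value": "Reports.Read.All", "displayName": "Read all reports"},
        {"id": "22222222-2222-2222-2222-222222222222",
         "value": "", "displayName": "Visibility only, emits no claim"},
    ],
}

# Constructed appRoleAssignment records (same fields as the JSON representation).
ASSIGNMENTS = [
    {"id": "assign-1", "createdDateTime": "2014-01-01T00:00:00Z",
     "principalDisplayName": "Alice", "principalId": "u-0001",
     "principalType": "User", "resourceDisplayName": "Example Reporting API",
     "resourceId": RESOURCE_SP["id"],
     "appRoleId": "22222222-2222-2222-2222-222222222222"},
    {"id": "assign-2", "createdDateTime": "2014-01-01T00:00:00Z",
     "principalDisplayName": "Analysts", "principalId": "g-0001",
     "principalType": "Group", "resourceDisplayName": "Example Reporting API",
     "resourceId": RESOURCE_SP["id"],
     "appRoleId": "11111111-1111-1111-1111-111111111111"},
    {"id": "assign-3", "createdDateTime": "2014-01-01T00:00:00Z",
     "principalDisplayName": "Nightly Export Job", "principalId": "sp-0001",
     "principalType": "ServicePrincipal", "resourceDisplayName": "Example Reporting API",
     "resourceId": RESOURCE_SP["id"],
     "appRoleId": "11111111-1111-1111-1111-111111111111"},
    {"id": "assign-4", "createdDateTime": "2014-01-01T00:00:00Z",
     "principalDisplayName": "Bob", "principalId": "u-0002",
     "principalType": "User", "resourceDisplayName": "Example Reporting API",
     "resourceId": RESOURCE_SP["id"],
     "appRoleId": DEFAULT_APP_ROLE_ID},
]


def index_app_roles(resource_sp: dict) -> Dict[str, dict]:
    """Map appRole id -> appRole for the resource service principal."""
    return {role["id"]: role for role in resource_sp.get("appRoles", [])}


def claim_value(assignment: dict, resource_sp: dict) -> Optional[str]:
    """Return the string this assignment contributes to the roles claim, or None.
    Raises ValueError if the assignment references a role the resource does not expose."""
    if assignment["resourceId"] != resource_sp["id"]:
        raise ValueError(f"{assignment['id']}: resourceId does not match {resource_sp['id']}")
    role_id = assignment["appRoleId"]
    if role_id == DEFAULT_APP_ROLE_ID:
        return None  # assigned to the app, but to no specific role
    role = index_app_roles(resource_sp).get(role_id)
    if role is None:
        raise ValueError(f"{assignment['id']}: appRoleId {role_id} is not exposed by the resource")
    return role["value"] or None  # an empty value never lands in a token


def roles_claim(principal_id: str, direct_group_ids: List[str],
                assignments: List[dict], resource_sp: dict) -> List[str]:
    """Roles claim for a principal: its direct assignments plus those of the
    groups it is a direct member of (the inheritance rule the page describes)."""
    subjects = {principal_id, *direct_group_ids}
    values = set()
    for assignment in assignments:
        if assignment["principalId"] in subjects:
            value = claim_value(assignment, resource_sp)
            if value:
                values.add(value)
    return sorted(values)


def app_only_grants(assignments: List[dict]) -> List[str]:
    """Assignment ids whose principal is a service principal: app-only permission grants."""
    return [a["id"] for a in assignments if a["principalType"] == "ServicePrincipal"]


def default_role_assignments(assignments: List[dict]) -> List[str]:
    """Assignment ids that use the all-zero default app role id."""
    return [a["id"] for a in assignments if a["appRoleId"] == DEFAULT_APP_ROLE_ID]


if __name__ == "__main__":
    print("Alice (member of g-0001):", roles_claim("u-0001", ["g-0001"], ASSIGNMENTS, RESOURCE_SP))
    print("App-only grants:", app_only_grants(ASSIGNMENTS))
    print("Default-role assignments:", default_role_assignments(ASSIGNMENTS))
```

Alice's direct assignment targets a role with an empty value, so on its own it yields no claim; her membership in the Analysts group is what puts Reports.Read.All into her token. The app-only list is the set an access review of non-human identities would start from, and the default-role list shows principals that are attached to the app without any specific role.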

JSON representation

Here is a JSON representation of the resource.

{
  "id": "string",
  "createdDateTime": "String (timestamp)",
  "principalDisplayName": "string",
  "principalId": "guid",
  "principalType": "string",
  "resourceDisplayName": "string",
  "resourceId": "guid",
  "appRoleId": "guid"
}