管理应用程序身份验证操作

项目
03/21/2024

应用程序对象的 authenticationBehaviors 属性允许配置与令牌颁发相关的中断性变更行为。应用程序可以通过启用行为来采用新的中断性变更 (将行为设置为 true) ，或者通过将行为设置为 false) 来禁用它 (来继续使用预先存在的行为。

注意

应用程序对象的 authenticationBehaviors 属性当前仅在中 beta 。

读取应用程序的 authenticationBehaviors 设置

authenticationBehaviors 属性仅在请求上$select返回，如下所示。

若要读取租户中所有应用的属性和其他指定属性，请运行以下示例请求。请求返回 200 OK 仅显示所选属性的应用程序对象的响应代码和 JSON 表示形式。

GET https://graph.microsoft.com/beta/applications?$select=id,displayName,appId,authenticationBehaviors


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","appId","authenticationBehaviors" };
});



mgc-beta applications list --select "id,displayName,appId,authenticationBehaviors"



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphapplications "github.com/microsoftgraph/msgraph-beta-sdk-go/applications"
	  //other-imports
)

requestParameters := &graphapplications.ApplicationsRequestBuilderGetQueryParameters{
	Select: [] string {"id","displayName","appId","authenticationBehaviors"},
}
configuration := &graphapplications.ApplicationsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ApplicationCollectionResponse result = graphClient.applications().get(requestConfiguration -> {
	requestConfiguration.queryParameters.select = new String []{"id", "displayName", "appId", "authenticationBehaviors"};
});


const options = {
	authProvider,
};

const client = Client.init(options);

let applications = await client.api('/applications')
	.version('beta')
	.select('id,displayName,appId,authenticationBehaviors')
	.get();


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Applications\ApplicationsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ApplicationsRequestBuilderGetRequestConfiguration();
$queryParameters = ApplicationsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->select = ["id","displayName","appId","authenticationBehaviors"];
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->applications()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Beta.Applications

Get-MgBetaApplication -Property "id,displayName,appId,authenticationBehaviors"


from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.applications.applications_request_builder import ApplicationsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration

graph_client = GraphServiceClient(credentials, scopes)

query_params = ApplicationsRequestBuilder.ApplicationsRequestBuilderGetQueryParameters(
		select = ["id","displayName","appId","authenticationBehaviors"],
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.applications.get(request_configuration = request_configuration)

若要仅读取单个应用的 authenticationBehaviors 属性，请运行以下示例请求。

GET https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

let authenticationBehaviors = await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.get();

Snippet not available

Snippet not available

Snippet not available

还可以使用 appId 属性，如下所示：

GET https://graph.microsoft.com/beta/applications(appId='37bf1fd4-78b0-4fea-ac2d-6c82829e9365')/authenticationBehaviors

阻止向未经验证的域所有者发出电子邮件声明

如 Microsoft 安全公告Microsoft Entra应用程序中特权提升的潜在风险中所述，应用绝不应将电子邮件声明用于授权目的。如果应用程序将电子邮件声明用于授权或主要用户标识目的，则会受到帐户和特权提升攻击。在以下情况下，特别会发现这种未经授权的访问风险：

当用户对象的 mail 属性包含具有未经验证的域所有者的电子邮件地址时
对于多租户应用，其中一个租户中的用户可以通过修改其邮件属性来升级其权限以访问另一个租户中的资源

有关在租户中识别这些情况的详细信息，请参阅迁移，不使用电子邮件声明进行用户标识或授权。

目前，默认行为是在声明中删除具有未经验证的域所有者的电子邮件地址，但单租户应用和多租户应用除外，这些应用以前具有未验证电子邮件的登录活动。如果你的应用属于上述任一例外，并且你想要删除未经验证的电子邮件地址，请将 authenticationBehaviors 的 removeUnverifiedEmailClaim 属性设置为 true ，如以下示例所示。请求会返回 204 No Content 响应代码。

从声明中删除具有未经验证的域所有者的电子邮件地址

选项 1

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors
Content-Type: application/json

{
    "removeUnverifiedEmailClaim": true
}

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const authenticationBehaviors = {
    removeUnverifiedEmailClaim: true
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.update(authenticationBehaviors);

Snippet not available

Snippet not available

Snippet not available

选项 2

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e
Content-Type: application/json

{
    "authenticationBehaviors": {
        "removeUnverifiedEmailClaim": true
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	AuthenticationBehaviors = new AuthenticationBehaviors
	{
		RemoveUnverifiedEmailClaim = true,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



mgc-beta applications patch --application-id {application-id} --body '{\
    "authenticationBehaviors": {\
        "removeUnverifiedEmailClaim": true\
    }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := true
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim) 
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(true);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    authenticationBehaviors: {
        removeUnverifiedEmailClaim: true
    }
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationBehaviors;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(true);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	authenticationBehaviors = @{
		removeUnverifiedEmailClaim = $true
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.authentication_behaviors import AuthenticationBehaviors

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	authentication_behaviors = AuthenticationBehaviors(
		remove_unverified_email_claim = True,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

接受声明中未经验证的域所有者的电子邮件地址

选项 1

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors
Content-Type: application/json

{
    "removeUnverifiedEmailClaim": false
}

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const authenticationBehaviors = {
    removeUnverifiedEmailClaim: false
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.update(authenticationBehaviors);

Snippet not available

Snippet not available

Snippet not available

选项 2

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e
Content-Type: application/json

{
    "authenticationBehaviors": {
        "removeUnverifiedEmailClaim": false
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	AuthenticationBehaviors = new AuthenticationBehaviors
	{
		RemoveUnverifiedEmailClaim = false,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



mgc-beta applications patch --application-id {application-id} --body '{\
    "authenticationBehaviors": {\
        "removeUnverifiedEmailClaim": false\
    }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := false
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim) 
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(false);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    authenticationBehaviors: {
        removeUnverifiedEmailClaim: false
    }
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationBehaviors;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(false);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	authenticationBehaviors = @{
		removeUnverifiedEmailClaim = $false
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.authentication_behaviors import AuthenticationBehaviors

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	authentication_behaviors = AuthenticationBehaviors(
		remove_unverified_email_claim = False,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

还原默认行为

选项 1

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors
Content-Type: application/json

{
    "removeUnverifiedEmailClaim": null
}

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const authenticationBehaviors = {
    removeUnverifiedEmailClaim: null
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.update(authenticationBehaviors);

Snippet not available

Snippet not available

Snippet not available

选项 2

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/
Content-Type: application/json

{
    "authenticationBehaviors": {
        "removeUnverifiedEmailClaim": null
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	AuthenticationBehaviors = new AuthenticationBehaviors
	{
		RemoveUnverifiedEmailClaim = null,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



mgc-beta applications patch --application-id {application-id} --body '{\
    "authenticationBehaviors": {\
        "removeUnverifiedEmailClaim": null\
    }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := null
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim) 
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(null);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    authenticationBehaviors: {
        removeUnverifiedEmailClaim: null
    }
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Application;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationBehaviors;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(null);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	authenticationBehaviors = @{
		removeUnverifiedEmailClaim = $null
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.application import Application
from msgraph_beta.generated.models.authentication_behaviors import AuthenticationBehaviors

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	authentication_behaviors = AuthenticationBehaviors(
		remove_unverified_email_claim = None,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

Share via

管理应用程序身份验证操作

读取应用程序的 authenticationBehaviors 设置

阻止向未经验证的域所有者发出电子邮件声明

从声明中删除具有未经验证的域所有者的电子邮件地址

选项 1

选项 2

接受声明中未经验证的域所有者的电子邮件地址

选项 1

选项 2

还原默认行为

选项 1

选项 2

反馈

反馈

其他资源

Share via

管理应用程序身份验证操作

读取应用程序的 authenticationBehaviors 设置

阻止向未经验证的域所有者发出电子邮件声明

从声明中删除具有未经验证的域所有者的电子邮件地址

选项 1

选项 2

接受声明中未经验证的域所有者的电子邮件地址

选项 1

选项 2

还原默认行为

选项 1

选项 2

相关内容

反馈

反馈

其他资源