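I need to create an automation that stays in sync with the list of users in a "suspended" state, who are blocked from access in Microsoft 365, and removes them from the Azure DevOps organization, covering both current users and those flagged as suspended in 365 in the future.
Currently, I am trying to achieve this with PowerShell 5.1 through an Automation account in the Azure portal. I am open to other suggestions for implementing this project, which do not necessarily require an Automation account.
At the moment, the Runbook runs without errors, but nothing happens; in other words, the suspended 365 users are not removed from the Azure DevOps organization. Here is the current code: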
```powershell
# Microsoft 365 authentication parameters
$clientId = "ClientID"
$tenantId = "TenantID"
$clientSecret = "ClientSecret"
$scope = "https://graph.microsoft.com/.default"

# Get an access token
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokenBody = @{
    client_id     = $clientId
    scope         = $scope
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}
try {
    $tokenResponse = Invoke-RestMethod -Uri $tokenUrl -Method Post -Body $tokenBody
    $accessToken = $tokenResponse.access_token
} catch {
    Write-Output "Error obtaining access token: $_"
}

# Get suspended users
$graphUrl = "https://graph.microsoft.com/v1.0/users?$filter=accountEnabled eq false"
$graphHeaders = @{Authorization = "Bearer $accessToken"}
try {
    $users = Invoke-RestMethod -Uri $graphUrl -Headers $graphHeaders
} catch {
    Write-Output "Error obtaining suspended users: $_"
}

# Azure DevOps credentials
$patToken = "patToken"
$devOpsOrg = "DevOpsOrg"

# Loop through suspended users and remove them from Azure DevOps organization
foreach ($user in $users.value) {
    $email = $user.mail
    # Get user identity in Azure DevOps
    $uri = "https://vssps.dev.azure.com/$devOpsOrg/_apis/graph/users?api-version=6.0-preview.1&subjectDescriptor=" + [System.Web.HttpUtility]::UrlEncode("aad:$($user.id)")
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f "",$patToken)))
    $headers = @{Authorization=("Basic {0}" -f $base64AuthInfo)}
    try {
        $userToRemove = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    } catch {
        Write-Output "Error getting user identity in Azure DevOps: $_"
        continue
    }
    if ($userToRemove.Count -eq 1) {
        # Remove the user from Azure DevOps organization
        $uri = "https://vssps.dev.azure.com/$devOpsOrg/_apis/graph/users/" + $userToRemove[0].Id + "?api-version=6.0-preview.1"
        try {
            Invoke-RestMethod -Uri $uri -Headers $headers -Method Delete
            Write-Output "User $email removed from Azure DevOps organization."
        } catch {
            Write-Output "Error removing user from Azure DevOps organization: $_"
        }
    }
}

# List all users in Azure DevOps organization
$uri = "https://vssps.dev.azure.com/$devOpsOrg/_apis/graph/users?api-version=6.0-preview.1"
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f "",$patToken)))
$headers = @{Authorization=("Basic {0}" -f $base64AuthInfo)}
try {
    $allUsers = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    Write-Output "All users in Azure DevOps organization:"
    $allUsers.value | ForEach-Object {
        Write-Output ("Name: " + $_.displayName)
        Write-Output ("User: " + $_.principalName)
    }
} catch {
    Write-Output "Error getting all users in Azure DevOps: $_"
}
```
1 Answer
To remove a user in Azure DevOps, we can use User Entitlements - Delete. You can find the userId from User Entitlements - Search User Entitlements.
Below is my test script:
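An added example, not the answerer's script or code from the original page: one way to combine the Graph query from the question with the two User Entitlements calls named in the answer, reporting only unless `-Remove` is passed. It assumes `api-version=6.0-preview.3` on `vsaex.dev.azure.com`, that an entitlement's `user.originId` holds the Entra object id, and hypothetical parameter names.

```powershell
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,  # supply from a vault or Automation variable, not source
    [Parameter(Mandatory)] [string] $DevOpsOrg,
    [Parameter(Mandatory)] [string] $Pat,           # PAT permitted to manage member entitlements
    [switch] $Remove                                # without this switch the script only reports
)
$ErrorActionPreference = 'Stop'   # stop rather than carry on with an empty token or user list

# 1. App-only Graph token (client credentials flow, as in the question)
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{ client_id = $ClientId; client_secret = $ClientSecret
             scope = 'https://graph.microsoft.com/.default'; grant_type = 'client_credentials' }).access_token

# 2. Disabled accounts, all pages. Single quotes stop PowerShell expanding $filter and $select.
$disabled = @{}   # Entra object id -> UPN (hashtable keys compare case-insensitively)
$next = 'https://graph.microsoft.com/v1.0/users?$filter=accountEnabled eq false&$select=id,userPrincipalName'
while ($next) {
    $page = Invoke-RestMethod -Uri $next -Headers @{ Authorization = "Bearer $token" }
    foreach ($u in $page.value) { $disabled[$u.id] = $u.userPrincipalName }
    $next = $page.'@odata.nextLink'
}

# 3. Search User Entitlements page by page; match on originId (assumed to be the Entra object id)
$basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
$headers = @{ Authorization = "Basic $basic" }
$base    = "https://vsaex.dev.azure.com/$DevOpsOrg/_apis/userentitlements"
$api     = 'api-version=6.0-preview.3'
$cont    = $null
do {
    $url = "${base}?$api"
    if ($cont) { $url += '&continuationToken=' + [uri]::EscapeDataString($cont) }
    $res  = Invoke-RestMethod -Uri $url -Headers $headers
    $list = if ($res.members) { $res.members } else { $res.items }  # property name differs by version
    foreach ($e in $list) {
        if (-not $disabled.ContainsKey([string]$e.user.originId)) { continue }
        if ($Remove) {
            # User Entitlements - Delete, keyed by the entitlement id from the search
            Invoke-RestMethod -Method Delete -Uri "$base/$($e.id)?$api" -Headers $headers | Out-Null
            Write-Output "Removed $($e.user.principalName) (entitlement $($e.id))"
        } else {
            Write-Output "Would remove $($e.user.principalName) (entitlement $($e.id))"
        }
    }
    $cont = $res.continuationToken
} while ($cont)
```

Run it once without `-Remove` and review the "Would remove" lines before scheduling it with the switch.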