The following requests can be used to retrieve the recommendation and its impacted resources with the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use identity recommendations.
When you renew service principal credentials with Microsoft Graph, you run a query to get the service principal's password credentials, add a new password credential, and only then remove the old credential.
- Sign in to Graph Explorer.
- Select GET as the HTTP method from the drop-down list.
To retrieve all recommendations for your tenant:
GET https://graph.microsoft.com/beta/directory/recommendations
In the response, find the ID of the recommendation that matches this pattern: {tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry
To confirm the impacted resources:
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry/impactedResources
To filter the resource list by status (for example, only the resources marked active):
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'
- Note the AppId, the CredentialId, and the source of the credential to be removed.
- Use these Microsoft Graph APIs to add a new password or key credential: servicePrincipal: addPassword or servicePrincipal: addKey.
- Use these Microsoft Graph APIs to remove the old credential: servicePrincipal: removePassword or servicePrincipal: removeKey.
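As an added example (not code from this Microsoft Learn page or from Microsoft), the following Python script carries the whole procedure through end to end: it finds the servicePrincipalKeyExpiry recommendation, lists the impacted resources that are still active, resolves each noted AppId to its service principal, selects the password credentials that expire within 30 days, calls servicePrincipal: addPassword, verifies the new secret, and only then calls servicePrincipal: removePassword. It assumes a bearer token that carries DirectoryRecommendations.Read.All plus Application.ReadWrite.All (the addPassword and removePassword actions are not covered by the DirectoryRecommendations permissions). The `send` callable, the `FakeGraph` stand-in, the placeholder tenant, app and key IDs, the field in which `FakeGraph` returns the AppId, and the `verify` callback are all constructed for this example; in practice `verify` should acquire a real token with the new secret.

```python
import json, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com"
KEY_EXPIRY_TYPE = "servicePrincipalKeyExpiry"
ACTIVE_FILTER = "status eq Microsoft.Graph.recommendationStatus'active'"
Send = Callable[[str, str, Optional[dict]], dict]  # (method, url, json body) -> parsed JSON

def http_send(token: str) -> Send:
    """Real transport: one Graph call per invocation with a bearer token (needs network)."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send

def find_key_expiry_recommendation(send: Send) -> Optional[str]:
    """GET /beta/directory/recommendations; match on recommendationType, because the id's
    casing differs between the documented pattern and the live response."""
    page = send("GET", f"{GRAPH}/beta/directory/recommendations", None)
    for rec in page.get("value", []):
        if rec.get("recommendationType") == KEY_EXPIRY_TYPE:
            return rec["id"]
    return None

def active_impacted_resources(send: Send, rec_id: str) -> list:
    """Impacted resources still marked active; the $filter must be URL-encoded."""
    query = urllib.parse.urlencode({"$filter": ACTIVE_FILTER})
    url = f"{GRAPH}/beta/directory/recommendations/{rec_id}/impactedResources?{query}"
    return send("GET", url, None).get("value", [])

def service_principal_by_app_id(send: Send, app_id: str) -> dict:
    """Resolve the noted AppId to the servicePrincipal object and its passwordCredentials."""
    query = urllib.parse.urlencode(
        {"$filter": f"appId eq '{app_id}'", "$select": "id,passwordCredentials"})
    (sp,) = send("GET", f"{GRAPH}/v1.0/servicePrincipals?{query}", None)["value"]  # exactly one
    return sp

def expiring_key_ids(sp: dict, now: datetime, within_days: int = 30) -> list:
    """keyIds of password credentials that expire within the window (or already did)."""
    horizon = now + timedelta(days=within_days)
    return [c["keyId"] for c in sp.get("passwordCredentials", [])
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) <= horizon]

def rotate_password(send: Send, sp_id: str, old_key_ids: list,
                    verify: Callable[[str], bool], display_name: str = "rotated") -> dict:
    """addPassword, prove the new secret works, only then removePassword the old ones, so a
    bad rotation never leaves the app without a working secret. Persist secretText at once."""
    new_cred = send("POST", f"{GRAPH}/v1.0/servicePrincipals/{sp_id}/addPassword",
                    {"passwordCredential": {"displayName": display_name}})
    if not verify(new_cred["secretText"]):
        raise RuntimeError("new credential failed verification; old credentials kept")
    for key_id in old_key_ids:
        send("POST", f"{GRAPH}/v1.0/servicePrincipals/{sp_id}/removePassword", {"keyId": key_id})
    return new_cred

class FakeGraph:
    """Constructed offline stand-in for the Graph calls above; none of this is live data."""
    def __init__(self):
        self.app_id, self.sp_id = "11111111-1111-1111-1111-111111111111", "sp-object-id"
        self.rec_id = "00000000-0000-0000-0000-000000000000_Microsoft.Identity.IAM.Insights.ServicePrincipalKeyExpiry"
        self.creds = {"old-key-id": "2024-02-01T00:00:00Z", "fresh-key-id": "2030-01-01T00:00:00Z"}
    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        path = urllib.parse.urlsplit(url).path
        if path == "/beta/directory/recommendations":
            return {"value": [{"id": self.rec_id, "recommendationType": KEY_EXPIRY_TYPE}]}
        if path.endswith("/impactedResources"):
            # which impactedResource field carries the AppId is an assumption of this example
            return {"value": [{"id": self.app_id, "status": "active"}]}
        if path == "/v1.0/servicePrincipals":
            return {"value": [{"id": self.sp_id, "passwordCredentials": [
                {"keyId": k, "endDateTime": e} for k, e in self.creds.items()]}]}
        if path.endswith("/addPassword"):
            self.creds["new-key-id"] = "2026-01-01T00:00:00Z"
            return {"keyId": "new-key-id", "secretText": "constructed-secret"}
        if path.endswith("/removePassword"):
            self.creds.pop(body["keyId"])
            return {}
        raise ValueError(f"unexpected call {method} {url}")

def run(send: Send, verify: Callable[[str], bool], now: datetime) -> dict:
    """Whole procedure; returns {appId: new keyId, or None when verification failed}."""
    result, rec_id = {}, find_key_expiry_recommendation(send)
    for res in (active_impacted_resources(send, rec_id) if rec_id else []):
        sp = service_principal_by_app_id(send, res["id"])
        old = expiring_key_ids(sp, now)
        try:
            result[res["id"]] = rotate_password(send, sp["id"], old, verify)["keyId"]
        except RuntimeError:
            result[res["id"]] = None
    return result

def demo(verify_ok: bool) -> tuple:
    """Offline run against FakeGraph: returns (run() result, credential keyIds left)."""
    fake = FakeGraph()
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed clock; old-key-id expires in 17 days
    return run(fake, lambda secret: verify_ok, now), sorted(fake.creds)
```

`demo(True)` runs the rotation to completion against the fake, leaving only the fresh and the new credential; `demo(False)` shows the failure path, where the new secret has been added but the expiring one is deliberately kept. Against a live tenant, pass `http_send(token)` in place of `FakeGraph()`. The order of the last two calls is the point of the example: removing the old credential before the new one is proven to work is exactly the outage this recommendation exists to prevent.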
Example response
{
"id": "536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.ServicePrincipalKeyExpiry",
"recommendationType": "servicePrincipalKeyExpiry",
"createdDateTime": "2022-05-29T00:11:17Z",
"impactStartDateTime": "2022-05-29T00:11:17Z",
"postponeUntilDateTime": null,
"lastModifiedDateTime": "2024-07-26T12:31:58Z",
"lastModifiedBy": "System",
"displayName": "Renew expiring service principal credentials",
"featureAreas": [
"applications"
],
"insights": "Your tenant has service principals with credentials that will expire soon.",
"benefits": "Renewing the service principal credential(s) before expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.",
"category": "identityBestPractice",
"status": "completedBySystem",
"priority": "high",
"requiredLicenses": "microsoftEntraWorkloadId",
"impactType": "apps",
"actionSteps": [
{
"stepNumber": 1,
"text": "1. Navigate to the Enterprise applications section and locate the Enterprise application for which the credential needs to be rotated."
},
{
"stepNumber": 2,
"text": "2. Navigate to the “Single sign-on” blade."
},
{
"stepNumber": 3,
"text": "3. Edit the 'SAML signing certificate' section and follow prompts to add a new certificate."
},
{
"stepNumber": 4,
"text": "4. After adding the certificate, change its properties to make certificate active. This will make the previous certificate inactive."
},
{
"stepNumber": 5,
"text": "5. Once the certificate is successfully added and activated, validate that your service is working with the new credential, and remove the old credential."
},
{
"stepNumber": 6,
"text": "6. If the service principal does not show any credentials after navigating to the enterprise apps blade, we recommend checking the 'passwordCredentials' and 'keyCredentials' property of the service principal object using PowerShell or Microsoft Graph service principal API and use the Microsoft Graph API to rotate credentials."
}
]
}