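The following requests can be used to retrieve recommendations and impacted resources with the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use identity recommendations.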
- Sign in to Graph Explorer.
- Select GET as the HTTP method from the dropdown list.
Retrieve all recommendations for the tenant:
GET https://graph.microsoft.com/beta/directory/recommendations
In the response, find the ID of the recommendation that matches the following pattern: {tenantId}_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry
To identify the impacted resources:
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry
To filter the resources by their status (for example, active resources):
GET https://graph.microsoft.com/beta/directory/recommendations/536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'
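The lookup and the filtered request above, as an added Python example that is not part of the original page: it picks the credential-expiry recommendation out of a list response and builds the percent-encoded impactedResources URL. The function names and the sample list response are constructed for illustration; the only shape assumed is that Graph returns collections under `value`.

```python
import re
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/beta/directory/recommendations"
SUFFIX = "_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample list response. The first id is a made-up placeholder;
# the second is the recommendation id shown on this page.
TENANT_ID = "536279f6-15cc-45f2-be2d-61e352b51eef"
SAMPLE_LIST = {
    "value": [
        {"id": TENANT_ID + "_Example.Constructed.Recommendation", "status": "active"},
        {"id": TENANT_ID + SUFFIX, "status": "active"},
    ]
}


def find_credential_expiry_id(list_response, tenant_id):
    """Return the id matching {tenantId}_...ApplicationCredentialExpiry, or None."""
    # Reject anything that is not a GUID so the value cannot alter the URL path later.
    if not GUID_RE.fullmatch(tenant_id):
        raise ValueError("tenant_id must be a GUID")
    wanted = (tenant_id + SUFFIX).lower()
    for rec in list_response.get("value", []):
        # Compare case-insensitively because GUID casing may differ between sources.
        if rec.get("id", "").lower() == wanted:
            return rec["id"]
    return None


def impacted_resources_url(recommendation_id, status="active"):
    """Build the impactedResources request URL with the page's $filter, percent-encoded."""
    if not status.isalpha():
        raise ValueError("status must be a bare enum member name")
    flt = f"status eq Microsoft.Graph.recommendationStatus'{status}'"
    # Encode spaces and quotes so no stray character ends up in the request line.
    return (f"{GRAPH_BASE}/{quote(recommendation_id, safe='')}"
            f"/impactedResources?$filter={quote(flt, safe='')}")


if __name__ == "__main__":
    rec_id = find_credential_expiry_id(SAMPLE_LIST, TENANT_ID)
    print(impacted_resources_url(rec_id))
```
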
Note the AppId, CredentialId, and Origin of the credential you want to remove. To remove the credential, use the following Microsoft Graph guidance:
Sample response
{
  "id": "536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry",
  "recommendationType": "applicationCredentialExpiry",
  "createdDateTime": "2022-06-08T00:08:01Z",
  "impactStartDateTime": "2022-06-08T00:08:01Z",
  "postponeUntilDateTime": null,
  "lastModifiedDateTime": "2024-07-29T12:03:16Z",
  "lastModifiedBy": "System",
  "displayName": "Renew expiring application credentials",
  "featureAreas": [
    "applications"
  ],
  "insights": "Your tenant has applications with credentials that will expire soon.",
  "benefits": "Renewing the app credential(s) before its expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.",
  "category": "identityBestPractice",
  "status": "active",
  "priority": "high",
  "requiredLicenses": "microsoftEntraWorkloadId",
  "impactType": "apps",
  "actionSteps": [
    {
      "stepNumber": 1,
      "text": "1. Navigate to the App registration section and locate the application for which the credential needs to be rotated."
    },
    {
      "stepNumber": 2,
      "text": "2. Navigate to the “Certificates & Secrets” blade of the app registration."
    },
    {
      "stepNumber": 3,
      "text": "3. Pick the credential type that you want to rotate and navigate to either “Certificates” or “Client Secret” tab and follow the prompts.",
      "actionUrl": null
    },
    {
      "stepNumber": 4,
      "text": "4. Once the certificate or secret is successfully added, update the service code to ensure it works with the new credential and has no negative customer impact. You should use Microsoft Entra ID’s sign-in logs to validate that the thumbprint of the certificate matches the one that was just uploaded.",
      "actionUrl": null
    },
    {
      "stepNumber": 5,
      "text": "5. After validating the new credential, navigate back to the Certificates and Secrets blade for the app and remove the old credential.",
      "actionUrl": null
    }
  ]
}