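The following requests can be used to retrieve recommendations and impacted resources with the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use identity recommendations.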
- Sign in to Graph Explorer.
- Select GET as the HTTP method from the dropdown list.
To retrieve all recommendations for your tenant:
GET https://graph.microsoft.com/beta/directory/recommendations
In the response, find the ID of the recommendation that matches the following pattern: {tenantId}_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry.
To confirm the impacted resources:
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry
To filter the resources by their status (for example, "active" resources):
GET https://graph.microsoft.com/beta/directory/recommendations/536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'
Note the AppId, CredentialId, and Origin of the credential you want to remove. To remove the credential, use the following Microsoft Graph guidance:
Sample response
{
  "id": "536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry",
  "recommendationType": "applicationCredentialExpiry",
  "createdDateTime": "2022-06-08T00:08:01Z",
  "impactStartDateTime": "2022-06-08T00:08:01Z",
  "postponeUntilDateTime": null,
  "lastModifiedDateTime": "2024-07-29T12:03:16Z",
  "lastModifiedBy": "System",
  "displayName": "Renew expiring application credentials",
  "featureAreas": [
    "applications"
  ],
  "insights": "Your tenant has applications with credentials that will expire soon.",
  "benefits": "Renewing the app credential(s) before its expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.",
  "category": "identityBestPractice",
  "status": "active",
  "priority": "high",
  "requiredLicenses": "microsoftEntraWorkloadId",
  "impactType": "apps",
  "actionSteps": [
    {
      "stepNumber": 1,
      "text": "1. Navigate to the App registration section and locate the application for which the credential needs to be rotated."
    },
    {
      "stepNumber": 2,
      "text": "2. Navigate to the “Certificates & Secrets” blade of the app registration."
    },
    {
      "stepNumber": 3,
      "text": "3. Pick the credential type that you want to rotate and navigate to either “Certificates” or “Client Secret” tab and follow the prompts.",
      "actionUrl": null
    },
    {
      "stepNumber": 4,
      "text": "4. Once the certificate or secret is successfully added, update the service code to ensure it works with the new credential and has no negative customer impact. You should use Microsoft Entra ID’s sign-in logs to validate that the thumbprint of the certificate matches the one that was just uploaded.",
      "actionUrl": null
    },
    {
      "stepNumber": 5,
      "text": "5. After validating the new credential, navigate back to the Certificates and Secrets blade for the app and remove the old credential.",
      "actionUrl": null
    }
  ]
}
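The requests above can also be scripted. The following Python sketch is an added example, not Microsoft's code: it builds the recommendation ID and the filtered impactedResources URL, follows `@odata.nextLink` paging on the list response, and picks out the credential-expiry recommendation. The function names and the two-page response are constructed for illustration, and obtaining the bearer token is assumed to happen elsewhere.

```python
import json
import re
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/directory/recommendations"
SUFFIX = "_Microsoft.Identity.IAM.Insights.ApplicationCredentialExpiry"

def recommendation_id(tenant_id):
    """ID pattern from the page: {tenantId}_<recommendation type>."""
    if not re.fullmatch(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}", tenant_id):
        raise ValueError("tenant ID must be a GUID")
    return tenant_id + SUFFIX

def impacted_resources_url(tenant_id, status="active"):
    """Impacted-resources URL filtered by status, with the filter URL-encoded."""
    if not re.fullmatch(r"[A-Za-z]+", status):
        raise ValueError("status must be a bare enum name")
    flt = f"status eq Microsoft.Graph.recommendationStatus'{status}'"
    query = "$filter=" + urllib.parse.quote(flt, safe="'")
    return f"{GRAPH}/{recommendation_id(tenant_id)}/impactedResources?{query}"

def graph_get(url, token):
    """GET one page with a bearer token (needs network; not called offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def collect(url, fetch):
    """Follow @odata.nextLink; refuse links that leave Graph so the token stays there."""
    items = []
    while url:
        if not url.startswith("https://graph.microsoft.com/"):
            raise ValueError("unexpected host in " + url)
        page = fetch(url)
        items += page.get("value", [])
        url = page.get("@odata.nextLink")
    return items

def find_credential_expiry(recommendations, tenant_id):
    """Return this tenant's credential-expiry recommendation, or None."""
    wanted = recommendation_id(tenant_id)
    return next((r for r in recommendations if r.get("id") == wanted), None)

# Constructed two-page list response, trimmed to the fields used here.
TENANT = "536279f6-15cc-45f2-be2d-61e352b51eef"  # tenant ID in the page's sample
NEXT = GRAPH + "?$skiptoken=constructed"
PAGES = {GRAPH: {"value": [{"id": TENANT + "_Constructed.Other"}], "@odata.nextLink": NEXT},
         NEXT: {"value": [{"id": TENANT + SUFFIX, "status": "active"}]}}
print(find_credential_expiry(collect(GRAPH, PAGES.__getitem__), TENANT))
```

Against a live tenant, pass `lambda u: graph_get(u, token)` as `fetch` in place of the constructed `PAGES` lookup.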