The following requests can be used to retrieve the recommendation and its impacted resources with the Microsoft Graph API. To use the Microsoft Graph API you need the DirectoryRecommendations.Read.All
and DirectoryRecommendations.ReadWrite.All
permissions. For more information, see How to use identity recommendations.
When you renew service principal credentials with Microsoft Graph, you run a query to get the service principal's password credentials, add a new password credential, and only then delete the old one. Adding or removing credentials on the service principal itself also requires an application write permission such as Application.ReadWrite.All, in addition to the recommendation permissions above.
- Sign in to Graph Explorer.
- Select GET as the HTTP method from the dropdown list.
Retrieve all recommendations for the tenant:
GET https://graph.microsoft.com/beta/directory/recommendations
In the response, find the ID of the recommendation that matches the following pattern: {tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry
To identify the impacted resources, request the recommendation's impactedResources collection:
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry/impactedResources
To filter the resource list by status, for example to return only resources marked as active:
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'
- Note the AppId, the CredentialId of the credential to be removed, and the Source.
- Use these Microsoft Graph APIs to add a new password or key credential:
- Use the following Microsoft Graph APIs to remove the old credential:
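The whole procedure above, from listing the active impacted resources to the add-first, remove-last rotation, as an added worked example in Python. This is not code from the original page or from Microsoft. It assumes that the caller supplies an `http(method, url, body)` callable that already attaches a bearer token (the `FakeGraph` stand-in below is a constructed offline substitute that records calls and returns responses shaped like the real ones), that the `additionalDetails` entries of an impacted resource carry name/value pairs called `AppId`, `CredentialId` and `Source` as the prose suggests (names assumed), and that the caller passes a `validate` callback that really exercises the new secret (for example by acquiring a token with it). The endpoints used are the documented `servicePrincipal` `addPassword`/`removePassword` actions and the `servicePrincipals(appId='...')` alternate-key lookup, which is needed because those actions take the service principal object ID rather than the AppId:

```python
"""Find service principals flagged by the servicePrincipalKeyExpiry recommendation and
rotate a password credential add-first, remove-last.

Added example, not code from the original page or from Microsoft. Assumptions:
  * `http(method, url, body) -> dict` is supplied by the caller and already sends a bearer
    token holding DirectoryRecommendations.Read.All plus an application write permission
    such as Application.ReadWrite.All;
  * impactedResources entries expose additionalDetails name/value pairs called
    AppId, CredentialId and Source (names assumed from the page's prose).
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com"
Http = Callable[[str, str, Optional[dict]], dict]


def recommendation_id(tenant_id: str) -> str:
    return f"{tenant_id}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry"


def impacted_resources_url(tenant_id: str, status: str = "active") -> str:
    # Same $filter form the page uses; only `active` resources still need action.
    return (f"{GRAPH}/beta/directory/recommendations/{recommendation_id(tenant_id)}"
            f"/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'{status}'")


def active_expiring_credentials(http: Http, tenant_id: str) -> List[Dict[str, str]]:
    """Return one {appId, credentialId, source} record per active impacted resource."""
    found = []
    for res in http("GET", impacted_resources_url(tenant_id), None).get("value", []):
        details = {kv["name"]: kv["value"] for kv in res.get("additionalDetails", [])}
        found.append({"appId": details.get("AppId"),
                      "credentialId": details.get("CredentialId"),
                      "source": details.get("Source")})
    return found


def service_principal_object_id(http: Http, app_id: str) -> str:
    # addPassword/removePassword take the service principal *object* id, not the appId.
    return http("GET", f"{GRAPH}/v1.0/servicePrincipals(appId='{app_id}')", None)["id"]


def rotate_password(http: Http, app_id: str, old_key_id: str,
                    validate: Callable[[str], bool], lifetime_days: int = 180) -> Dict[str, str]:
    """Add a new secret, prove it works, then remove the old one.

    Order matters: removing first causes an outage, and removing the old secret without
    validating the new one can leave the app with no working credential at all. If the
    new secret fails validation it is removed again and the old one is kept.
    """
    sp_id = service_principal_object_id(http, app_id)
    base = f"{GRAPH}/v1.0/servicePrincipals/{sp_id}"
    end = (datetime.now(timezone.utc) + timedelta(days=lifetime_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    new = http("POST", f"{base}/addPassword",
               {"passwordCredential": {"displayName": "rotated", "endDateTime": end}})
    # secretText is returned exactly once: the validate callback is where it must be
    # handed to the consumer (vault, pipeline variable) before anything else happens.
    if not validate(new["secretText"]):
        http("POST", f"{base}/removePassword", {"keyId": new["keyId"]})
        return {"status": "rolled_back", "removedKeyId": new["keyId"], "keptKeyId": old_key_id}
    http("POST", f"{base}/removePassword", {"keyId": old_key_id})
    return {"status": "rotated", "newKeyId": new["keyId"], "removedKeyId": old_key_id}


class FakeGraph:
    """Constructed offline stand-in for Graph: records calls, returns canned responses."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append((method, url, body))
        if "/impactedResources" in url:
            return {"value": [{"status": "active", "additionalDetails": [
                {"name": "AppId", "value": "11111111-2222-3333-4444-555555555555"},
                {"name": "CredentialId", "value": "old-key-id-0001"},
                {"name": "Source", "value": "servicePrincipal"}]}]}
        if "servicePrincipals(appId=" in url:
            return {"id": "sp-object-id-0001"}
        if url.endswith("/addPassword"):
            return {"keyId": "new-key-id-0002", "secretText": "constructed-secret-value"}
        if url.endswith("/removePassword"):
            return {}
        raise ValueError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    graph = FakeGraph()
    for cred in active_expiring_credentials(graph, "536279f6-15cc-45f2-be2d-61e352b51eef"):
        print(rotate_password(graph, cred["appId"], cred["credentialId"],
                              validate=lambda secret: len(secret) > 0))
```

In production replace `FakeGraph` with a real session and make `validate` obtain a token with the new secret against the target API before the old `keyId` is removed; the `rolled_back` branch is what keeps a failed rotation from turning into an outage. Certificate (key) credentials follow the same add-then-remove pattern through `addKey`/`removeKey`, but those actions additionally require a proof-of-possession JWT signed with an existing key of the service principal, so they are not a drop-in swap for the password calls shown here.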
Example response
{
"id": "536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.ServicePrincipalKeyExpiry",
"recommendationType": "servicePrincipalKeyExpiry",
"createdDateTime": "2022-05-29T00:11:17Z",
"impactStartDateTime": "2022-05-29T00:11:17Z",
"postponeUntilDateTime": null,
"lastModifiedDateTime": "2024-07-26T12:31:58Z",
"lastModifiedBy": "System",
"displayName": "Renew expiring service principal credentials",
"featureAreas": [
"applications"
],
"insights": "Your tenant has service principals with credentials that will expire soon.",
"benefits": "Renewing the service principal credential(s) before expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.",
"category": "identityBestPractice",
"status": "completedBySystem",
"priority": "high",
"requiredLicenses": "microsoftEntraWorkloadId",
"impactType": "apps",
"actionSteps": [
{
"stepNumber": 1,
"text": "1. Navigate to the Enterprise applications section and locate the Enterprise application for which the credential needs to be rotated."
},
{
"stepNumber": 2,
"text": "2. Navigate to the “Single sign-on” blade."
},
{
"stepNumber": 3,
"text": "3. Edit the 'SAML signing certificate' section and follow prompts to add a new certificate."
},
{
"stepNumber": 4,
"text": "4. After adding the certificate, change its properties to make certificate active. This will make the previous certificate inactive."
},
{
"stepNumber": 5,
"text": "5. Once the certificate is successfully added and activated, validate that your service is working with the new credential, and remove the old credential."
},
{
"stepNumber": 6,
"text": "6. If the service principal does not show any credentials after navigating to the enterprise apps blade, we recommend checking the 'passwordCredentials' and 'keyCredentials' property of the service principal object using PowerShell or Microsoft Graph service principal API and use the Microsoft Graph API to rotate credentials."
}
]
}