默认情况下,Microsoft Graph SDK 配置为访问 Microsoft Graph 全局服务中的数据,使用 https://graph.microsoft.com
根 URL 访问 Microsoft Graph REST API。 开发人员可以重写此配置以连接到 Microsoft Graph 国家/地区云部署。
先决条件
需要以下信息才能配置 Microsoft Graph SDK 以连接到国家云部署。
若要连接到国家云部署,必须将 身份验证提供程序 配置为连接到正确的令牌服务终结点。 然后,必须将 SDK 客户端配置为连接到正确的 Microsoft Graph 服务根终结点。
权限范围
任何包含 Microsoft Graph 域的权限范围值(包括 .default 范围)都必须使用该国家云部署的 Microsoft Graph 服务根终结点的域。 缩短的权限范围名称(如 User.Read 或 Mail.Send)也有效。
- 对于增量或动态同意,在美国政府 L4 国家云中,User.Read 和 https://graph.microsoft.us/User.Read 是等效的。
- 对于静态定义的权限,或者使用客户端凭据流获取仅限应用的权限时,正确的 .default 范围值为 https://graph.microsoft.us/.default。
示例
以下示例使用 Microsoft Graph SDK 配置 交互式身份验证提供程序 ,以连接到适用于美国政府 L4 国家/地区云的 Microsoft Graph。
// The token authority, the permission scope and the Graph service root set
// below all belong to the US Government cloud; keep the three aligned when
// adapting this sample to another national cloud.

// Options for an app registered in the Azure AD for US Government portal.
// AzureGovernment is https://login.microsoftonline.us
var credentialOptions = new InteractiveBrowserCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzureGovernment,
    RedirectUri = new Uri("YOUR_REDIRECT_URI"),
};

var credential = new InteractiveBrowserCredential(
    "YOUR_TENANT_ID",
    "YOUR_CLIENT_ID",
    credentialOptions);

// Authentication provider; the scope uses the US Government Graph domain
string[] scopes = ["https://graph.microsoft.us/.default"];
var authProvider = new AzureIdentityAuthenticationProvider(
    credential,
    isCaeEnabled: true,
    scopes: scopes);

// Microsoft Graph client bound to the US Government L4 service root.
// NOTE: The API version must be included in the URL
var serviceRoot = "https://graph.microsoft.us/v1.0";
var graphClient = new GraphServiceClient(authProvider, serviceRoot);
import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
graph "github.com/microsoftgraph/msgraph-sdk-go"
auth "github.com/microsoftgraph/msgraph-sdk-go-core/authentication"
)
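// Builds a Microsoft Graph client for the US Government L4 national cloud.
// Every constructor error is checked: the original discarded them with `_`,
// which lets a failed credential or adapter flow into later calls.

// Create the InteractiveBrowserCredential using details
// from app registered in the Azure AD for US Government portal
credential, err := azidentity.NewInteractiveBrowserCredential(
	&azidentity.InteractiveBrowserCredentialOptions{
		ClientID: "YOUR_CLIENT_ID",
		TenantID: "YOUR_TENANT_ID",
		ClientOptions: policy.ClientOptions{
			// https://login.microsoftonline.us
			Cloud: cloud.AzureGovernment,
		},
		RedirectURL: "YOUR_REDIRECT_URL",
	})
if err != nil {
	// Fail fast rather than continue with an unusable credential;
	// replace with the application's own error handling
	panic(err)
}

// Create the authentication provider; the scope uses the
// US Government Graph domain
authProvider, err := auth.NewAzureIdentityAuthenticationProviderWithScopes(credential,
	[]string{"https://graph.microsoft.us/.default"})
if err != nil {
	panic(err)
}

// Create a request adapter using the auth provider
adapter, err := graph.NewGraphRequestAdapter(authProvider)
if err != nil {
	panic(err)
}

// Set the service root to the
// Microsoft Graph for US Government L4 endpoint
// NOTE: The API version must be included in the URL
adapter.SetBaseUrl("https://graph.microsoft.us/v1.0")

// Create a Graph client using request adapter
graphClient := graph.NewGraphServiceClient(adapter)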
// Credential for an app registered in the Azure AD for US Government portal.
// AZURE_GOVERNMENT is https://login.microsoftonline.us
final InteractiveBrowserCredential credential =
    new InteractiveBrowserCredentialBuilder()
        .clientId("YOUR_CLIENT_ID")
        .tenantId("YOUR_TENANT_ID")
        .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)
        .redirectUrl("YOUR_REDIRECT_URI")
        .build();

// The scope uses the US Government Graph domain
final String[] scopes = {"https://graph.microsoft.us/.default"};

// Guard before the client is built from the credential and scopes
if (credential == null || scopes == null) {
    throw new Exception("Unexpected error");
}

final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);

// Point the client at the Microsoft Graph for US Government L4 service root.
// NOTE: The API version must be included in the URL
final String serviceRoot = "https://graph.microsoft.us/v1.0";
graphClient.getRequestAdapter().setBaseUrl(serviceRoot);
// Scope on the US Government Graph domain
$scopes = ['https://graph.microsoft.us/.default'];

// $tokenRequestContext is one of the token context classes
// from Microsoft\Kiota\Authentication\Oauth.
// NationalCloud::US_GOV creates the client against the
// Microsoft Graph for US Government L4 endpoint
$graphClient = new GraphServiceClient(
    $tokenRequestContext,
    $scopes,
    NationalCloud::US_GOV
);
# Connection settings for the US Government national cloud; the scope uses
# the US Government Graph domain to match the USGov environment
$connectParams = @{
    Environment = 'USGov'
    ClientId    = 'YOUR_CLIENT_ID'
    TenantId    = 'YOUR_TENANT_ID'
    Scopes      = 'https://graph.microsoft.us/.default'
}
Connect-MgGraph @connectParams
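# Builds a Microsoft Graph client for the US Government L4 national cloud.
# The token authority, the scope and the Graph host must all belong to the
# same cloud.
scopes = ['https://graph.microsoft.us/.default']

# Create the InteractiveBrowserCredential using details
# from app registered in the Azure AD for US Government portal
credential = InteractiveBrowserCredential(
    tenant_id='YOUR_TENANT_ID',
    client_id='YOUR_CLIENT_ID',
    # Request tokens from the US Government token service; without this the
    # credential uses the library's default authority, which does not match
    # the US Government scope above
    authority='https://login.microsoftonline.us',
    redirect_uri='YOUR_REDIRECT_URI')

# Create the authentication provider
auth_provider = AzureIdentityAuthenticationProvider(credential, scopes=scopes)

# Create the HTTP client using
# the Microsoft Graph for US Government L4 endpoint
http_client = GraphClientFactory.create_with_default_middleware(
    host=NationalClouds.US_GOV)

adapter = GraphRequestAdapter(auth_provider, http_client)
graph_client = GraphServiceClient(request_adapter=adapter)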
// The token authority, the permission scope and the Graph base URL set below
// all belong to the US Government cloud; keep the three aligned when adapting
// this sample to another national cloud.

// Credential for an app registered in the Azure AD for US Government portal
const credentialOptions = {
  clientId: 'YOUR_CLIENT_ID',
  tenantId: 'YOUR_TENANT_ID',
  // https://login.microsoftonline.us
  authorityHost: AzureAuthorityHosts.AzureGovernment,
  redirectUri: 'YOUR_REDIRECT_URI',
};
const credential = new InteractiveBrowserCredential(credentialOptions);

// Authentication provider; the scope uses the US Government Graph domain
const scopes = ['https://graph.microsoft.us/.default'];
const authProvider = new TokenCredentialAuthenticationProvider(credential, {
  scopes,
});

// Microsoft Graph client for the US Government L4 endpoint.
// NOTE: Do not include the version in the baseUrl
const graphClient = Client.initWithMiddleware({
  authProvider,
  baseUrl: 'https://graph.microsoft.us',
});