Permissions not applying correctly


Problem description

I am working on programmatically extracting a list of Active Directory groups. I want to do this as an application, and not as a user. I outline below how I went about creating the application and the result I get. Note: all of this is done using the admin account.

Creating the app

  • Navigate to Azure Active Directory -> App registrations -> New application registration
  • Give it a <name> and callback URL
  • Go into Settings -> Required Permissions
  • Click 'Windows Azure Active Directory'
  • Enable the 'Read all groups' option
  • Save
  • 'Grant permissions'

Adding the app to the subscription

  • Navigate to Dashboard -> Subscriptions -> <the subscription you want the application to run in> -> Access control (IAM)
  • 'Add'
  • Role: Reader, Select: <name>
  • Save

Getting the API key

  • Azure Active Directory -> App registrations -> <name> -> Settings -> Keys
  • Add a key

Now take note of the following:

  • The App KEY (generated in the previous step)
  • Application ID (found in the Settings page)
  • Tenant ID (found in Azure Active Directory -> App registrations -> Endpoints); you need to extract the UUID from the URL

All set, permissions are set up correctly, we just need to use the API key to grab an auth token, then use that token to query the Azure AD API.

I include a copy of the script here: https://gist.github.com/hamhut1066/e71b356a2010677a0862320ccbc60cc8 (fill in the variables as appropriate).

Running the script, output (actual):

{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}

Expected:

[{name:"group-1",...},{name:"group-2"},...]

---

I found a way to solve the issue, but it doesn't make sense why it solves it.

If you go back to (AD -> App registrations -> <name> -> Settings -> Permissions):

- go into the Active Directory section and enable all permissions
- save and grant permissions
- go back into the Active Directory section and disable all settings except 'sign in' & 'group list all'
- save and grant permissions

Now if you run the above-mentioned script again, everything should work as expected.

I am unsure why this is the case; my guess is some implicit switch isn't switched until a certain permission is enabled (and then subsequently disabled).

Feedback on this issue is appreciated.

Kind regards,

Hamish

Answer

The script requests an application-only token.

Make sure the permission scopes you are setting are NOT DELEGATED permission scopes. "Sign In" is a delegated scope, and is not used in this scenario.

If you can reproduce the issue, post the timestamp and correlation ID / request ID and I'll take a very quick look in the operations logs to verify what is occurring.

Again, use application permission scopes, not delegated permission scopes.

Regards,
MaxV (MSFT)
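The quickest way to confirm the answer's point from the client side is to look at the claims in the access token before calling the directory: an app-only (client_credentials) token carries the consented application permissions in a `roles` claim, while delegated scopes appear in `scp`. A token with no `roles` claim will get exactly the `Authorization_RequestDenied` response shown above. The following is an added example, not the gist from the question or Microsoft's code; it assumes the v1 token endpoint (`login.microsoftonline.com/{tenant}/oauth2/token`) and the legacy Azure AD Graph (`graph.windows.net`) that the 'Windows Azure Active Directory' API in the portal mapped to, and the tenant/app/key values are placeholders the caller supplies. The JWT decoding is for local inspection only and does not verify the signature.

```python
"""App-only token against Azure AD, claim inspection, then a Graph call.

Added example (not the original gist). Assumes the v1 token endpoint and
the legacy Azure AD Graph resource; all identifiers are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH_URL = "https://graph.windows.net/{tenant}/groups?api-version=1.6"
RESOURCE = "https://graph.windows.net"  # audience for Azure AD Graph


def build_token_request(tenant_id, app_id, app_key):
    """Form body for the client_credentials grant. No user signs in, so
    only *application* permissions can ever appear in the resulting token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_key,
        "resource": RESOURCE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT WITHOUT verifying the signature.
    Fine for diagnosing what was issued; never use it to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def grant_kind(claims):
    """Application permissions land in 'roles'; delegated scopes in 'scp'.
    An app-only token with neither is what produces Authorization_RequestDenied."""
    if claims.get("roles"):
        return "application"
    if claims.get("scp"):
        return "delegated"
    return "none"


def classify_graph_error(body):
    """Turn the odata.error body from the post into an actionable diagnosis."""
    try:
        code = json.loads(body)["odata.error"]["code"]
    except (ValueError, KeyError, TypeError):
        return "unexpected response"
    if code == "Authorization_RequestDenied":
        return ("token accepted but carries no application permission: "
                "grant an Application (not Delegated) permission and re-consent")
    return code


def list_groups(tenant_id, app_id, app_key):
    """Full flow. Performs network calls; the offline checks do not run it."""
    url, body = build_token_request(tenant_id, app_id, app_key)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        token = json.loads(r.read())["access_token"]
    kind = grant_kind(decode_jwt_payload(token))
    if kind != "application":
        # Fail early with the real cause instead of a generic 403 later.
        raise PermissionError(
            f"token has no 'roles' claim (grant kind: {kind}); "
            "the consented permissions are delegated scopes, not application ones")
    req = urllib.request.Request(GRAPH_URL.format(tenant=tenant_id),
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as r:
            return json.loads(r.read())["value"]
    except urllib.error.HTTPError as e:
        raise PermissionError(classify_graph_error(e.read().decode())) from e


def make_unsigned_jwt(claims):
    """Constructed, unsigned sample token for offline inspection only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

In practice, paste the `access_token` returned by the token endpoint into `decode_jwt_payload` and look at `grant_kind`: if it reports `delegated` or `none`, the portal consent granted delegated scopes (such as 'Sign in' or the delegated 'Read all groups'), and no amount of re-saving will make the directory accept the app-only call until an Application permission is granted.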

