Microsoft Graph API:尝试在租户上检索策略时出现403禁止错误 [英] Microsoft Graph API: 403 Forbidden error when trying to retrieve policies on tenant

问题描述

我正在尝试使用Microsoft Graph API检索在Azure AD门户上为我的租户创建的策略.据我从图API文档了解，所有策略CRUD操作都需要一个 Directory.AccessAsUser.All .

范围.

此作用域将转换为登录用户的权限访问目录，如此处所述- 添加"角色按钮也被禁用.

我不能在订阅对Azure Active Directory的访问上配置访问控制吗?如果是这样，是否还有其他方法可以使用API​​为我的租户检索策略?

在旧门户上:

对于我的应用程序，我配置了以下权限:

Microsoft Graph
Windows Azure Active Directory

我在门户网站上验证了两个API均已配置为具有 Access目录作为登录用户的权限.即使在这种情况下，当我尝试访问以下API时，我仍然收到403 Forbidden https://graph.microsoft.com/beta/policies 端点以列出我的租户上的策略.

这是我获得的访问令牌上的有效负载( https://login.microsoftonline.com/{我的租户名称}/oauth2/token )

 {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "iat": 1491256764,
    "nbf": 1491256764,
    "exp": 1491260664,
    "aio": "Y2ZgYAi68q2XUTk0ykH7/TZzrhYbAA==",
    "app_displayname": "test-app",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "idp": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "oid": "7ccea836-d389-4328-a155-67092e2805e9",
    "roles": [
        "Device.ReadWrite.All",
        "User.ReadWrite.All",
        "Directory.ReadWrite.All",
        "Group.ReadWrite.All",
        "IdentityRiskEvent.Read.All"
      ],
  "sub": "7ccea836-d389-4328-a155-67092e2805e9",
  "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
  "uti": "4fmUDNWWHkSoTn2-7gtTAA",
  "ver": "1.0"
}
 

很显然，此令牌上缺少 Directory.AccessAsUser.All 角色，这导致403错误.因此，我在这里丢失了一些东西，或者API中存在一个错误，该错误阻止了所有权限的正确配置.非常感谢任何帮助/指针！

请注意:

1. 我仅使用beta API，因为我没有在v1.0 API上找到对应的策略端点，并且Azure Graph API文档建议使用Microsoft Graph API.
2. 使用相同的配置，使用Azure Graph API终结点还会为策略终结点返回403禁止错误( https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/policy-operations#list-policies )

解决方案

基于访问令牌中的声明，您是使用客户端凭据流来获取访问令牌的，该令牌用于委派该令牌该应用程序.这种令牌没有针对用户的此类委托权限.

要获取用户的委托权限的访问令牌，您需要使用其他流程，例如授权代码授予流程.您可以在详细信息中引用此链接.

I'm trying to retrieve the policies created for my tenant on the Azure AD portal using the Microsoft Graph API. As I understand from the graph API documentation, all the policy CRUD operations require a scope of Directory.AccessAsUser.All.

This scope translates to the permission Access directory as the signed-in user as mentioned here - https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes

I have been trying to configure my application on the both the new Azure portal and the old one with different failure points.

On the new portal:

I have created a Web Application in my tenant following instructions on https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal.

When configuring access control, the only subscription for my tenant is Access to Azure Active Directory and I'm not able configure access control on this in the new portal. From the browser, when I select Access Control (IAM), I see the error - "Call to ARM failed with httpCode=BadRequest, errorCode=DisallowedOperation, message=The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription., reason=Bad Request." The "Add" roles button is disabled as well.

Can I not configure Access control on the subscription Access to Azure Active Directory? If so, is there no other way to retrieve the policies for my tenant using the API?

On the old portal:

For my app, I configured permissions for:

Microsoft Graph
Windows Azure Active Directory

I verified on the portal that both the APIs are configured with the permission Access directory as the signed-in user. Even in this case, I keep getting a 403 Forbidden when I try to access the https://graph.microsoft.com/beta/policies endpoint to list the policies on my tenant.

Here is the payload on my access token I obtained (https://login.microsoftonline.com/{my tenant name}/oauth2/token)

{
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "iat": 1491256764,
    "nbf": 1491256764,
    "exp": 1491260664,
    "aio": "Y2ZgYAi68q2XUTk0ykH7/TZzrhYbAA==",
    "app_displayname": "test-app",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "idp": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "oid": "7ccea836-d389-4328-a155-67092e2805e9",
    "roles": [
        "Device.ReadWrite.All",
        "User.ReadWrite.All",
        "Directory.ReadWrite.All",
        "Group.ReadWrite.All",
        "IdentityRiskEvent.Read.All"
      ],
  "sub": "7ccea836-d389-4328-a155-67092e2805e9",
  "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
  "uti": "4fmUDNWWHkSoTn2-7gtTAA",
  "ver": "1.0"
}

Obviously the Directory.AccessAsUser.All role is missing on this token which is causing the 403 error. So either I'm missing something here or there is a bug in the API that is preventing all the permissions from being correctly configured. Greatly appreciate any help/pointers on this!

Please note:

1. I'm only using the beta APIs because I didn't find the corresponding endpoint for policies on the v1.0 APIs and the Azure Graph API documentation recommends using the Microsoft Graph API.
2. With the same configuration, using the Azure Graph API endpoints also returns a 403 Forbidden error for the policies endpoint(https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/policy-operations#list-policies)

解决方案

Based on the claims in the access token, you were acquire the access token using the client credentials flow which the token used to delegate the app. There is no such delegate permission for user in this kind of token.

To get the access token for the delegate permission for users, you need to using the other flows like Authorization code grant flow. You can refer this link for the detail.

这篇关于Microsoft Graph API:尝试在租户上检索策略时出现403禁止错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！