权限不足，无法在Graph API中列出组成员 [英] Insufficient privileges to list group members in Graph API

问题描述

我正在构建一个由SPA(角度)调用的API.使用Azure AD对用户进行身份验证，并且API使用AzureAdBearer进行身份验证.

I'm building an API which is called by a SPA (angular). The user is authenticated using Azure AD and the API uses AzureAdBearer for its authentication.

我需要后端代表用户调用图api才能列出广告组的成员.

I need the backend to call graph api on behalf of the user to list members of an AD Group.

According to this documentation, I need one of these permissions:

User.ReadBasic.All, User.Read.All, Group.Read.All, Directory.Read.All

因此，我已将User.ReadBasic.All添加到后端的应用程序注册中的api权限列表中.

So I have added User.ReadBasic.All to my api permissions list in the app registration of my backend.

我使用IAuthenticationProvider来使用以下代码来处理身份验证:

I used an IAuthenticationProvider to handle the authentication using this code:

var app = ConfidentialClientApplicationBuilder.Create("{my client id}")
                 .WithAuthority("https://login.microsoftonline.com/{my tenant id}")
                 .WithClientSecret({my backend secret})
                 .WithLogging(Log, Microsoft.Identity.Client.LogLevel.Info, true)
                 .Build();

var token = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");

var userAssertion = new UserAssertion(token);
var result = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/.default" }, userAssertion)
                      .ExecuteAsync();

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

结果成功，当我使用jwt.ms检查我的令牌时，一切似乎都正确，这是它的一部分:

The result is successful, when I check my token using jwt.ms everything seems correct, here is an extract of it:

"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{my tenant id}/",
[...]
"app_displayname": "My app",
"appid": "{my client id}",
[...]
"scp": "User.ReadBasic.All profile openid email",
[...]

但是在此通话中使用GraphApiClient:

However on this call using the GraphApiClient:

var client = new GraphServiceClient(authProvider);
var users = await client.Groups["group guid"].Members.Request().GetAsync();

我收到此错误:

Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

推荐答案

此调用var users = await client.Groups["group guid"].Members.Request().GetAsync();需要您只有 查看全文