更改accountEnabled引发403 Authorization_RequestDenied [英] Changing accountEnabled throws 403 Authorization_RequestDenied

问题描述

我正在使用具有已定义权限Application.ReadWrite.All和User.ReadWrite.All(两者均包含在Bearer令牌中)的客户端应用程序(客户端凭据授予)，将用户的accountEnabled更改为false，例如:

I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:

{
    "accountEnabled": false,
    "city": "C234",
    "country": "AFG",
    "displayName": "Steve Rogers",
    "givenName": "Steve",
    "jobTitle": "Azure",
    "mailNickname": "steve",
    "postalCode": "Z345",
    "streetAddress": "S123",
    "surname": "Rogers",
    "userPrincipalName": "steve@***.onmicrosoft.com",
    "id": "aec...278",
    "mobilePhone": null
}

但是所有请求都以403结尾

But all requests ends with 403

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "e7a...e42",
      "date": "2019-04-10T08:21:12"
    }
  }
}

文档不包含任何限制或其他权限要求.这是Graph API中的错误吗?

Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?

推荐答案

谢谢大家，我能够找到根本原因-您无法以管理员身份禁用用户.我很不幸，选择了几位用户，所有这些用户均为管理员角色. https://docs.microsoft.com/en-us/graph/permissions-reference#remarks-2

Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role. https://docs.microsoft.com/en-us/graph/permissions-reference#remarks-2

这篇关于更改accountEnabled引发403 Authorization_RequestDenied的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！