Azure AAD和Graph API:权限不足，无法完成操作 [英] Azure AAD and Graph API: Insufficient privileges to complete the operation

问题描述

上下文:我有一个控制台应用程序，想要使用Graph API与AAD进行通信，以检查租户中是否存在特定的userId.

Context: I've a console app which wants to use Graph API to talk to AAD to check if a particular userId exists in the tenant or not.

我一直在这里遵循以下准则:

I've been following the guidelines here: https://docs.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0

我可以使用以下方式生成令牌:

I'm able to generate a token using this:

https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=x
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=x
&grant_type=client_credentials

但是当我调用图形API时，出现此错误:

But when I call the graph API I get this ERROR:

https://graph.microsoft.com/v1.0/users/12345678-73a6-4952-a53a-e9916737ff7f
{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "x",
            "date": "x"
        }
    }
}

我的AAD应用拥有以下所有权限:

My AAD App has all the permissions from:

1. Microsoft Graph
2. Windows Azure Active Directory

我尝试将范围更改为

scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read

但这是我生成令牌时得到的错误:

But this is the error I get while generating token:

The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/user.read is not valid.

我尝试将"User.Read"，"User.Basic.Read"等组合使用，但是没有任何效果.

I've tried combinations of "User.Read", "User.Basic.Read", etc. but nothing works.

推荐答案

此方法不起作用的最可能原因是，实际上您尚未将应用程序注册配置为 require 的权限由组织的管理员授予.

The most likely reason why this is not working is because the permission which you have configured your app registration to require have not actually been granted by an administrator of your organization.

在您的代码中，您的应用程序仅作为应用程序进行身份验证 .没有登录用户参与其中，它要求您的应用程序使用并保密用于身份验证的密钥(client_secret参数).

In your code, your app is authenticating as an application only. There is no signed-in user involved, and it requires your app to use and keep confidential a key used to authenticate (the client_secret parameter).

在这种情况下，请求范围https://graph.microsoft.com/.default是正确的方法.您对Azure AD的意思是:请为已授予此应用程序的所有应用程序权限提供访问令牌".请求范围https://graph.microsoft.com/User.Read是不正确的方法，因为没有具有该名称的 application 权限.

In this scenario, requesting the scope https://graph.microsoft.com/.default is the correct approach. What you're saying to Azure AD is: "please provide an access token for all the application permissions this app has been granted". Requesting the scope https://graph.microsoft.com/User.Read is not the correct approach because there is no application permission with that name.

这篇关于Azure AAD和Graph API:权限不足，无法完成操作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！