得到403:“特权不足以完成操作."尝试查询Graph API时 [英] Getting 403: "Insufficient privileges to complete the operation." when attempting to query Graph API
问题描述
我们已经迁移到我在这里工作的新租户.因此,我们试图将应用程序重新添加到Azure AD中.我们有一个经过记录的流程,该流程过去一直在工作,目的是为我们的MVC和WebAPI项目添加应用程序.但是,尝试查询Graph API时遇到错误.在示例应用程序中,我们使用了此处的代码来创建自定义的授权属性,该属性允许我们对基于组的身份验证.调试/Utilities/GraphHelper.cs后,我们确定该应用程序的状态错误为403,并显示一条消息:权限不足,无法完成操作."
We've migrated to a new tenant where I work. As such we are trying to re-add our applications into Azure AD. We have a documented process that has worked in the past in order to add applications for our MVC and WebAPI projects. However, we've been getting errors when attempting to query the Graph API. In the example application we've used the code from here to create a custom authorize attribute that allows us to group based authentication. After debugging the /Utilities/GraphHelper.cs we've determined that the application is getting a Status Error of 403 with a message that states: "Insufficient privileges to complete the operation."
经过一些研究,我能够在Fiddler中复制身份验证过程.
After doing a bit of research I was able to replicate the Authentication process in Fiddler.
操作方法:开机自检
URL: https://login.windows.net/[tennantName]/oauth2/token?api-version=1.0
标题栏:
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 180
Expect: 100-continue
Connection: Keep-Alive
RequestBody:
RequestBody:
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=[clientId]&client_secret=[urlencoded client secret]
我从此请求中获取了一个令牌,然后尝试使用提琴手再次从graphapi查询联合目录:
I get back a token from this request and then attempt to query the federated directory from the graphapi again with fiddler:
操作方法:GET
URL: https://graph.windows.net/[federated 域]/directoryObjects/{group-guid}
URL: https://graph.windows.net/[federated domain]/directoryObjects/{group-guid}
标题栏:
Content-Type: application/json
Host: graph.windows.net
Authorization: Bearer [token from login response]
我收到身体的403回复:
I receive and 403 response with the body:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
在Azure Active Directory的该应用程序的应用程序注册"下,清单已由具有公司管理员"角色的用户修改:
In Azure Active Directory, Under App Registrations for this application the manifest has been modified by a user with Company Admin Role for:
"groupMembershipClaims": "SecurityGroup", ...
"oauth2AllowImplicitFlow": true,
已生成一个应用程序密钥,该应用程序密钥用于获取令牌以访问图形API. 具有应用程序权限的必需权限"下的读取目录数据"和读取所有隐藏的成员资格"已由具有公司管理员"角色的用户检查.
An Application Key was generated that is used for fetching a token to access the graph API. Under Required Permissions for Application Permissions Read directory data, and Read all hidden memberships were checked by a user with Company Admin Role.
我的主意是一切都应该正常进行.
I'm out of ideas everything should be working.
推荐答案
我称Azure支持MSFT,显然portal.azure.com分配权限存在问题.通过转到经典门户并重新分配权限,我能够解决此问题.
I called MSFT support for Azure, apparently there is an issue with portal.azure.com assigning permissions. I was able to resolve this by going to the classic portal and getting the permissions reassigned.
这篇关于得到403:“特权不足以完成操作."尝试查询Graph API时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
