Insufficient privileges error when trying to fetch signed in user's group membership using Azure AD Graph API

Problem description

I need to be able to get the signed in user's group membership so that I can verify whether he is part of a specific group. However I am getting "Insufficient privileges to complete the operation." exception using the Azure AD graph API client library.

I am a co-admin of a subscription and I have created a new Azure AD application to authenticate against the default directory and configured the "Permission to Other application" section as in the below screenshot.

Azure AD application configuration

I am able to fetch the signed in user details, but when I try to call MemberOf function, then I get the above exception. Please let me know what I am missing here. Thanks in advance!

string objectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value; // object id of the signed in user

ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient(); 

IUser user = await client.Users.GetByObjectId(objectId).ExecuteAsync();
var userFetcher = (IUserFetcher)user; // able to fetch the signed in user

IPagedCollection<IDirectoryObject> pagedCollection = await userFetcher.MemberOf.ExecuteAsync(); // getting error here - "Insufficient privileges to complete the operation."               

Recommended answer

The problem here was that I had selected the permissions outside the 'personal scope' (Access the directory as the signed in user, Read directory data).

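Therefore it required consent from the service administrator of the subscription associated with the directory. Once the administrator signs in to the app and approves the consent screen, the code should stop giving the insufficient privileges exception.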
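A way to confirm this diagnosis from the application side, as an added example that is not part of the original question or answer: decode the access token and compare its `scp` claim with the permissions the application is configured to request. It assumes `System.Text.Json` is available and that `scp` lists the delegated permissions already consented to; the `ConsentCheck` class is hypothetical, and the scope names in `Main` are the Azure AD Graph identifiers assumed to correspond to the display names in the answer, since the page shows only display names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class ConsentCheck
{
    // Decodes (does not validate) the payload of a compact JWT and returns the
    // delegated permissions in its space-separated "scp" claim.
    public static string[] GrantedScopes(string accessToken)
    {
        string[] parts = accessToken.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected header.payload.signature");
        // base64url -> base64, restoring the padding that JWTs strip.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 += new string('=', (4 - b64.Length % 4) % 4);
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));

        using (JsonDocument doc = JsonDocument.Parse(json))
        {
            JsonElement scp;
            if (!doc.RootElement.TryGetProperty("scp", out scp) ||
                scp.ValueKind != JsonValueKind.String)
                return new string[0]; // no delegated permissions in this token
            return scp.GetString().Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        }
    }

    // Configured permissions that are absent from the token, i.e. not yet
    // consented to by someone allowed to grant them.
    public static string[] NotConsented(string accessToken, params string[] configured)
    {
        var granted = new HashSet<string>(GrantedScopes(accessToken), StringComparer.OrdinalIgnoreCase);
        return configured.Where(s => !granted.Contains(s)).ToArray();
    }

    public static void Main()
    {
        // Constructed, unsigned sample token: only the personal-scope permission is present.
        string payload = "{\"oid\":\"00000000-0000-0000-0000-000000000000\",\"scp\":\"User.Read\"}";
        string body = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string[] missing = NotConsented("e30." + body + ".sig",
            "User.Read", "Directory.Read.All", "Directory.AccessAsUser.All"); // assumed scope names
        Console.WriteLine("Not yet consented: " + string.Join(", ", missing));
    }
}
```

The decode is for diagnosis only and skips signature validation, so its result should never feed an authorization decision.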
