B2C Graph API-即使启用Directory.ReadWrite.All,权限也不足 [英] B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled
问题描述
我正在尝试通过邮递员运行更改密码".
I am trying to run 'change password' via Postman.
我使用应用程序ID和密码获取令牌
I get token using app id and secret
我可以从用户个人资料中读取数据没问题
I can read data from the user profile no problem
我在Azure门户中授予Graph API权限
I grant permissions to Graph API in Azure portal
我再次生成令牌,在jwt.io中对其进行查看,示例
I generate the token again, review it in jwt.io, sample
"Device.ReadWrite.All",
"Member.Read.Hidden",
"Directory.ReadWrite.All",
"Domain.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"Application.ReadWrite.All"
],
我发送
"password": "Test123456",
"forceChangePasswordNextLogin": false
到https://graph.windows.net/[tenant]/users/[user]api-version=1.6
.
我仍然无法通过以下操作:
I still get a fail with the following:
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
推荐答案
更改密码权限的启用方式与AD Graph API上的其他权限不同.
The change password permission isn't enabled in the same manner as the other permissions on the AD Graph API.
您需要在B2C租户本地设置一个租户管理员,然后按以下详细说明运行powershell命令:
You need to set up a tenant admin local to the B2C tenant and then run the powershell commands as detailed here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.
这篇关于B2C Graph API-即使启用Directory.ReadWrite.All,权限也不足的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!