B2C Graph API-即使启用Directory.ReadWrite.All，权限也不足 [英] B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled

问题描述

我正在尝试通过邮递员运行更改密码".

I am trying to run 'change password' via Postman.

我使用应用程序ID和密码获取令牌

I get token using app id and secret

我可以从用户个人资料中读取数据没问题

I can read data from the user profile no problem

我在Azure门户中授予Graph API权限

I grant permissions to Graph API in Azure portal

我再次生成令牌，在jwt.io中对其进行查看，示例

I generate the token again, review it in jwt.io, sample

"Device.ReadWrite.All",
"Member.Read.Hidden",
"Directory.ReadWrite.All",
"Domain.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"Application.ReadWrite.All"
],

我发送

"password": "Test123456",
"forceChangePasswordNextLogin": false

到https://graph.windows.net/[tenant]/users/[user]api-version=1.6.

我仍然无法通过以下操作:

I still get a fail with the following:

    "code": "Authorization_RequestDenied",
    "message": {
        "lang": "en",
        "value": "Insufficient privileges to complete the operation."
    }

推荐答案

更改密码权限的启用方式与AD Graph API上的其他权限不同.

The change password permission isn't enabled in the same manner as the other permissions on the AD Graph API.

您需要在B2C租户本地设置一个租户管理员，然后按以下详细说明运行powershell命令:

You need to set up a tenant admin local to the B2C tenant and then run the powershell commands as detailed here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.

这篇关于B2C Graph API-即使启用Directory.ReadWrite.All，权限也不足的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！