Access tenants Microsoft Graph from daemon app


Problem description

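I am developing a daemon that interacts with Microsoft 365 Office Planner to manipulate tasks through Microsoft Graph. When I call the Microsoft Graph API to get the tasks related to a tenant, I receive an unauthorized request exception.

I have registered my application in Azure Active Directory and also granted it permissions to use Microsoft Graph.

I request the access token following the procedure from here: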

Other users have raised feedback about listing tasks using an app-only token; you can from https://graph.microsoft.io/en-us/docs/authorization/app_only

I am able to get a token from the Azure Active Directory v2.0 endpoint. The request code is the following:

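     // Requires: using System.Collections.Generic; using System.Net.Http;
     // Request an app-only token with the OAuth2 client credentials grant
     var client = new HttpClient();
     var pairs = new List<KeyValuePair<string, string>>
     {
         new KeyValuePair<string, string>("grant_type", "client_credentials"),
         new KeyValuePair<string, string>("client_id", "<client id>"),
         new KeyValuePair<string, string>("client_secret", "<client secret>"),
         new KeyValuePair<string, string>("resource", @"https://graph.microsoft.com")
     };
     var content = new FormUrlEncodedContent(pairs);

     var response = client.PostAsync("https://login.microsoftonline.com/<tenant id>/oauth2/token", content).Result;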

When I use this access token to perform a request as follows:

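     // Requires: using System.Net.Http.Headers;
     // Send the app-only access token as a bearer token
     client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

     // Microsoft Graph returns JSON, so ask for JSON rather than a form-encoded body
     client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

     var response = client.GetAsync(@"https://graph.microsoft.com/beta/tasks").Result;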

I get a status code 401 Unauthorized with the following response message:

Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

Is there any authorization process I have not performed to grant access to my app? Please help!!!!

Thanks in advance!!

Solution

Based on the test, it seems that Microsoft Graph doesn't support listing tasks with an app-only token. After I granted the Group.ReadAll app permission to the app, I got an error like the one below with the request:

GET:https://graph.microsoft.com/beta/tasks?$filter=createdBy+eq+'xx@xxxx.onmicrosoft.com'

However, the request was called successfully with the delegate token with the same permission:

As a workaround, you may check whether the OAuth2 Code Grant flow is helpful for your scenario.

Other users have raised feedback about listing the tasks using the app-only token; you can vote for this feedback from here if you also want this feature.
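
When an app-only call is refused while a delegated call with the same permission succeeds, a useful first check is which kind of token the request actually carried. The following is an added example, not code from the question or the answer: Azure AD access tokens carry application permissions in the `roles` claim and delegated permissions in the `scp` claim, so decoding the payload shows which kind you hold. The class name, method names and sample tokens are constructed for illustration, and the code reads claims for diagnosis only without validating the signature.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenInspector
{
    // Decode a base64url segment (JWT segments omit '=' padding).
    static string Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Returns "app-only", "delegated" or "unknown", plus the permissions in the token.
    // Diagnostic only: the signature is NOT verified here.
    public static (string Kind, string[] Permissions) Classify(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var root = doc.RootElement;
        if (root.TryGetProperty("scp", out var scp) && scp.ValueKind == JsonValueKind.String)
            return ("delegated", (scp.GetString() ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries));
        if (root.TryGetProperty("roles", out var roles) && roles.ValueKind == JsonValueKind.Array)
            return ("app-only", roles.EnumerateArray().Select(r => r.GetString() ?? "").ToArray());
        return ("unknown", Array.Empty<string>());
    }

    // Helper used only to build the constructed sample tokens below.
    static string Encode(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample tokens with a placeholder signature, not real Azure AD output.
        string header = Encode("{\"alg\":\"none\"}");
        string appOnly = header + "." + Encode("{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"Group.Read.All\"]}") + ".sig";
        string delegated = header + "." + Encode("{\"aud\":\"https://graph.microsoft.com\",\"scp\":\"Group.Read.All User.Read\"}") + ".sig";
        foreach (var token in new[] { appOnly, delegated })
        {
            var (kind, perms) = Classify(token);
            Console.WriteLine(kind + ": " + string.Join(", ", perms));
        }
    }
}
```

A token that shows up as "app-only" with the expected permission but is still refused points at the API not accepting app-only access, which is the situation the answer describes, rather than at a missing consent step.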
