权限不足，无法在 Graph API 中列出群组成员 [英] Insufficient privileges to list group members in Graph API

问题描述

我正在构建一个由 SPA(角度)调用的 API.用户使用 Azure AD 进行身份验证，API 使用 AzureAdBearer 进行身份验证.

我需要后端代表用户调用图形 API 来列出 AD 组的成员.

我使用了一个 IAuthenticationProvider 来处理使用此代码的身份验证:

var app = ConfidentialClientApplicationBuilder.Create("{my client id}").WithAuthority("https://login.microsoftonline.com/{我的租户ID}").WithClientSecret({我的后端秘密}).WithLogging(Log, Microsoft.Identity.Client.LogLevel.Info, true).建造();var token = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");var userAssertion = new UserAssertion(token);var result = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/.default" }, userAssertion).ExecuteAsync();request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

结果是成功的，当我使用 jwt.ms 检查我的令牌时，一切似乎都是正确的，这里是它的摘录:

"aud": "https://graph.microsoft.com","iss": "https://sts.windows.net/{我的租户 ID}/",[...]"app_displayname": "我的应用程序","appid": "{我的客户 ID}",[...]"scp": "User.ReadBasic.All profile openid email",[...]

但是在使用 GraphApiClient 的这个调用中:

var client = new GraphServiceClient(authProvider);var users = await client.Groups["group guid"].Members.Request().GetAsync();

我收到此错误:

代码:Authorization_RequestDenied消息:权限不足，无法完成操作.

解决方案

这个调用 var users = await client.Groups["group guid"].Members.Request().GetAsync();需要一个 组权限(即Group.Read.All).

您只有 用户权限(即User.ReadBasic.All).

I'm building an API which is called by a SPA (angular). The user is authenticated using Azure AD and the API uses AzureAdBearer for its authentication.

I need the backend to call graph api on behalf of the user to list members of an AD Group.

According to this documentation, I need one of these permissions:

User.ReadBasic.All, User.Read.All, Group.Read.All, Directory.Read.All

So I have added User.ReadBasic.All to my api permissions list in the app registration of my backend.

I used an IAuthenticationProvider to handle the authentication using this code:

var app = ConfidentialClientApplicationBuilder.Create("{my client id}")
                 .WithAuthority("https://login.microsoftonline.com/{my tenant id}")
                 .WithClientSecret({my backend secret})
                 .WithLogging(Log, Microsoft.Identity.Client.LogLevel.Info, true)
                 .Build();

var token = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");

var userAssertion = new UserAssertion(token);
var result = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/.default" }, userAssertion)
                      .ExecuteAsync();

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

The result is successful, when I check my token using jwt.ms everything seems correct, here is an extract of it:

"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{my tenant id}/",
[...]
"app_displayname": "My app",
"appid": "{my client id}",
[...]
"scp": "User.ReadBasic.All profile openid email",
[...]

However on this call using the GraphApiClient:

var client = new GraphServiceClient(authProvider);
var users = await client.Groups["group guid"].Members.Request().GetAsync();

I get this error:

Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

解决方案

This call var users = await client.Groups["group guid"].Members.Request().GetAsync(); requires a group permission (i.e.Group.Read.All).

You only have user permissions right now (i.e.User.ReadBasic.All).

这篇关于权限不足，无法在 Graph API 中列出群组成员的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！