尝试使用 Graph API 从 Azure Active Directory 获取组时出现 Authorization_RequestDenied [英] Authorization_RequestDenied when trying to get groups from Azure Active Directory using Graph API

问题描述

我正在尝试使用 Graph API 获取有关 Azure Active Directory 组的信息，但我不断收到Authorization_RequestDenied"响应.

I'm trying to get information about Azure Active Directory groups using the Graph API, but I keep getting an "Authorization_RequestDenied" response.

这个问题类似于Insufficientprivilege error when尝试使用Azure AD Graph API获取登录用户的组成员身份，但那个问题的答案对我不起作用.

This question is similar to Insufficient privileges error when trying to fetch signed in user's group membership using Azure AD Graph API, but that question's answer didn't work for me.

这是我所做的:

• 使用我的 Microsoft 帐户登录 Azure 门户(例如 example@hotmail.com)
• 设置用于测试的 Azure Active Directory 实例.实例的域类似于 examplehotmail247.onmicrosoft.com
• 创建了一个用户 (TestMember@examplehotmail247.onmicrosoft.com)
• 创建了一些组，并使用户成为这些组的一部分
• 创建了一个配置为使用 OpenID Connect 向 AAD 进行身份验证的 ASP.NET 应用程序.
• 在 AAD 中注册应用程序，创建客户端密码，回复 URL 等.
• 修改了 AAD 中应用程序的清单，以便返回组成员资格声明.

身份验证部分工作正常.用户登录后，我可以看到我期望的所有信息(姓名、ID 等)，以及包含用户所属所有组的 ID 的声明.

The authentication part works fine. After the user logs on, I can see all the information I expect (name, ID, etc.), along with claims containing the IDs of all the groups the user belongs to.

到目前为止，一切都很好.

So far, so good.

现在，我想将这些组 ID 转换为人类可读的组名.为此，我使用了 Microsoft.Azure.ActiveDirectory.GraphClient NuGet 包，它提供了一个 GetObjectsByObjectIdsAsync 方法.此方法似乎是 getObjectsByObjectIds REST 方法.

Now, I want to translate those group IDs to human-readable group names. For this, I'm using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package, which provides a GetObjectsByObjectIdsAsync method. This method seems to be a wrapper for the getObjectsByObjectIds REST method.

为了尝试让这个工作，我做了以下事情:

To try and get this working, I've done the following:

• 在 Azure 门户中，我已向我的应用程序授予登录并读取用户配置文件"和读取目录数据"权限.
• 使用我的 Microsoft 帐户至少登录一次我的 ASP.NET 应用程序

我所看到的:当我使用我的 Microsoft 帐户登录到我的 ASP.NET 应用程序时，一切正常.但是，当我使用我创建的 AAD 帐户 (TestMember@examplehotmail247.onmicrosoft.com) 登录时，它会失败并出现以下错误:

What I see: When I log in to my ASP.NET application using my Microsoft account, everything works. However, when I log in using the AAD account I created (TestMember@examplehotmail247.onmicrosoft.com), it fails with the following error:

[DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"权限不足，无法完成操作."},"requestId":"1234e0bb-3144-4494-a5fb-12a937147bcf","date":"2016-12-06T18:39:13"}}]System.Data.Services.Client.BaseAsyncResult.EndExecute(对象源，字符串方法，IAsyncResult asyncResult)+919System.Data.Services.Client.QueryResult.EndExecuteQuery(Object source, String method, IAsyncResult asyncResult) +116

[DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"1234e0bb-3144-4494-a5fb-12a937147bcf","date":"2016-12-06T18:39:13"}}] System.Data.Services.Client.BaseAsyncResult.EndExecute(Object source, String method, IAsyncResult asyncResult) +919 System.Data.Services.Client.QueryResult.EndExecuteQuery(Object source, String method, IAsyncResult asyncResult) +116

直接使用 REST api 尝试等效查询(即从图片中删除 ASP.NET)会得到相同的结果.

Trying the equivalent query using the REST api directly (i.e. taking ASP.NET out of the picture) gives the same result.

那么我在这里错过了什么?

So what am I missing here?

更新:我还授予应用程序以下委派权限(对 Windows Azure Active Directory):登录并读取用户配置文件、读取目录数据、以登录用户身份访问目录.然而，这并没有什么不同.

Update: I also granted the application the following delegated permissions (to Windows Azure Active Directory): Sign in and read user profile, Read directory data, Access the directory as the signed-in user. However, it didn't make any difference.

更新 #2: 我什至将 TestMember@examplehotmail247.onmicrosoft.com 设为 AAD 实例的全局管理员，但它仍然没有帮助.

Update #2: I even made the TestMember@examplehotmail247.onmicrosoft.com a Global Administrator for the AAD instance, and it still didn't help.

更新 #3: 好的，首先，澄清一下.用户登录后，我的 ASP.NET 应用程序从 OpenID Connect 流中获取授权代码.获得代码后，我将使用 AcquireTokenByAuthorizationCodeAsync 将其交换为访问令牌.访问令牌与用户相关联，因此我想依赖委派权限，而不是应用程序权限.

Update #3: Ok, so first, some clarification. After a user logs on, my ASP.NET app gets an authorization code from the OpenID Connect flow. Once I get the code, I'm exchanging it for an access token using AcquireTokenByAuthorizationCodeAsync. The access token is tied to the user, and so I want to rely on delegated permissions, not application permissions.

推荐答案

问题是，尽管在 Azure 门户中为我的 ASP.NET 应用程序授予了适当的委派权限，但用户从未有机会同意他们.

The problem was that although the proper delegated permissions were granted to my ASP.NET app in the Azure portal, the user never had an opportunity to consent to them.

我通过在 Azure 中为我的 ASP.NET 应用程序创建一个全新的应用程序注册重新开始，这就是我的发现:当用户第一次登录时，系统会要求他们同意所需的任何委派权限.但是，如果我在他们第一次登录后更改了需要哪些委派权限，则下次登录时不会要求用户同意(对于新需要的权限).

I started over by creating a completely new app registration in azure for my ASP.NET app, and here's what I found: When a user logs on for the first time, they are asked for consent to whatever delegated permissions are required. However, if I change which delegated permissions are required after they've logged on for the first time, the user is not asked for consent (for the newly-required permissions) the next time he logs on.

这绝对不是我所期望的，所以我将就此提出一个新问题.

This is definitely not what I expected, so I'm going to open a new question about this.

这篇关于尝试使用 Graph API 从 Azure Active Directory 获取组时出现 Authorization_RequestDenied的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！