更改 accountEnabled 会引发 403 Authorization_RequestDenied [英] Changing accountEnabled throws 403 Authorization_RequestDenied
问题描述
我正在使用具有定义权限的客户端应用程序(客户端凭据授予)Application.ReadWrite.All
和 User.ReadWrite.All
(两者都包含在 Bearer 令牌中)将用户的 accountEnabled 更改为 false,如下所示:
I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All
and User.ReadWrite.All
(both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve@***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
但所有请求都以 403 结尾
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
文档不包含任何额外权限的限制或要求.它是 Graph API 中的错误吗?
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
推荐答案
谢谢大家,我找到了根本原因 - 您无法禁用管理员角色的用户.我很不幸,选择了几个用户,他们都是管理员角色.https://docs.microsoft.com/en-us/图/权限参考#remarks-2
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role. https://docs.microsoft.com/en-us/graph/permissions-reference#remarks-2
这篇关于更改 accountEnabled 会引发 403 Authorization_RequestDenied的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!