更改 accountEnabled 会引发 403 Authorization_RequestDenied [英] Changing accountEnabled throws 403 Authorization_RequestDenied

问题描述

我正在使用具有定义权限的客户端应用程序(客户端凭据授予)Application.ReadWrite.All 和 User.ReadWrite.All(两者都包含在 Bearer 令牌中)将用户的 accountEnabled 更改为 false，如下所示:

I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:

{
    "accountEnabled": false,
    "city": "C234",
    "country": "AFG",
    "displayName": "Steve Rogers",
    "givenName": "Steve",
    "jobTitle": "Azure",
    "mailNickname": "steve",
    "postalCode": "Z345",
    "streetAddress": "S123",
    "surname": "Rogers",
    "userPrincipalName": "steve@***.onmicrosoft.com",
    "id": "aec...278",
    "mobilePhone": null
}

但所有请求都以 403 结尾

But all requests ends with 403

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "e7a...e42",
      "date": "2019-04-10T08:21:12"
    }
  }
}

文档不包含任何额外权限的限制或要求.它是 Graph API 中的错误吗?

Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?

推荐答案

谢谢大家，我找到了根本原因 - 您无法禁用管理员角色的用户.我很不幸，选择了几个用户，他们都是管理员角色.https://docs.microsoft.com/en-us/图/权限参考#remarks-2

Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role. https://docs.microsoft.com/en-us/graph/permissions-reference#remarks-2

这篇关于更改 accountEnabled 会引发 403 Authorization_RequestDenied的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！