Microsoft Graph API - new delegated permission removing application permissions

Problem description

I'm using the v1 Azure AD auth URLs (/common/oauth2/authorize) for a multi-tenant app that requires admin_consent.

I've attempted to add a new scope Directory.AccessAsUser.All. It is the first 'delegated' permission I'm requesting when all my other scopes are 'application' level permissions.

When I added that new delegated scope and prompted the admin to re-consent, the other scopes disappeared from the returned AccessToken and the response's scope parameter. Only Directory.AccessAsUser.All is present in the access_token scp field.

Is there any reason this behavior would occur? I'm positive that we are prompting for admin_consent and that an admin is the one consenting.

Recommended answer

The scopes specified in the scp will depend on which OAUTH flow you used to obtain the token. You cannot have a single access_token with both Delegated and Application scopes.

  • Application scopes are applied when using the Client Credentials flow (client_credentials).

  • Delegated scopes are applied when using either Authorization Code or Implicit flows (authorization_code or implicit).

Update: I've written a more in-depth post about this topic that might help folks facing similar issues: Application vs Delegated Scopes.
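
To confirm which kind of token a flow actually returned, the payload can be decoded and inspected. The following is an added example, not part of the original answer: it assumes the Azure AD convention that delegated permissions appear in the space-separated `scp` claim while app-only tokens carry application permissions in a `roles` array (the `roles` claim is not named on this page), and the sample tokens and the permission names in `APP_ONLY` are constructed.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string. Constructed demo input only."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def classify_token(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (inspection only,
    never an authorization decision) and report the permissions it carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    scopes = claims.get("scp", "").split()   # delegated: space-separated string
    roles = claims.get("roles", [])          # app-only: JSON array
    if scopes:
        return {"kind": "delegated", "permissions": scopes}
    if roles:
        return {"kind": "application", "permissions": list(roles)}
    return {"kind": "none", "permissions": []}


# Constructed samples: what the asker saw after the authorization_code flow,
# and what a client_credentials token for the same app would look like.
DELEGATED = make_sample_token({"aud": "https://graph.microsoft.com",
                               "scp": "Directory.AccessAsUser.All"})
APP_ONLY = make_sample_token({"aud": "https://graph.microsoft.com",
                              "roles": ["User.Read.All", "Group.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("authorization_code", DELEGATED),
                      ("client_credentials", APP_ONLY)):
        print(name, classify_token(tok))
```
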
