将受邀(来宾)用户添加到团队似乎无法正常工作 [英] Adding invited (guest) user to teams seems to not work properly

问题描述

您好(参考 问题)

将租户设置为允许邀请来自另一个域的用户后，我们可以邀请外部用户(在设置的域中)加入团队.在 GUI 中手动执行此操作时效果很好.但是，当尝试添加受邀用户时抛出了 windows 图形 API，有些东西无法正常工作.

After setting up the tenant to allow invitation of user from another domain, we are able to invite external users (in set domain) to teams. This works fine when doing it manually, in the GUI. However, when trying to add an invited user threw the windows graph API, something is not working properly.

我们邀请用户加入团队的程序如下:请注意，我们正在使用应用程序权限

Our procedure to invite a user to a team is as follows: Note we are using application privileges

1. 邀请用户加入租户(有或没有欢迎邮件)https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0

将受邀用户添加到团队https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0

这两个调用都成功完成并且不返回任何错误消息.在所有管理 GUI(AAD、Teams、Exchange)中，用户被邀请并被添加到组中.但是有问题的用户没有收到他/她已加入团队的欢迎邮件.如果用户(假设我们在步骤 1 中发送了欢迎邮件)尝试访问 http://teams.microsoft.com 通知用户他/她没有权限和/或看不到团队.

Both these calls complete successfully and does not return any error messages. In all the admin GUI’s (AAD, Teams, Exchange) the user is invited and is added to the group. But the user in question does not receive a welcome mail that he/she has been added to the team. And if the user (given we send a welcome mail in step 1) tries to access http://teams.microsoft.com the user gets notified that he/she does not have permissions and/or does not see the team.

有什么建议吗?

API 权限

经过一番调查，通过监控网络流量.似乎缺少的被邀请加入团队的电话是:发布 https://api.teams.skype.com/emea/beta/teams/($teamurl)/bulkUpdateRoledMembers?allowBotsInChannel=true

After some investigation, by monitoring the network traffic. It's seems that the missing call, to get properly invited to the team is: POST https://api.teams.skype.com/emea/beta/teams/($teamurl)/bulkUpdateRoledMembers?allowBotsInChannel=true

您在哪里发送用户 ID (8:orgid:{userid}) 和 groupid 列表.(teamurl 好像是频道号)

where you send in a list of userid (8:orgid:{userid}) and the groupid. (teamurl seems to be the channel id)

{"users":[{"mri":"8:orgid:00000000-5946-0000-87d2-b16b6fdf7a72","role":2}],"groupId":"00000000-2e8b-4d18-0000-394c6a4846d0"}

{"users":[{"mri":"8:orgid:00000000-5946-0000-87d2-b16b6fdf7a72","role":2}],"groupId":"00000000-2e8b-4d18-0000-394c6a4846d0"}

我试图从应用程序中调用它 &委派，但得到未经授权".我也找不到任何授予访问api.teams.skype.com"的 API 权限.

I have tried to call this from application & delegation, but get 'Unauthorized'. Also I could not find any API permission that granted access to 'api.teams.skype.com'.

推荐答案

我终于想通了如何获取访问令牌来调用 bulkUpdateRoledMembers.它仅在我直接为其请求访问令牌时才有效，因此没有应用程序权限，也没有代表流程.

I finally figured out how to get an access token to invoke bulkUpdateRoledMembers. It only works if I request an access token for it directly, so no Application Permissions and no On-Behalf-Of Flow.

private static async Task<string> GetAccessTokenForTeams(string tenantId)
{

    var client = new PublicClientApplication(
        clientId: "d3590ed6-52b3-4102-aeff-aad2292ab01c",
        authority: $"https://login.microsoftonline.com/{tenantId}/",
        userTokenCache: null);

    try
    {
        var result = await client.AcquireTokenInteractive(new[] { "https://api.spaces.skype.com/user_impersonation" }, null).ExecuteAsync();
        return result.AccessToken;
    }
    catch (Exception e)
    {
        Debug.WriteLine(e);
        throw;
    }
}

事实证明，您还需要一个 Skypetoken，您可以使用刚刚获得的访问令牌非常轻松地获得它.

It turns out you also need a Skypetoken, which you can get very easily with the just acquired access token.

private static async Task<string> GetSkypeToken(string accessToken)
{
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add(HttpRequestHeader.Authorization.ToString(), "Bearer " + accessToken);

        using (var response = await client.PostAsync("https://api.teams.skype.com/beta/auth/skypetoken", null))
        {
            var contentString = await response.Content.ReadAsStringAsync();
            if (response.IsSuccessStatusCode)
            {
                var skypeTokenResponse = JsonConvert.DeserializeObject<SkypeTokenResponse>(contentString);
                return skypeTokenResponse.Tokens.SkypeToken;
            }
            else
            {
                throw new Exception(response.StatusCode.ToString() + ": " + contentString);
            }
        }
    }
}
private class SkypeTokenResponse
{
    public Token Tokens { get; set; }

    public class Token
    {
        public string SkypeToken { get; set; }
        public string ExpiresIn { get; set; }
    }
}

然后您最终可以通过传递两个令牌来调用 bulkUpdateRoledMembers.

Then you can finally invoke bulkUpdateRoledMembers by passing both tokens along.

private static async Task<object> bulkUpdateRoledMembers(string accessToken, string skypeToken, string teamUrl, string groupId, string userId)
{
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add(HttpRequestHeader.Authorization.ToString(), "Bearer " + accessToken);
        client.DefaultRequestHeaders.Add("X-Skypetoken", skypeToken);

        var bodyString = JsonConvert.SerializeObject(new
        {
            users = new List<object>
            {
                new
                {
                    mri = "8:orgid:" + userId,
                    role = 2
                }
            },
            groupId = groupId
        });
        var body = new StringContent(bodyString, Encoding.UTF8, "application/json");

        using (var response = await client.PutAsync($"https://teams.microsoft.com/api/mt/emea/beta/teams/{teamUrl}/bulkUpdateRoledMembers?allowBotsInChannel=true", body))
        {
            var contentString = await response.Content.ReadAsStringAsync();
            if (response.IsSuccessStatusCode)
            {
                var jsonresult = JObject.Parse(contentString);
                return jsonresult;
            }
            else
            {
                throw new Exception(response.StatusCode.ToString() + ": " + contentString);
            }
        }
    }
}

这篇关于将受邀(来宾)用户添加到团队似乎无法正常工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！