从 Microsoft Graph 请求“/joinedTeams"时出现“未经授权"错误 [英] 'Unauthorized' error when requesting '/joinedTeams' from Microsoft Graph

问题描述

我正在设置一个应用程序以通过 Microsoft Graph API 修改 Microsoft Teams 帐户(团队/频道)，但我无法从我需要调用的所有端点获得响应.我已遵循 指南 用于创建具有应用程序权限并成功获取访问(和刷新)令牌的应用程序.

I am setting up an app for modifying a Microsoft Teams account (teams/channels) through the Microsoft Graph API, but I can't get responses from all of the endpoints which I need to call. I have followed the guide for creating an app with application permissions and acquired access (and refresh) token(s) succesfully.

调用 https://graph.microsoft.com/v1.0/users/<user guid>/joinedTeams endpoint 产生如下响应:

Calling the https://graph.microsoft.com/v1.0/users/<user guid>/joinedTeams endpoint yields a response as follows:

{
  "error": {
    "code": "Unauthorized",
    "message": "Unauthorized",
    "innerError": {
      "date": "2020-06-24T12:37:53",
      "request-id": <guid>
    }
  }
}

在调用 https://graph.microsoft.com/v1.0/users 等端点时，如所述.似乎该应用尚未获得访问这些内容的同意和/或权限，但在注册后，它们会列在 Azure 门户企业应用程序页面的 API 权限中，并且访问令牌 JWT 包含指定的权限作为 角色对象.

while calling endpoints such as https://graph.microsoft.com/v1.0/users works as described. It would seem that the app hasn't gotten consent and/or permissions to access these, but after signup they are listed on the API permissions in the azure portal enterprise applications page, and the access token JWT contains the specified permissions as a roles object.

来自智威汤逊:

"roles": [
    "TeamSettings.ReadWrite.All",
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "TeamMember.ReadWrite.All",
    "Team.ReadBasic.All",
    "GroupMember.ReadWrite.All",
    "Member.Read.Hidden"
  ]

我已尝试使用 Directory.ReadWrite.All 权限以及 权限页面它们都会引发相同的错误.

I have tried with the Directory.ReadWrite.All permission and also with the full permission list listed on the permissions page for the /joinedTeams endpoint and they all elicit the same error.

奇怪的是，根据 this 401 - 过期(或类似无效)令牌将给出未经授权的响应，但显然情况并非如此，因为我可以使用该令牌调用其他端点.

Curiously, according to this a 401 - Unauthorized response would be given for expired (or similarly invalid) tokens, however that seems to clearly not be the case as I can call other endpoints with that very token.

我错过了什么?

推荐答案

感谢@MikeOliver 解决当我注册 Teams 时，它创建了另一个目录.只有第二个目录具有 Teams许可证".(从 azure 门户的许可页面可见).

Solved thanks to @MikeOliver When I signed up for Teams it created another directory. Only that second directory had a Teams "license" (visible from the azure portal's License page).

这篇关于从 Microsoft Graph 请求“/joinedTeams"时出现“未经授权"错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！