Azure AD Graph API failing with "Insufficient privileges to complete the operation" while assigning applications


Problem description




Hi,

I am using Azure AD Graph API to manage Azure applications.

When trying to assign an application's appRole to a user using API https://graph.windows.net/<TenantID>/servicePrincipals/<ServicePrincipalID>/appRoleAssignments?api-version=1.6, it fails with 403 and the response is as below. Even though the API fails, the app role gets assigned to the user.

{
    "odata.error": {
        "code": "Authorization_RequestDenied",
        "message": {
            "lang": "en",
            "value": "Insufficient privileges to complete the operation."
        }
    }
}

The same API works fine with Azure AD Graph Explorer.
The DELETE operation to remove appRoleAssignments works fine without any issues.

Does it need any specific privileges to assign appRole?

Any help on this is appreciated.

Thanks,
Ishwar

Recommended answer

Step 1:

  • If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in the Azure Management Portal.
  • Go to the Azure Management Portal and click Active Directory.
  • Select your custom AD directory.
  • Click Applications and select your application.
  • Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
  • Provide the required Application Permissions and Delegated Permissions for Azure Active Directory. Finally, save the changes.

Step 2:


If you are receiving this error when you call the API that includes delete or reset password operations, it requires the Admin role "Company Administrator". You can do this only through the Azure Active Directory PowerShell module. You can find the service principal using Get-MsolServicePrincipal -AppPrincipalId and then use Add-MsolRoleMember to add it to the "Company Administrator" role.

1. Get the client ID of your web application. You can get it from the Azure web app's configuration, or by running the following in PowerShell:

Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize

2. Put in your web application's GUID, use it to get the MsolServicePrincipal, and add it to the "Company Administrator" role with Add-MsolRoleMember:

# Client ID (AppPrincipalId) of the web application; value as elided on the page
$clientIdApp = '1a27ce25-xx-46e8-xxxx-1f3e5xxxx4'
# Resolve the application's service principal object in the tenant
$webApp = Get-MsolServicePrincipal -AppPrincipalId $clientIdApp
# Add the service principal (by its ObjectId) to the Company Administrator role
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
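Before changing directory roles it is worth checking what the token behind the failing call actually carries, which explains the difference between the question's 403 and Graph Explorer succeeding. Azure AD Graph Explorer runs as the signed-in user, so its token carries delegated scopes (the `scp` claim) and the service evaluates whatever directory roles that user holds; an app-only token obtained with client credentials carries only the application permissions consented to the app (the `roles` claim), which is what Step 1 of the answer grants. The following Python script, added here as an example and not part of the original post or of Microsoft's tooling, decodes a token's claims without verifying the signature and reports whether the audience is Azure AD Graph and whether one of the required permissions is present. The sample tokens, the client ID and the permission names passed as "required" are constructed for the demonstration; substitute the permission you actually granted. Note also that "Company Administrator" is the MSOnline name of the Global Administrator role, so Step 2 turns the application's credentials into a tenant-wide administrator; it is worth confirming that the token really lacks the granted permission before taking that step.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is a diagnostic for a token you already hold and are about to send;
    never use unverified claims to make an authorization decision on a server.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> dict:
    """Split what the token carries into application and delegated grants.

    Azure AD puts consented application permissions in the "roles" claim of an
    app-only (client credentials) token, and delegated scopes, space-separated,
    in the "scp" claim of a token issued for a signed-in user.
    """
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return {
        "audience": claims.get("aud"),
        "application_permissions": sorted(roles),
        "delegated_permissions": sorted(scopes),
        "app_only": bool(roles) and not scopes,
    }


def check_token(token: str, resource: str, required_any: list) -> dict:
    """Report whether `token` is for `resource` and carries one of `required_any`."""
    info = granted_permissions(jwt_claims(token))
    have = set(info["application_permissions"]) | set(info["delegated_permissions"])
    # Azure AD Graph tokens are issued for https://graph.windows.net, sometimes
    # with a trailing slash; compare without it.
    info["audience_ok"] = (info["audience"] or "").rstrip("/") == resource.rstrip("/")
    info["permission_ok"] = any(p in have for p in required_any)
    info["missing"] = [] if info["permission_ok"] else sorted(set(required_any) - have)
    return info


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED sample token (alg=none) for offline use only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    return enc(header) + "." + enc(payload) + "."


# Constructed sample: an app-only token for Azure AD Graph whose app was only
# consented Directory.Read.All. The client ID (appid) is hypothetical.
SAMPLE_APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.windows.net/",
    "appid": "1a27ce25-0000-46e8-0000-1f3e50000004",
    "roles": ["Directory.Read.All"],
})

# Constructed sample: a delegated token like the one a signed-in user's
# Graph Explorer session would carry.
SAMPLE_USER_TOKEN = make_unsigned_token({
    "aud": "https://graph.windows.net",
    "upn": "admin@contoso.example",
    "scp": "Directory.AccessAsUser.All User.Read",
})

if __name__ == "__main__":
    # The "required" names stand in for whichever write permission you granted.
    required = ["Directory.ReadWrite.All", "Directory.AccessAsUser.All"]
    for name, tok in (("app-only token", SAMPLE_APP_TOKEN), ("user token", SAMPLE_USER_TOKEN)):
        print(name, json.dumps(check_token(tok, "https://graph.windows.net", required), indent=2))
```

Run it against the real bearer token you send to graph.windows.net: if `permission_ok` is false the consent from Step 1 did not make it into the token (commonly because the token was cached before consent was granted, or was requested for a different resource), and no role change will fix that.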

