Failed to update user profile with Microsoft Graph API via REST API


Problem description

I'm trying to update a user profile via the Microsoft Graph API from a server-side (Java) application without user consent. I have an app in MS Azure which has the following "Permissions to other applications": "Microsoft Graph - Read and write all user's full profiles" as an "Application Permission"; an administrator has consented to these settings.

So I can fetch any user profile from our tenant. Also, with the "Read and write calendars in all mailboxes" permission I can list and patch users' calendar entries. Using the same code snippets to update user profiles, however, does not work.

Here is a REST representation of the workflow,

Get an access token:

POST https://login.microsoftonline.com/<my-tenant>/oauth2/token 
Content-Type: application/x-www-form-urlencoded

{
grant_type=client_credentials
&resource=https%3A%2F%2Fgraph.microsoft.com
&client_secret=<my-client-secret>
&client_id=<my-client-id>
}

So far so good, patch user profile:

PATCH https://graph.microsoft.com/v1.0/<my-tenant>/users/<target-user>
Authorization: Bearer <access_token from prev response>
Accept: application/json
Content-Type: application/json

{"aboutMe": "happy"}

The response is:

response code: 500
{
  "error": {
    "code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
    "message": "Attempted to perform an unauthorized operation.",
    "innerError": {
      "request-id": "<request-id>",
      "date": "2016-09-27T11:07:18"
    }
  }
}

According to the http://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_update documentation I should have set the "User.ReadWrite; User.ReadWrite.All; Directory.ReadWrite.All" scopes. Unfortunately there is no such thing on the manage.windowsazure.com app settings page, but I believe "Read and write all user's full profiles" should do the trick. The sample requests above have some data replaced with <> tags; they are obviously filled in correctly during the normal workflow. It works perfectly for patching a calendar event (which is almost exactly the same except for a minor change in the URL) but fails when patching the user object.

Recommended answer

Microsoft Graph currently has some limitations on operations on Users and Groups, depending on the permission type. According to the Known issues page, there is a limitation: "Cannot perform any CRUD operations on User other than updating user HD photo and extended profile properties" for both Delegated and Application permission types.

Selecting the Directory.ReadWrite.All permission (Read and write directory data in the new Azure portal), as indicated in the Alternative column of the table in the Microsoft Graph permissions section, should solve the problem.
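
A quick way to confirm which permissions the client-credentials token from the question actually carries before sending the PATCH, as an added example that is not part of the original question or answer. It assumes the token is a compact JWT in which Azure AD lists application permissions in the `roles` claim and delegated permissions in `scp`; the function names and the two sample tokens are constructed for illustration.

```python
import base64
import json

# Permission the answer above says to grant for patching user objects.
REQUIRED = "Directory.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(access_token: str) -> dict:
    """Read the permission claims of a token WITHOUT verifying its signature.

    Diagnostic use only: never make an authorization decision from an
    unverified token. Assumption: app-only permissions are in `roles`,
    delegated permissions are a space-separated string in `scp`.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    return {
        "audience": claims.get("aud"),
        "application": sorted(claims.get("roles") or []),
        "delegated": sorted((claims.get("scp") or "").split()),
    }


def can_patch_user(access_token: str) -> bool:
    # True only if the token carries the permission named in the answer.
    perms = token_permissions(access_token)
    return REQUIRED in perms["application"] or REQUIRED in perms["delegated"]


def make_sample_token(claims: dict) -> str:
    # Constructed sample: real header/payload encoding, placeholder signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"typ": "JWT", "alg": "RS256"})}.{enc(claims)}.constructed-signature'


# Constructed tokens mirroring the question's setup and the answer's fix.
BEFORE = make_sample_token({"aud": "https://graph.microsoft.com",
                            "roles": ["User.ReadWrite.All", "Calendars.ReadWrite"]})
AFTER = make_sample_token({"aud": "https://graph.microsoft.com",
                           "roles": ["User.ReadWrite.All", "Calendars.ReadWrite",
                                     "Directory.ReadWrite.All"]})
```

Permissions are fixed in the token when it is issued, so after an administrator consents to the new permission, request a fresh token before retrying the PATCH.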
