Alternative to Groups.ReadBasic.All - access Groups without Admin consent


Question

I have an application that uses Azure AD to access Microsoft Graph without Admin Consent.

I would like to introduce the Office 365 Groups capabilities into my app to manage the visibility of my application objects. Basically, I need two things using delegated scopes without Admin Consent:

  • Users must be able to see basic information about the groups in the tenant
  • Check whether the current user belongs to a given group

I see two approaches:

  1. Wait for Groups.ReadBasic.All

Indeed, Groups.Read.All does require Admin Consent so it is not possible to use it right now in our scenario. My question is then, is such a scope planned for Microsoft Graph?

  2. Limit the Group management feature to Admin only.

I could limit the Group management capabilities to Administrators or wait for Admin Consent, but the rest of the application must still be available for non-Admin Consent workflows. Is there a way to achieve this? The only way I see this is to have two distinct applications registered in Azure AD: myApp and myApp - Extended Permissions. However, it does not smell good and looks complex.

Answer

So #1 is on the cards, but I cannot give you a concrete ETA right now, but I'm hoping it'll be available soon. That should give you what you are after.

On #2, this is possible, and it's a feature we call incremental or dynamic consent. It's only available through the new v2 authentication endpoint. As part of the authorize request you can specify the permission scopes you need; in subsequent requests you can ask for additional scopes. However, in your case, the additional scope you want is a scope that you want the admin to consent to on behalf of the organization. This isn't quite possible yet, but is also coming soon. It might be that #1 and #2 land around the same time ;)

We'll update this thread when #1 and #2 are available.

Hope this helps
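The incremental consent flow described in the answer, as an added example that is not part of the original thread or of Microsoft's own code. It builds v2 endpoint authorize URLs (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize) for a first sign-in with user-consentable scopes and a later request that adds only the admin-consent scope the group feature needs, and it interprets the response shape of Graph's `POST /me/checkMemberGroups` for the "is the current user in this group" check. The client id, tenant and redirect URI are constructed placeholders; no HTTP calls are made.

```python
"""Incremental (dynamic) consent on the Azure AD v2 endpoint: a worked example.

Added example, not code from the original thread. Assumes the v2 authorize
endpoint and the delegated Graph scope names shown below; client id, tenant
and redirect URI are constructed placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Constructed placeholders: substitute your own app registration values.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
TENANT = "common"
REDIRECT_URI = "https://localhost/callback"

# Step 1: scopes any user can consent to on their own. Requesting only these
# keeps the app usable in the non-admin workflow the question describes.
BASE_SCOPES = ["openid", "profile", "offline_access", "User.Read"]

# Step 2: the extra delegated scope the group feature needs. Group.Read.All
# requires admin consent, so it is requested only when that feature is used.
GROUP_SCOPES = ["Group.Read.All"]


def build_authorize_url(scopes, state, *, tenant=TENANT, prompt=None):
    """Return a v2 authorize URL that requests exactly `scopes`."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # bind the callback to this browser session
    }
    if prompt:
        params["prompt"] = prompt  # e.g. "consent" to force the consent screen
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def incremental_scopes(granted, wanted):
    """Scopes to ask for in a follow-up request: only those not yet granted.

    Keeping the follow-up request to the delta means the user (or admin) is
    asked to approve only the new permission, not the whole set again.
    """
    already = set(granted)
    return [s for s in wanted if s not in already]


def scopes_in_url(url):
    """Extract the space-separated scope list back out of an authorize URL."""
    query = parse_qs(urlparse(url).query)
    return query["scope"][0].split(" ")


def user_in_group(check_member_groups_response, group_id):
    """Interpret a Graph POST /me/checkMemberGroups response.

    The request body carries {"groupIds": [...]} and the response echoes back,
    under "value", only those ids the signed-in user is a member of.
    """
    return group_id in check_member_groups_response.get("value", [])


if __name__ == "__main__":
    first = build_authorize_url(BASE_SCOPES, state="sess-1")
    print("initial sign-in:", first)
    extra = incremental_scopes(BASE_SCOPES, BASE_SCOPES + GROUP_SCOPES)
    print("later request adds only:", extra)
    print("follow-up:", build_authorize_url(extra, state="sess-2"))
    # Constructed sample response: the user is in the first group only.
    sample = {"value": ["11111111-aaaa-4bbb-8ccc-222222222222"]}
    print(user_in_group(sample, "11111111-aaaa-4bbb-8ccc-222222222222"))
```

The design point is least privilege: the initial authorize request carries only what every user may grant, and the admin-consent scope appears in a separate request at the moment the group feature is first used, so the rest of the app keeps working for tenants whose admin has not approved it.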

