密码重置权限不足 [英] Insufficient privileges for password reset

问题描述

我的目标是允许用户在我的应用程序中更改和重置自己的密码.我们不希望将用户重定向到同意页面.

My goal is to allow users to change and reset their own passwords within my application. We do not want users to be redirected to consent pages.

我已按照但是我遇到了以下错误:

But I'm running into the following error:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "19c43c69-f553-470e-9432-617395f5f8f5",
      "date": "2017-06-01T17:24:11"
    }
  }
}

我的补丁请求:

PATCH /v1.0/users/2b6c3114-d81b-429d-af7e-c822a456ebba HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ...xnsYVw
Content-Type: application/json
Cache-Control: no-cache
Postman-Token: 73f...d6

{
  "passwordProfile": {
    "password": "w",
    "forceChangePasswordNextSignIn": false
  }
}

这是我的图形权限:

委派的权限:

User.Read，User.ReadWrite，Directory.AccessAsUser.All *，Directory.ReadWrite.All *，User.ReadWrite.All *

User.Read, User.ReadWrite, Directory.AccessAsUser.All*, Directory.ReadWrite.All*, User.ReadWrite.All*

应用程序权限:

Directory.ReadWriteAll *，User.Read.All *，User.ReadWrite.All *

_{*需要管理员同意}

我知道使用passwordProfile属性时需要范围Directory.AccessAsUser.All.由于这不能作为应用程序许可使用，这是否意味着我必须代表用户获得访问权限并使用授权码授予?在使用授权代码检索令牌时，我看不到任何避免用户同意的方法.

I understand that the scope Directory.AccessAsUser.All is required when using the passwordProfile property. Since this isn't available as an application permission, does this mean I have to get access on behalf of a user and use the Authorization Code grant? I don't see any possible way to avoid user consent when using authorization codes to retrieve a token.

编辑1

我尝试使用client_credentials grant_type获取令牌，但是如果我不使用https://graph.microsoft.com/.default的作用域，我总是会收到一条消息，指出作用域是无效的:

I've tried getting the token using the client_credentials grant_type but I always receive a message that the scope is invalid if I don't use a scope of https://graph.microsoft.com/.default:

POST /tenantid/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Postman-Token: 006...85

client_id={id}&scope=https://graph.microsoft.com/User.Read&client_secret={secret}&grant_type=client_credentials     

推荐答案

因此，我会以一个事实来做这个事情，即可能有充分的理由来做您正在做的事情，但我应该对此做出警告，但是您应该意识到绕过Azure AD登录和诸如SSPR之类的相关功能，企业将会迷失方向.请参阅此精彩的博客文章，描述了您将要丢失的一些内容-此外，尽管这仍然是相关的，但您的客户现在将失去更多的安全功能，例如有条件访问.

So I will caveat this answer with the fact that there may be good reasons for doing what you are doing, but you should be aware of all the things that the organization will lose by bypassing Azure AD sign-in and related features like SSPR. Please see this excellent blog post that describes some of the things you'll lose - plus while this is still relevant, there are now MORE security features that your customer will lose, like conditional access.

无论如何，假设您想向前推动... 对于您的情况(绕过Azure AD SSPR和更改密码体验的应用程序服务)，有一个更改密码的选项(看来我们没有记录在案-为此提交了一个错误)，很遗憾，我无法提供任何密码重置功能.让我解决第一个问题.

Anyways, assuming you want to press ahead... For your scenario (an app service that bypasses Azure AD SSPR and change password experiences), there is an option for change password (that it appears we did not document - filing a bug for that) and regrettably nothing I can offer for password reset. Let me address the first one.

1. 更改密码-在Microsoft Graph中(尽管没有记录)，您将在用户-../users/{id}/changePassword上找到"changePassword"方法，该方法使用旧密码和新密码.该API仅适用于已登录的用户(因此，它需要委托的OAuth2代码流).它需要管理员同意Directory.AccessAsUser.All(尽管我们正在考虑添加更细化的权限).

1. Change Password - in Microsoft Graph (although not documented) you'll find the "changePassword" method on user - ../users/{id}/changePassword, which takes the old password and a new password. This API works ONLY for the signed-in user (so it requires the delegated OAuth2 code flow). It requires an admin to consent for Directory.AccessAsUser.All (although we are looking at adding a more granular permission).

重置密码-Microsoft Graph没有为此公开仅应用程序权限.这是授予应用程序的极其强大的权限.支持已为您提供了解决方法，管理员可以使用powershell明确授予此解决方法.这为您的应用授予了客户资源的许多特权.或者，有一个委派的权限(Directory.AccessAsUser.All)，允许管理员用户重置另一个用户的密码.但是，这不是自助服务.

Reset password - there is no app-only permission exposed by Microsoft Graph for this. This is an extremely powerful permission to grant to an application. You've already been given the workaround by support, for an admin to explicitly grant this using powershell. This grants your app a lot of privileges to your customer's resources. Alternatively, there is a delegated permission (Directory.AccessAsUser.All) that allows an admin user to reset another user's password. However this wouldn't be a self-service experience.

希望这会有所帮助，

这篇关于密码重置权限不足的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！