Azure AD b2b "Read all users' basic profiles" permission


Question

I have delegated user permission User.ReadBasic.All. In the documentation, it states this:

"Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user."

How can I get all users with basic profiles?

var accessToken = authContext
    .AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret))
    .Result
    .AccessToken;

var graphserviceClient = new GraphServiceClient(
    new DelegateAuthenticationProvider(requestMessage => {
        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
        return Task.FromResult(0);
    }));

Could you please confirm whether my "Authority" URL is correct?

string authority = "https://login.microsoftonline.com/{tenantId}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.Read%20User.ReadWrite%20User.ReadBasic.All";
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext
    .AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret))
    .Result
    .AccessToken;

Accepted answer

Here you are really getting a token from the cache (using AcquireTokenSilentAsync), whereas your token was really added to the cache when you redeemed the authorization code produced by ASP.NET using the call to AcquireTokenByAuthorizationCodeAsync. You will find the explanation in the ADAL.NET conceptual documentation: Acquiring a token by authorization code in Web Apps.

Note that to call the graph you might rather want to use MSAL.NET. See for instance the following branch signInAndCallMicrosoftGraph of the sample named aspnetcore-webapp-openidconnect-v2. This is expressed as a tutorial, explaining first the sign-in phase, and then calling an API (in this case the Microsoft Graph).

Finally, the authority you have used is not for Azure AD B2C (and as I mentioned in the comment on your question, for Azure AD, it should be reduced to login.microsoftonline.com{tenantId}/common).
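The flow the answer describes (redeem the authorization code once, then acquire silently from the cache, with the authority reduced to the tenant) as an added example in MSAL.NET with the Microsoft Graph SDK v4-style client; this is not code from the question or the answer. It assumes placeholder values for clientId, clientSecret, tenantId, redirectUri and authCode, and requests only the properties User.ReadBasic.All actually grants.

```csharp
// Added example: delegated User.ReadBasic.All via MSAL.NET, not the asker's or answerer's code.
// clientId, clientSecret, tenantId, redirectUri and authCode are assumed placeholders.
using System;
using System.Linq;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class BasicProfileReader
{
    // Delegated scope only: an app-only (client credentials) token never carries this permission.
    private static readonly string[] Scopes = { "User.ReadBasic.All" };

    public static async Task ListBasicProfilesAsync(
        string clientId, string clientSecret, string tenantId, string redirectUri, string authCode)
    {
        // Authority is just the tenant (or "common"); no token endpoint path, no query string.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .WithRedirectUri(redirectUri)
            .Build();

        // First request after sign-in: redeem the authorization code, which populates the cache.
        await app.AcquireTokenByAuthorizationCode(Scopes, authCode).ExecuteAsync();

        // Later requests: read the cached token for that account, refreshing silently if expired.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        AuthenticationResult result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();

        var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(request =>
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            return Task.CompletedTask;
        }));

        // Select only basic-profile properties (least privilege) and page through every user.
        IGraphServiceUsersCollectionPage page = await graphClient.Users.Request()
            .Select("id,displayName,givenName,surname,mail")
            .Top(100)
            .GetAsync();
        while (page != null)
        {
            foreach (User u in page)
                Console.WriteLine($"{u.DisplayName} <{u.Mail}>");
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }
    }
}
```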

