具有预先同意的多租户应用程序无法调用图谱API [英] Multi-tenant application with pre-consent cannot call graph API

问题描述

我想使我们的合作伙伴帐户中不需要任何用户凭据的所有租户都可以自动使用该应用程序.

I'd like to make an app automatically available for all tenants we have in our partner account that doesn't require any user credential.

为此，我在azure中创建了一个多租户的Web应用程序，并可以通过"Microsoft graph"应用程序访问应用程序权限.

For that, I created a web app in azure that is multitenant and has access to application permissions over "Microsoft graph" app.

我遵循了 Microsoft指南以启用事先同意，并且进展顺利.

I followed Microsoft's guide to enable the preconsent, and it went well.

然后我尝试与租户一起测试对图API的调用:

I then tried to test calls to the graph API with my tenant:

POST https://login.microsoftonline.com/<my-tenant-id>/oauth2/token
=> got the token
GET https://graph.microsoft.com/v1.0/users
=> Got the users of my-tenant

然后我尝试了与客户的租户:

Then I tried with a customer's tenant:

POST https://login.microsoftonline.com/<customer-tenant-id>/oauth2/token
=> got the token
GET https://graph.microsoft.com/v1.0/users
=> 
{
  "error": {
    "code": "Service_InternalServerError",
    "message": "Encountered an internal server error.",
    "innerError": {
      "request-id": "270ef482-e7ca-4184-bb9e-0567b123b7ab",
      "date": "2016-09-15T10:00:14"
    }
  }
}

为什么我得到这500个电话，因为我获得了客户租户的oauth令牌，所以该呼叫不起作用?

Why do I get this 500, shouldn't this call work as I got the oauth token for the customer's tenant?

还有一个侧面的问题:事先同意是否适用于以前存在的租户?如果更改了权限，是否会影响所有租户而无需执行任何操作?

Also, quick side questions: Does the preconsent work for previously existing tenants? And if permissions are changed, will it affect all tenants without having to do anything?

更新:尝试了许多事情之后，它开始使用相同的命令工作.但是，我尝试了另一个随机租户，它给了我500个...将继续尝试并更新

Update: after trying many things, it started to work with the same commands. However, I tried another random tenant and it gives me the 500... Will keep trying and update

推荐答案

似乎同意书有问题.无论我是否使用新租户，我都必须转到 https://login.windows.net/common/oauth2/authorize?response_type=code&client_id= {0}& prompt = admin_consent ({0}为的应用程序)，然后可以使用

It seems that it was a problem with the consent. Whether or not I use a new tenant, I have to go to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent (with {0} being the cliendId of the app) and then it works

因此，自动同意可能有问题，但这是针对单独的问题.

Something is therefore probably wrong with the autoconsent, but this is up for a separate question.

这篇关于具有预先同意的多租户应用程序无法调用图谱API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！