Microsoft Graph API-更新密码-权限不足,无法完成操作 [英] Microsoft Graph API - Update password - Insufficient privileges to complete the operation
问题描述
我正在尝试通过Microsoft Graph API更新用户,我能够更新DisplayName
,但是PasswordProfile
我收到错误消息:
I am trying to update a user via Microsoft Graph API, I am able to update the DisplayName
but the PasswordProfile
I get an error:
Insufficient privileges to complete the operation.
当我在 http://jwt.io 上解码JWT令牌时,以下是与令牌相关联的角色:
Here are the roles associated to the token when I decoded the JWT token at http://jwt.io :
"roles": [
"User.ReadWrite.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All"
],
基于文档,看来这些权限应该足够了.
Based on the documentation it seems these permissions should suffice.
这是我的代码(来自控制台应用程序),我能够通过Fiddler找出调用失败的原因,UpdateAsync
不会引发异常.
Here is my code (taken from a console app), I was able to figure out the call is failing via Fiddler, the UpdateAsync
does not throw an exception.
try
{
var userId = "9a5413cd-85ff-4ad1-ab2f-b443941abd8e";
var token = GetToken().Result;
System.Console.Write($"Token: {token}");
var newPassword = "TwDx5zgHxe51DZZ";
GraphServiceClient graphClient = GetAuthenticatedClient(token);
// This works -- Updating Display name
graphClient.Users[userId].Request().UpdateAsync(new User
{
DisplayName = "NewDisplayName"
});
// This does not work - Updating password
graphClient.Users[userId].Request().UpdateAsync(new User
{
PasswordProfile = new PasswordProfile
{
Password = newPassword,
ForceChangePasswordNextSignIn = true
}
});
System.Console.WriteLine("---Update Complete---");
}
catch (Exception e)
{
System.Console.WriteLine(e);
}
获取令牌的方法:
public async Task<string> GetToken()
{
// Constants
var tenant = "dev-mytenantmydomaincom";
var resource = "https://graph.microsoft.com/";
var clientID = "XXXXXXXX-87ef-494d-b921-cf8956006b0e";
var secret = "zgkzas2THJLiD5XXXXXX";
// Ceremony
var authority = $"https://login.microsoftonline.com/{tenant}";
var authContext = new AuthenticationContext(authority);
var credentials = new ClientCredential(clientID, secret);
var authResult = await authContext.AcquireTokenAsync(resource, credentials);
return authResult.AccessToken;
}
这是Fiddler的完整回应:
Here is the full response via Fiddler:
HTTP/1.1 403 Forbidden
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
client-request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"SliceB","ScaleUnit":"001","Host":"AGSFE_IN_27","ADSiteName":"EST"}}
Duration: 69.2849
Date: Thu, 31 Aug 2017 13:15:34 GMT
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "6edcf194-7705-4cd7-8144-767925cc9ee4",
"date": "2017-08-31T13:15:34"
}
}
}
推荐答案
密码是特别敏感的数据集,因此具有一些唯一的权限.从文档:
Passwords are a particularly sensitive data set and therefore have some unique permissions to them. From the documentation:
更新
passwordProfile
属性时,需要以下范围:Directory.AccessAsUser.All
.
When updating the
passwordProfile
property, the following scope is required:Directory.AccessAsUser.All
.
Directory.AccessAsUser.All 是需要管理员的委派权限.换句话说,它允许全局管理员某人更改其他用户的passwordProfile
.
The Directory.AccessAsUser.All is a Delegated Permission that requires an Admin. In other words, it allows someone a Global Administrator to change other another user's passwordProfile
.
如果您希望允许最终用户自己更改密码,则SDK中的ChangePassword
方法中也有一个改进:
If you're looking to allow the end user to change their password themselves, there is also a baked in ChangePassword
method in the SDK:
await graphClient.Me.ChangePassword("current-pwd, "new-pwd").Request().PostAsync();
注意:这还要求在DirectoryAccessAsUser.All
上授予管理员同意书,然后用户才能执行它)
Note: that this also requires that Admin Consent be granted for DirectoryAccessAsUser.All
before a user can execute it)
请记住,DirectoryAccessAsUser.All
是委托"权限范围,而不是应用程序"权限范围.这意味着隐含流;使用
Keep in mind that DirectoryAccessAsUser.All
is a "Delegated" rather than an "Application" permission scope. This means it is only supported by the Authorization Code and Implicit flows; it will not work for daemon/service scenarios using the Client Credentials flow.
如果您考虑到非交互式应用程序可以随意更改用户密码的能力,则可能会受到潜在的利用,这很明显.
If you consider the potential exploits that could be achieved by a non-interactive application having the ability to change user's passwords at will, the reason for this restriction is pretty clear.
这篇关于Microsoft Graph API-更新密码-权限不足,无法完成操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!