Microsoft Graph API - Update password - Insufficient privileges to complete the operation


Question

I am trying to update a user via the Microsoft Graph API. I am able to update the DisplayName, but for the PasswordProfile I get an error:

Insufficient privileges to complete the operation.

Here are the roles associated with the token when I decoded the JWT token at http://jwt.io :

"roles": [
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All"
],

Based on the documentation it seems these permissions should suffice.

Here is my code (taken from a console app). I was able to figure out via Fiddler that the call is failing; UpdateAsync does not throw an exception.

try
{
    var userId = "9a5413cd-85ff-4ad1-ab2f-b443941abd8e";
    var token = GetToken().Result;
    System.Console.Write($"Token: {token}");

    var newPassword = "TwDx5zgHxe51DZZ";
    GraphServiceClient graphClient = GetAuthenticatedClient(token);

    // This works -- Updating Display name
    // Note: the original calls were not awaited, which is why no exception surfaced
    // and the failure was only visible in Fiddler. Blocking on the task here makes a
    // failed request throw a ServiceException that the catch block below reports.
    graphClient.Users[userId].Request().UpdateAsync(new User
    {
        DisplayName = "NewDisplayName"
    }).GetAwaiter().GetResult();

    // This does not work - Updating password (Graph answers 403 Forbidden, see the Fiddler trace below)
    graphClient.Users[userId].Request().UpdateAsync(new User
    {
        PasswordProfile = new PasswordProfile
        {
            Password = newPassword,
            ForceChangePasswordNextSignIn = true
        }
    }).GetAwaiter().GetResult();
    System.Console.WriteLine("---Update Complete---");
}
catch (Exception e)
{
    System.Console.WriteLine(e);
}

Method to get the token:

using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

public async Task<string> GetToken()
{
    //  Constants
    var tenant = "dev-mytenantmydomaincom";
    var resource = "https://graph.microsoft.com/";
    var clientID = "XXXXXXXX-87ef-494d-b921-cf8956006b0e";
    var secret = "zgkzas2THJLiD5XXXXXX";

    //  Ceremony: client credentials flow, i.e. an app-only token with no signed-in user
    var authority = $"https://login.microsoftonline.com/{tenant}";
    var authContext = new AuthenticationContext(authority);
    var credentials = new ClientCredential(clientID, secret);
    var authResult = await authContext.AcquireTokenAsync(resource, credentials);
    return authResult.AccessToken;
}

Here is the full response via Fiddler:

HTTP/1.1 403 Forbidden
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
client-request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"SliceB","ScaleUnit":"001","Host":"AGSFE_IN_27","ADSiteName":"EST"}}
Duration: 69.2849
Date: Thu, 31 Aug 2017 13:15:34 GMT

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "6edcf194-7705-4cd7-8144-767925cc9ee4",
            "date": "2017-08-31T13:15:34"
        }
    }
}

Recommended answer

Passwords are a particularly sensitive data set and therefore have some unique permissions attached to them. From the documentation:

When updating the passwordProfile property, the following scope is required: Directory.AccessAsUser.All.

Directory.AccessAsUser.All is a Delegated Permission that requires an Admin. In other words, it allows someone who is a Global Administrator to change another user's passwordProfile.

If you're looking to allow the end user to change their password themselves, there is also a baked-in ChangePassword method in the SDK:

await graphClient.Me.ChangePassword("current-pwd", "new-pwd").Request().PostAsync();

Note: this also requires that Admin Consent be granted for Directory.AccessAsUser.All before a user can execute it.

Keep in mind that Directory.AccessAsUser.All is a "Delegated" rather than an "Application" permission scope. This means it is only supported by the Authorization Code and Implicit flows; it will not work for daemon/service scenarios using the Client Credentials flow.

If you consider the potential exploits that could be achieved by a non-interactive application having the ability to change users' passwords at will, the reason for this restriction is pretty clear.
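The mismatch the answer describes can be detected locally before the request is sent: an app-only token from the client credentials flow carries application permissions in the JWT `roles` claim (as in the question), whereas a delegated scope such as Directory.AccessAsUser.All only ever appears in the `scp` claim of a token issued on behalf of a signed-in user. The following C# pre-flight check is an added example, not code from the question or the answer. It decodes the token payload without verifying the signature (a local diagnostic only; Microsoft Graph performs the real validation), and the two sample tokens in `Main` are constructed, unsigned test data rather than real Azure AD tokens.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

// Pre-flight check for the 403 in the question: is this token a delegated token
// that carries the scope Graph requires for writing another user's passwordProfile?
public static class GraphTokenCheck
{
    public const string PasswordProfileScope = "Directory.AccessAsUser.All";

    // Decodes the payload of a compact JWT. No signature verification: local diagnostics only.
    public static JsonDocument DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new ArgumentException("Not a compact JWT (expected header.payload.signature).");
        return JsonDocument.Parse(Base64UrlDecode(parts[1]));
    }

    // JWT segments are base64url without padding; restore the standard alphabet and padding.
    public static byte[] Base64UrlDecode(string input)
    {
        var s = input.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Convert.FromBase64String(s);
    }

    // Delegated permissions: a space-separated string in the "scp" claim.
    public static IReadOnlyList<string> DelegatedScopes(JsonDocument payload)
    {
        if (payload.RootElement.TryGetProperty("scp", out var scp) && scp.ValueKind == JsonValueKind.String)
            return scp.GetString().Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        return Array.Empty<string>();
    }

    // Application permissions: a JSON array in the "roles" claim (what the question's token has).
    public static IReadOnlyList<string> AppRoles(JsonDocument payload)
    {
        if (payload.RootElement.TryGetProperty("roles", out var roles) && roles.ValueKind == JsonValueKind.Array)
            return roles.EnumerateArray().Select(r => r.GetString()).ToList();
        return Array.Empty<string>();
    }

    // True only for a delegated token that carries Directory.AccessAsUser.All.
    public static bool CanUpdatePasswordProfile(string jwt)
    {
        using (var payload = DecodePayload(jwt))
            return DelegatedScopes(payload).Contains(PasswordProfileScope, StringComparer.OrdinalIgnoreCase);
    }

    // Explains why a passwordProfile update with this token will or will not be denied.
    public static string Explain(string jwt)
    {
        using (var payload = DecodePayload(jwt))
        {
            var scopes = DelegatedScopes(payload);
            var roles = AppRoles(payload);
            if (scopes.Contains(PasswordProfileScope, StringComparer.OrdinalIgnoreCase))
                return "Delegated token with " + PasswordProfileScope + ": passwordProfile update is permitted.";
            if (roles.Count > 0 && scopes.Count == 0)
                return "App-only token (roles: " + string.Join(", ", roles) + "). " + PasswordProfileScope +
                       " is delegated-only, so Graph answers 403 Authorization_RequestDenied.";
            return "Delegated token without " + PasswordProfileScope + " (scp: " + string.Join(" ", scopes) +
                   "). Admin consent for that scope is required first.";
        }
    }

    // Builds an unsigned sample token ("alg":"none", empty signature) so the check runs offline.
    // Constructed test data, not a real Azure AD token.
    public static string SampleToken(string payloadJson)
    {
        string B64Url(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return B64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "." + B64Url(payloadJson) + ".";
    }

    public static void Main()
    {
        // Mirrors the roles claim shown in the question (client credentials flow).
        var appOnly = SampleToken("{\"aud\":\"https://graph.microsoft.com/\"," +
            "\"roles\":[\"User.ReadWrite.All\",\"Directory.ReadWrite.All\",\"Group.ReadWrite.All\"]}");
        // What a token from the authorization code flow carries after admin consent was granted.
        var delegated = SampleToken("{\"aud\":\"https://graph.microsoft.com/\"," +
            "\"scp\":\"User.ReadWrite.All Directory.AccessAsUser.All\"}");

        Console.WriteLine(Explain(appOnly));
        Console.WriteLine(Explain(delegated));
        Console.WriteLine(CanUpdatePasswordProfile(appOnly));
        Console.WriteLine(CanUpdatePasswordProfile(delegated));
    }
}
```

Calling `CanUpdatePasswordProfile(token)` before `graphClient.Users[userId].Request().UpdateAsync(...)` turns the silent 403 from the question into an early, explicit decision: an app-only token is routed to an interactive (authorization code) sign-in instead of retrying against Graph, and a delegated token that lacks the scope points straight at the missing admin consent.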
