通过Microsoft Graph API在Azure AD中邀请用户无效 [英] Inviting a User in Azure AD through Microsoft Graph API doesn't work

问题描述

下面是我在Azure AD中邀请用户使用的代码.

Below is the code that I have put to invite a user in Azure AD.

我收到未经授权"的回复.我不确定缺少哪些权限/设置.有人知道吗?

I get an "unauthorized" response. I am not sure what permission/setting are missing. Do anyone have the idea.

string accessToken = await AuthenticationHelper.GetTokenForApplication ();
InvitationModel invite = new InvitationModel ();
invite.invitedUserEmailAddress = user.Email;
invite.inviteRedirectUrl = ConfigurationManager.AppSettings["InviteRedirectUrl"];
invite.sendInvitationMessage = true;
using (HttpClient client = new HttpClient ()) {
    client.BaseAddress = new Uri ("https://graph.microsoft.com");

    client.DefaultRequestHeaders.Accept.Add (
        new MediaTypeWithQualityHeaderValue ("application/json"));

    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue ("Bearer", accessToken);

    HttpResponseMessage response =
        client.PostAsJsonAsync<InvitationModel> ("v1.6/invitations", invite).Result;

    dynamic inviteResult =
        response.Content.ReadAsAsync<dynamic> ().Result;

    if (inviteResult.status != "Error") { }
}

推荐答案

您的问题是，您在此处合并了Microsoft Graph和Azure AD Graph.这是两个不同的API，具有不同的调用转换和权限范围.

You're problem is that you conflating Microsoft Graph and Azure AD Graph here. These are two distinct APIs with different calling conversions and permission scopes.

为了创建一个邀请，您将需要以下权限范围之一(请注意，第一个是(全球范围内)限制性最强的许可，最后一个是最宽松的许可性):

In order to create an Invitation you will need one of the following permission scopes (Note that the first is the most restrictive permission (globally), the last the most permissive):

• User.Invite.All
• User.ReadWrite.All
• Directory.ReadWrite.All

• User.Invite.All
• User.ReadWrite.All
• Directory.ReadWrite.All

请注意，所有这些范围均受管理员限制，并且需要

Note that all of these scopes are admin-restricted and will require Admin Consent before you can use them

拥有有效令牌后，您需要使用以下主体对https://graph.microsoft.com/v1.0/invitations进行POST调用:

Once you have a valid token, you'll need to make a POSTcall to https://graph.microsoft.com/v1.0/invitations with the following body:

{
  "invitedUserEmailAddress": "yyy@test.com",
  "inviteRedirectUrl": "https://myapp.com"
}

由于您使用的是C#，因此我强烈建议您使用 Microsoft Graph Client Library 而不是手动滚动自己的HttpClient通话.

Since you're using C#, I would strongly recommend using Microsoft Graph Client Library rather than hand-rolling your own HttpClient calls.

这篇关于通过Microsoft Graph API在Azure AD中邀请用户无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！