Adding invited (guest) user to teams seems to not work properly

Problem description

Hi (reference question)

After setting up the tenant to allow invitation of users from another domain, we are able to invite external users (in set domain) to teams. This works fine when doing it manually, in the GUI. However, when trying to add an invited user through the Windows Graph API, something is not working properly.

Our procedure to invite a user to a team is as follows (note we are using application privileges):

  1. Invite the user to the tenant (with or without welcome mail) https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0

  2. Add the invited user to the team https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0

Both these calls complete successfully and do not return any error messages. In all the admin GUIs (AAD, Teams, Exchange) the user is invited and is added to the group. But the user in question does not receive a welcome mail that he/she has been added to the team. And if the user (given we send a welcome mail in step 1) tries to access http://teams.microsoft.com the user gets notified that he/she does not have permissions and/or does not see the team.

Any tips?

API permissions

After some investigation, by monitoring the network traffic, it seems that the missing call to get properly invited to the team is: POST https://api.teams.skype.com/emea/beta/teams/($teamurl)/bulkUpdateRoledMembers?allowBotsInChannel=true

where you send in a list of userid (8:orgid:{userid}) and the groupid. (teamurl seems to be the channel id)

{"users":[{"mri":"8:orgid:00000000-5946-0000-87d2-b16b6fdf7a72","role":2}],"groupId":"00000000-2e8b-4d18-0000-394c6a4846d0"}

I have tried to call this from application & delegation, but get 'Unauthorized'. Also I could not find any API permission that granted access to 'api.teams.skype.com'.
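The two Microsoft Graph calls from the procedure in the question, written out as an added C# example (not code from the original post). The class and method names are hypothetical, and the `HttpClient` passed in is assumed to already carry the application's `Authorization: Bearer` header.

```csharp
using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Hypothetical helper class; the caller is assumed to have set the bearer token on `http`.
public static class GuestOnboarding
{
    private const string Graph = "https://graph.microsoft.com/v1.0";

    // Step 1: POST /invitations. Returns the object id of the guest user created in the tenant.
    public static async Task<string> InviteGuestAsync(HttpClient http, string email, string redirectUrl, bool sendMail)
    {
        var body = JsonConvert.SerializeObject(new
        {
            invitedUserEmailAddress = email,
            inviteRedirectUrl = redirectUrl,
            sendInvitationMessage = sendMail   // "with or without welcome mail"
        });
        var json = await SendAsync(http, $"{Graph}/invitations", body);
        return (string)JObject.Parse(json)["invitedUser"]["id"];
    }

    // Step 2: POST /groups/{id}/members/$ref with a reference to the guest's directory object.
    public static Task AddToGroupAsync(HttpClient http, Guid groupId, string userObjectId)
    {
        // Reject anything that is not a GUID before it is placed in the reference URL.
        if (!Guid.TryParse(userObjectId, out var userId))
            throw new ArgumentException("User object id must be a GUID.", nameof(userObjectId));
        var body = new JObject { ["@odata.id"] = $"{Graph}/directoryObjects/{userId}" }.ToString();
        return SendAsync(http, $"{Graph}/groups/{groupId}/members/$ref", body);
    }

    // Posts a JSON body and surfaces the status code and response text on failure.
    private static async Task<string> SendAsync(HttpClient http, string url, string jsonBody)
    {
        using (var content = new StringContent(jsonBody, Encoding.UTF8, "application/json"))
        using (var response = await http.PostAsync(url, content))
        {
            var text = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
                throw new HttpRequestException($"{(int)response.StatusCode} from {url}: {text}");
            return text;
        }
    }
}
```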

Recommended answer

I finally figured out how to get an access token to invoke bulkUpdateRoledMembers. It only works if I request an access token for it directly, so no Application Permissions and no On-Behalf-Of Flow.

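// Needs the MSAL.NET package (namespace Microsoft.Identity.Client), System.Diagnostics and System.Threading.Tasks.
private static async Task<string> GetAccessTokenForTeams(string tenantId)
{
    // Public client for the given tenant; no token cache is attached (userTokenCache: null).
    var client = new PublicClientApplication(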
        clientId: "d3590ed6-52b3-4102-aeff-aad2292ab01c",
        authority: $"https://login.microsoftonline.com/{tenantId}/",
        userTokenCache: null);

    try
    {
        var result = await client.AcquireTokenInteractive(new[] { "https://api.spaces.skype.com/user_impersonation" }, null).ExecuteAsync();
        return result.AccessToken;
    }
    catch (Exception e)
    {
        Debug.WriteLine(e);
        throw;
    }
}

It turns out you also need a Skypetoken, which you can get very easily with the just acquired access token.

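// Needs System.Net, System.Net.Http, System.Threading.Tasks and Newtonsoft.Json.
// Exchanges the access token for a Skypetoken at the auth/skypetoken endpoint.
private static async Task<string> GetSkypeToken(string accessToken)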
{
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add(HttpRequestHeader.Authorization.ToString(), "Bearer " + accessToken);

        using (var response = await client.PostAsync("https://api.teams.skype.com/beta/auth/skypetoken", null))
        {
            var contentString = await response.Content.ReadAsStringAsync();
            if (response.IsSuccessStatusCode)
            {
                var skypeTokenResponse = JsonConvert.DeserializeObject<SkypeTokenResponse>(contentString);
                return skypeTokenResponse.Tokens.SkypeToken;
            }
            else
            {
                throw new Exception(response.StatusCode.ToString() + ": " + contentString);
            }
        }
    }
}
private class SkypeTokenResponse
{
    public Token Tokens { get; set; }

    public class Token
    {
        public string SkypeToken { get; set; }
        public string ExpiresIn { get; set; }
    }
}

Then you can finally invoke bulkUpdateRoledMembers by passing both tokens along.

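// Needs System.Collections.Generic, System.Net, System.Net.Http, System.Text, System.Threading.Tasks, Newtonsoft.Json and Newtonsoft.Json.Linq.
// Sends the member list (MRI "8:orgid:{userId}", role 2) for the group, with both tokens attached.
private static async Task<object> bulkUpdateRoledMembers(string accessToken, string skypeToken, string teamUrl, string groupId, string userId)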
{
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add(HttpRequestHeader.Authorization.ToString(), "Bearer " + accessToken);
        client.DefaultRequestHeaders.Add("X-Skypetoken", skypeToken);

        var bodyString = JsonConvert.SerializeObject(new
        {
            users = new List<object>
            {
                new
                {
                    mri = "8:orgid:" + userId,
                    role = 2
                }
            },
            groupId = groupId
        });
        var body = new StringContent(bodyString, Encoding.UTF8, "application/json");

        using (var response = await client.PutAsync($"https://teams.microsoft.com/api/mt/emea/beta/teams/{teamUrl}/bulkUpdateRoledMembers?allowBotsInChannel=true", body))
        {
            var contentString = await response.Content.ReadAsStringAsync();
            if (response.IsSuccessStatusCode)
            {
                var jsonresult = JObject.Parse(contentString);
                return jsonresult;
            }
            else
            {
                throw new Exception(response.StatusCode.ToString() + ": " + contentString);
            }
        }
    }
}
