How does an admin grant access to an app?


Problem description

I have made a web app that uses Microsoft Graph and the scopes profile, openid, email and User.Read. This works fine.

I now want to include offline_access, User.Read, Mail.Send, Calendars.ReadWrite, Directory.ReadWrite.All, Directory.AccessAsUser.All, User.Read.All, Files.ReadWrite.All, Files.Read, Files.ReadWrite, and Sites.Read.All scopes.

When trying to log in I get the message:

You can't access this application.

Tutorial Sample App needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

I registered the app at https://apps.dev.microsoft.com/ and have these Graph Permissions set:

Using PHP, I use the following

use Microsoft\Graph\Graph;
use Microsoft\Graph\Model;
const CLIENT_ID          = 'xxx';
const CLIENT_SECRET      = 'xxx';
const REDIRECT_URI       = 'xxxx';
const AUTHORITY_URL      = 'https://login.microsoftonline.com/common';
const AUTHORIZE_ENDPOINT = '/oauth2/v2.0/authorize';
const TOKEN_ENDPOINT     = '/oauth2/v2.0/token';
const SCOPES             = 'profile openid email offline_access User.Read Mail.Send Calendars.ReadWrite Directory.ReadWrite.All Directory.AccessAsUser.All User.Read.All Files.ReadWrite.All Files.Read Files.ReadWrite Sites.Read.All';

and create the authorisationUrl:

$authorizationUrl = $provider->getAuthorizationUrl();

So, how can I get admin to grant access?

Recommended answer

In order to obtain Admin Consent, you need to have an Admin for the tenant authenticate against the /adminconsent. The prototype for this URL is (line-break for readability only):

https://login.microsoftonline.com/common/adminconsent?
client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]

I've written a blog post on this that will help walk you through how this works: v2 Endpoint and Admin Consent.
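
The following is an added example, not code from the original answer or from Microsoft's samples: it builds the /adminconsent URL described above and validates the redirect that comes back. The `state` parameter and the `admin_consent`, `tenant` and `error` response fields are taken from Microsoft's identity platform documentation rather than from this page; the redirect URI, tenant ID and function names are hypothetical.

```php
<?php
// Added example. All values are placeholders, as in the question.
const CLIENT_ID    = 'xxx';
const REDIRECT_URI = 'https://app.example.test/consent-callback'; // hypothetical

/** Build the /adminconsent URL plus a one-time state value to keep in the session. */
function buildAdminConsentUrl(string $tenant = 'common'): array
{
    // Unguessable value that ties the consent response to this browser session.
    $state = bin2hex(random_bytes(16));
    $url = 'https://login.microsoftonline.com/' . rawurlencode($tenant) . '/adminconsent?'
         . http_build_query([
               'client_id'    => CLIENT_ID,
               'redirect_uri' => REDIRECT_URI,
               'state'        => $state,
           ], '', '&', PHP_QUERY_RFC3986);
    return [$url, $state];
}

/** Validate the redirect query; returns the consenting tenant ID or throws. */
function handleAdminConsentCallback(array $query, string $expectedState): string
{
    $state = $query['state'] ?? null;
    // Constant-time comparison; reject responses we did not initiate.
    if (!is_string($state) || !hash_equals($expectedState, $state)) {
        throw new RuntimeException('state mismatch: response not tied to our request');
    }
    if (isset($query['error'])) {
        throw new RuntimeException('consent refused: ' . (string) $query['error']);
    }
    $granted = strcasecmp((string) ($query['admin_consent'] ?? ''), 'true') === 0;
    if (!$granted || empty($query['tenant'])) {
        throw new RuntimeException('admin consent was not granted');
    }
    return (string) $query['tenant'];
}

// Constructed walk-through: in a real app $state lives in $_SESSION and $query is $_GET.
[$url, $state] = buildAdminConsentUrl();
echo $url, PHP_EOL;
$tenant = handleAdminConsentCallback(
    ['admin_consent' => 'True', 'tenant' => '00000000-0000-0000-0000-000000000000', 'state' => $state],
    $state
);
echo "Consent recorded for tenant $tenant", PHP_EOL;
```

Recording the returned tenant ID lets the app tell which organisations have already consented before it requests admin-only scopes such as Directory.ReadWrite.All for their users.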
