Insufficient privileges when accessing Azure Graph API users list

Question

I'm trying to fetch users from Azure Active Directory using the Graph API. I've tried many ways, none of them worked, but let's stick to the simplest one - using this instruction and some app to make HTTP requests (I'm using Postman) I'm able to obtain an authorization token with no problem. After that I want to get the users list using https://graph.microsoft.com/v1.0/users, passing the token in the header. Instead of the users list I get "Insufficient privileges to complete the operation." This error message is very confusing to me because the app registration now has all possible permissions and the service account that owns this app is in the role of Global Administrator, so I believe there aren't any more privileges that this app could get.

The task of the application I'm developing is to merge users' data from a few companies and display the users list on a web page hosted on the Azure account of one of them. What's even weirder for me in all of this is that for one of these domains accessing users' data using the Graph API actually works, so logically the configuration isn't set correctly everywhere, but I don't really know what the difference can be that makes one of them work and the others fail with the "Insufficient privileges" error.

Recommended answer

As you are integrating AAD in app only applications, as the description at https://graph.microsoft.io/en-us/docs/authorization/app_only:

After you register the application, configure the application permissions that your service or daemon app requires.

So, firstly, you may check out whether you have configured the correct permission on Azure portal:

According to your error message:

Insufficient privileges to complete the operation

And the application permissions require that your application has admin privileges. You can try to upgrade the role of the AD application you use to an administrator permission. Run the following commands in PowerShell:

Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp
# Use Add-MsolRoleMember to add it to the "Company Administrator" role.
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
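
An added example (not part of the original question or answer): decoding the access token obtained in Postman shows which application permissions the issuing tenant actually granted, since an app-only token lists them in its `roles` claim. The function names and the sample tenants `tenant-a` and `tenant-b` are constructed for illustration; the tokens are unsigned samples built inline.

```python
import base64
import json

# Application permissions that Microsoft Graph accepts for GET /v1.0/users.
# In an app-only token they appear in the "roles" claim.
USERS_LIST_ROLES = {"User.Read.All", "User.ReadWrite.All",
                    "Directory.Read.All", "Directory.ReadWrite.All"}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, CONSTRUCTED token so the example runs offline."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str) -> dict:
    """Summarise the claims that decide whether GET /v1.0/users is allowed."""
    claims = jwt_claims(token)
    roles = claims.get("roles", [])
    return {
        "tenant": claims.get("tid"),
        "audience": claims.get("aud"),
        "app_only": "scp" not in claims,  # delegated tokens carry "scp" instead
        "roles": sorted(roles),
        "can_list_users": bool(USERS_LIST_ROLES & set(roles)),
    }


if __name__ == "__main__":
    # Constructed claims: one tenant with the permission granted, one without.
    for claims in (
        {"tid": "tenant-a", "aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]},
        {"tid": "tenant-b", "aud": "https://graph.microsoft.com"},
    ):
        print(diagnose(make_sample_token(claims)))
```

An empty `roles` list means no Graph application permission has been consented for the app in the tenant that issued the token; comparing the output for each company's tenant shows where the configuration differs.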
