结合使用Azure AD App权限时将永远运行到'serviceUnavailable'SharePoint图查询中 [英] Running into 'serviceUnavailable' SharePoint graph query forever when combining Azure AD App permissions

问题描述

这种情况使我创建了一个真正的变通方法，但是有时候，您没有选择的权利吗?

当您在Azure AD应用程序中设置了多个(特定?)Azure AD应用程序权限时，问题基本上会出现在 503:'serviceUnavailable'消息中，这种情况不会发生.

上下文和技术查询

上下文专门用于应用程序权限(仅应用程序身份验证)和否委派权限.令牌通过以下方式检索:

HTTP POST https://login.microsoftonline.com/e6fcb01a-f706-4b1b-872b-1e7645d78491/oauth2/v2.0/token
headers: 
Content-Type=application/x-www-form-urlencoded
-------------
client_id=<App GUID>
client_secret=<App SECRET>
scope=https://graph.microsoft.com/.default
grant_type=client_credentials

/站点/根查询通过以下方式检索:

HTTP GET https://graph.microsoft.com/v1.0/sites/root
headers: Authorization=Bearer <AccessToken>
-------------

重现这种情况:

• 创建Azure AD应用程序
• 添加应用程序权限> Sites.ReadWrite.All
• 获得
的许可管理员同意
• 创建秘密
• 生成访问令牌(使用)
• 使用令牌运行查询(有效)

强迫它破坏(一次全部添加或1比1添加)

• 添加应用程序权限> Group.Create
• 获得
的许可管理员同意
• 生成访问令牌
• 使用令牌运行查询(失败?)

行得通吗?

• 添加应用程序权限> Group.ReadWrite.All
• 获得
的许可管理员同意
• 生成访问令牌
• 使用令牌运行查询(失败?)
• 重复另一个权限.直到它破裂.

它坏了吗?

• 永远失败

解决方法:

在多个AD应用程序中拆分应用程序权限.

解决方案

我对此进行了测试，问题出在但是有一种解决方法，如果您拥有Group.Create权限>.

因此，总而言之，单个AD应用程序可以具有Group.ReadWrite.All和Sites.ReadWrite.All权限，并且可以运行，但是如果单个AD应用程序具有所有三个权限，分别为Group.Create，Group.ReadWrite.All和Sites.ReadWrite.All <，则失败./p>

This situation made me create a real monstrous work-around, but sometimes, you don't have an option right?

The problem is basically bumping into 503: 'serviceUnavailable' messages when several (specific?) Azure AD Application permissions are set in your Azure AD Application, which should not happen.

Context and technical queries

The context is specifically for Application permissions (app-only auth) and NOT delegated permissions. Token is retrieved by:

HTTP POST https://login.microsoftonline.com/e6fcb01a-f706-4b1b-872b-1e7645d78491/oauth2/v2.0/token
headers: 
Content-Type=application/x-www-form-urlencoded
-------------
client_id=<App GUID>
client_secret=<App SECRET>
scope=https://graph.microsoft.com/.default
grant_type=client_credentials

/sites/root query retrieved by:

HTTP GET https://graph.microsoft.com/v1.0/sites/root
headers: Authorization=Bearer <AccessToken>
-------------

Reproduce this situation:

• Create an Azure AD Application
• Add Application Permission > Sites.ReadWrite.All
• Grant Admin Consent for
• Create Secret
• Generate Access Token (using)
• Run Query with token (works)

Forcing it to break (either add all at once or 1-by-1)

• Add Application Permission > Group.Create
• Grant Admin Consent for
• Generate Access Token
• Run Query with token (fails?)

Does it work?

• Add Application Permission > Group.ReadWrite.All
• Grant Admin Consent for
• Generate Access Token
• Run Query with token (fails?)
• Repeat for another permission. until it breaks.

Does it break?

• Fails forever

Workaround:

Split up App Permission across multiple AD applications.

解决方案

I tested this and the issue is there but a workaround is you don't need Group.Create permission if you have Group.ReadWrite.All.

So in summary a single AD app can have Group.ReadWrite.All and Sites.ReadWrite.All permission and it will work but a single AD app will fail if it has all three permissions of Group.Create, Group.ReadWrite.All and Sites.ReadWrite.All

这篇关于结合使用Azure AD App权限时将永远运行到'serviceUnavailable'SharePoint图查询中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！