尝试使用Graph API从Azure Active Directory中获取组时的Authorization_RequestDenied [英] Authorization_RequestDenied when trying to get groups from Azure Active Directory using Graph API
问题描述
我正在尝试使用Graph API获取有关Azure Active Directory组的信息,但是我一直收到"Authorization_RequestDenied"响应.
I'm trying to get information about Azure Active Directory groups using the Graph API, but I keep getting an "Authorization_RequestDenied" response.
此问题类似于尝试使用Azure AD Graph API提取已登录用户的组成员身份时权限不足错误,但是这个问题的答案对我不起作用.
This question is similar to Insufficient privileges error when trying to fetch signed in user's group membership using Azure AD Graph API, but that question's answer didn't work for me.
这就是我所做的:
- 使用我的Microsoft帐户(例如
example@hotmail.com)登录到Azure门户 - 设置一个Azure Active Directory实例进行测试.实例的域类似于
examplehotmail247.onmicrosoft.com - 创建用户(
TestMember@examplehotmail247.onmicrosoft.com) - 创建了一些组,并使用户成为这些组的一部分
- 创建一个ASP.NET应用程序,该应用程序配置为使用OpenID Connect对AAD进行身份验证.
- 在AAD中注册该应用程序,创建客户机密,回复URL等.
- 修改了AAD中应用程序的清单,以便返回组成员身份声明.
- Logged onto the Azure portal using my Microsoft account (e.g.
example@hotmail.com) - Set up an Azure Active Directory instance for testing. The domain of the instance is something like
examplehotmail247.onmicrosoft.com - Created a user (
TestMember@examplehotmail247.onmicrosoft.com) - Created some groups, and made the user part of those groups
- Created an ASP.NET application configured to authenticate to AAD using OpenID Connect.
- Registered the application in AAD, created client secret, reply URL, etc.
- Modified the manifest of the application in AAD so that group membership claims are returned.
身份验证部分工作正常.用户登录后,我可以看到我期望的所有信息(名称,ID等),以及包含用户所属所有组的ID的声明.
The authentication part works fine. After the user logs on, I can see all the information I expect (name, ID, etc.), along with claims containing the IDs of all the groups the user belongs to.
到目前为止,很好.
现在,我想将这些组ID转换为人类可读的组名.为此,我使用了Microsoft.Azure.ActiveDirectory.GraphClient NuGet软件包,该软件包提供了GetObjectsByObjectIdsAsync方法.此方法似乎是
Now, I want to translate those group IDs to human-readable group names. For this, I'm using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package, which provides a GetObjectsByObjectIdsAsync method. This method seems to be a wrapper for the getObjectsByObjectIds REST method.
要尝试使此工作正常进行,我已完成以下操作:
To try and get this working, I've done the following:
- 在Azure门户中,我已授予我的应用程序登录并读取用户配置文件"和读取目录数据"的权限.
- 使用我的Microsoft帐户至少登录一次我的ASP.NET应用程序
所见:当我使用Microsoft帐户登录到ASP.NET应用程序时,一切正常.但是,当我使用创建的AAD帐户(TestMember@examplehotmail247.onmicrosoft.com)登录时,它将失败,并显示以下错误:
What I see: When I log in to my ASP.NET application using my Microsoft account, everything works. However, when I log in using the AAD account I created (TestMember@examplehotmail247.onmicrosoft.com), it fails with the following error:
[DataServiceClientException:{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":权限不足,无法完成操作."}, "requestId":"1234e0bb-3144-4494-a5fb-12a937147bcf","date":"2016-12-06T18:39:13"}}] System.Data.Services.Client.BaseAsyncResult.EndExecute(对象源,String方法,IAsyncResult asyncResult)+919 System.Data.Services.Client.QueryResult.EndExecuteQuery(对象源,String方法,IAsyncResult asyncResult)+116
[DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"1234e0bb-3144-4494-a5fb-12a937147bcf","date":"2016-12-06T18:39:13"}}] System.Data.Services.Client.BaseAsyncResult.EndExecute(Object source, String method, IAsyncResult asyncResult) +919 System.Data.Services.Client.QueryResult.EndExecuteQuery(Object source, String method, IAsyncResult asyncResult) +116
直接使用REST API尝试等效查询(即,将ASP.NET移出图片)会得到相同的结果.
Trying the equivalent query using the REST api directly (i.e. taking ASP.NET out of the picture) gives the same result.
那我在这里想念什么?
更新:我还向应用程序授予了以下委托权限(授予Windows Azure Active Directory):登录并读取用户配置文件,读取目录数据,以登录用户身份访问目录.但是,它没有任何区别.
Update: I also granted the application the following delegated permissions (to Windows Azure Active Directory): Sign in and read user profile, Read directory data, Access the directory as the signed-in user. However, it didn't make any difference.
更新#2:我甚至将TestMember@examplehotmail247.onmicrosoft.com设置为AAD实例的全局管理员,但仍然无济于事.
Update #2: I even made the TestMember@examplehotmail247.onmicrosoft.com a Global Administrator for the AAD instance, and it still didn't help.
更新#3:好的,首先要澄清一下.用户登录后,我的ASP.NET应用程序从OpenID Connect流中获取授权码.一旦获得代码,就可以使用AcquireTokenByAuthorizationCodeAsync将其交换为访问令牌.访问令牌与用户绑定在一起,因此我想依赖委托的权限,而不是应用程序的权限.
Update #3: Ok, so first, some clarification. After a user logs on, my ASP.NET app gets an authorization code from the OpenID Connect flow. Once I get the code, I'm exchanging it for an access token using AcquireTokenByAuthorizationCodeAsync. The access token is tied to the user, and so I want to rely on delegated permissions, not application permissions.
推荐答案
问题是,尽管在Azure门户中向我的ASP.NET应用程序授予了适当的委派权限,但用户从未有机会同意它们.
The problem was that although the proper delegated permissions were granted to my ASP.NET app in the Azure portal, the user never had an opportunity to consent to them.
我首先以天蓝色为我的ASP.NET应用程序创建了一个全新的应用程序注册,这是我的发现:当用户首次登录时,要求他们同意所需的任何委派权限.但是,如果我更改了首次登录后需要的委派权限,则下次用户登录时,系统不会询问用户同意(新要求的权限).
I started over by creating a completely new app registration in azure for my ASP.NET app, and here's what I found: When a user logs on for the first time, they are asked for consent to whatever delegated permissions are required. However, if I change which delegated permissions are required after they've logged on for the first time, the user is not asked for consent (for the newly-required permissions) the next time he logs on.
这绝对不是我所期望的,因此我将对此提出一个新的问题.
This is definitely not what I expected, so I'm going to open a new question about this.
这篇关于尝试使用Graph API从Azure Active Directory中获取组时的Authorization_RequestDenied的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
