Microsoft Graph: "Need admin approval" for non admin consent required scope "User.ReadBasic.All" during login
Problem description
I have the following setup:
AAD Directory A with an app registration. The app registration is marked as a Multi-Tenant app and has no permissions requested by default:
During login my webapp redirects to the Microsoft login like this (nonce and redirect URI are removed):
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=05f0df69-2f61-4b41-91ff-31656787f9d3
&redirect_uri=https%3A%2F%2F....azurewebsites.net%2Fids%2Foidc-signin-office365auth
&response_type=code%20id_token&scope=openid%20profile%20email%20User.Read%20offline_access%20User.ReadBasic.All
&response_mode=form_post
&nonce=...
The scopes are:
- openid
- profile
- email
- User.Read
- offline_access
- User.ReadBasic.All
My test user is in AAD Directory B (and without any special setting that only admins can consent to an application). When I try to log in to my application this is the result:
作用域"User.ReadBasic.All" 不需要管理员同意,但是以某种方式,当我删除此请求的范围时,用户无需管理员同意即可直接登录该应用程序.
The scope "User.ReadBasic.All" doesn't require a Admin consent, but somehow when I remove this requested scope the user can just login to the application without any admin consent.
Question is: why does the admin consent show up with the "User.ReadBasic.All" scope?
目标将是正常"操作.用户可以在无需征得管理员广泛同意的情况下登录我们的应用程序. 是否需要征得管理员同意"?对于多租户"而言有所不同应用程序?
The target would be, that a "normal" user can login to our application without hasseling with a tenant wide approval from the administrators. Does the "require admin consent" differ for "Multitenant" applications?
Recommended answer
You can confirm if this is the case by looking in the audit log (in "AAD Directory B"): Azure portal > Azure AD > Audit logs (under the "Monitoring" category).
When user consent is disallowed due to risk-based protection, a failed "Consent to application" event is emitted under the "ApplicationManagement" category, indicating it failed due to risk-based detections.
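The same check the answer describes for the portal can be done against the audit log as data. The following is an added example (not code from the question or the answer): it builds the OData filter for the Microsoft Graph `auditLogs/directoryAudits` endpoint that keeps only failed "Consent to application" events, then summarises such events, including the scopes the user tried to consent to, from a constructed sample response. The `ConsentAction.Permissions` property name, its value format and the `resultReason` text are assumptions, and the sample records are constructed, not from a real tenant.

```python
import json
import re

# OData filter for GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits that keeps
# only failed "Consent to application" events (category/activityDisplayName/result fields).
FAILED_CONSENT_FILTER = (
    "category eq 'ApplicationManagement' and "
    "activityDisplayName eq 'Consent to application' and result eq 'failure'"
)

# Constructed sample of a directoryAudits response, not data from a real tenant. The
# "ConsentAction.Permissions" property name and the format of its value are assumptions.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "evt-1", "category": "ApplicationManagement", "result": "failure",
     "activityDisplayName": "Consent to application",
     "resultReason": "constructed: consent blocked by risk-based detection",
     "initiatedBy": {"user": {"userPrincipalName": "testuser@directory-b.example"}},
     "targetResources": [{"displayName": "My Web App", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[openid profile email User.Read offline_access User.ReadBasic.All]"}]}]},
    {"id": "evt-2", "category": "ApplicationManagement", "result": "success",
     "activityDisplayName": "Consent to application", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "testuser@directory-b.example"}},
     "targetResources": [{"displayName": "My Web App", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[openid profile email User.Read offline_access]"}]}]},
]})


def consented_scopes(event: dict) -> list:
    """Scope names from the ConsentAction.Permissions property of a consent event."""
    for res in event.get("targetResources") or []:
        for prop in res.get("modifiedProperties") or []:
            if prop.get("displayName") == "ConsentAction.Permissions":
                return re.findall(r"[A-Za-z_][\w.]*", prop.get("newValue") or "")
    return []


def failed_consents(response_json: str) -> list:
    """One summary dict per failed 'Consent to application' event in a directoryAudits page."""
    hits = []
    for ev in json.loads(response_json).get("value", []):
        key = (ev.get("category"), ev.get("activityDisplayName"), ev.get("result"))
        if key != ("ApplicationManagement", "Consent to application", "failure"):
            continue
        user = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        app = ((ev.get("targetResources") or [{}])[0]).get("displayName")
        hits.append({"id": ev.get("id"), "user": user, "app": app,
                     "reason": ev.get("resultReason"), "scopes": consented_scopes(ev)})
    return hits
```

Comparing the `scopes` list of a failed event with the `scope` parameter of the authorize request above shows which requested permission the blocked consent covered.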