Permissions required to list Azure AD Groups


Problem description

I'm trying to use NodeJs to access some details of the Azure AD. I can get an access token OK, however whenever I try to call anything using the Graph API (in this case just a list of all groups) it says that I have "Insufficient privileges to complete the operation."

I've gone into the app in AD and added all permissions (just to make sure) and I still get this error. Have I missed something? Here is my code:

var msRestAzure = require('ms-rest-azure');
var graphRbacManagementClient = require('azure-graph');

// Enter your tenant ID here which can be found from your Azure AD URL
// Eg. https://manage.windowsazure.com/example.com#Workspaces/ActiveDirectoryExtension/Directory/<TenantId>/users
var tenantId = '';
var clientId = '';
var clientSecret = '';

console.log('Starting');

// tokenAudience 'graph' requests a token for AAD Graph (https://graph.windows.net)
// instead of Azure Resource Manager
msRestAzure.loginWithServicePrincipalSecret(clientId, clientSecret, tenantId, { tokenAudience: 'graph' }, function (err, credentials, subscriptions) {
    if (err) {
        console.log('Could not get token', err);
        return; // no credentials to continue with
    }

    console.log('Logged In');

    var client = new graphRbacManagementClient(credentials, tenantId);

    console.log("Client created");

    client.groups.list({}, function (err, result) {
        if (err) {
            console.log('Could not list groups', err);
            return;
        }
        console.log('Groups:', result);
    });
});

The error returned is:

{
    "statusCode": 403,
    "request": {
        "rawResponse": false,
        "queryString": {

        },
        "method": "GET",
        "headers": {
            "x-ms-client-request-id": "2b0e7464-bf4f-41d3-8440-38797bf0d72b",
            "accept-language": "en-US",
            "Content-Type": "application/json; charset=utf-8"
        },
        "url": "https://graph.windows.net/5a677fc4-23da-4e7a-a0fa-75f2c53e9c90/groups?api-version=1.6",
        "body": null
    },
    "response": {
        "body": "{\"odata.error\":{\"code\":\"Authorization_RequestDenied\",\"message\":{\"lang\":\"en\",\"value\":\"Insufficient privileges to complete the operation.\"}}}",
        "headers": {
            "cache-control": "no-cache",
            "pragma": "no-cache",
            "content-type": "application/json;odata=minimalmetadata;streaming=true;charset=utf-8",
            "expires": "-1",
            "server": "Microsoft-IIS/8.5",
            "ocp-aad-diagnostics-server-name": "F3xU7bkLCvTOf62bCyNdsiLFnuyfFODP68vB9RmoAS0=",
            "request-id": "f8404560-e300-4cd1-8a4b-a6487b06f7a2",
            "client-request-id": "97cd97fa-448f-44bb-87dc-7d48505e80db",
            "x-ms-dirapi-data-contract-version": "1.6",
            "ocp-aad-session-key": "REMOVED",
            "x-content-type-options": "nosniff",
            "dataserviceversion": "3.0;",
            "strict-transport-security": "max-age=31536000; includeSubDomains",
            "access-control-allow-origin": "*",
            "x-aspnet-version": "4.0.30319",
            "x-powered-by": "ASP.NET, ASP.NET",
            "duration": "1097838",
            "date": "Wed, 05 Oct 2016 14:10:41 GMT",
            "connection": "close",
            "content-length": "139"
        },
        "statusCode": 403
    },
    "body": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation."
    }
}

For testing I've added all permissions to both Graph and Azure AD to this client:

Recommended answer

Just because you've selected the permissions in the Azure Portal doesn't mean your app has been granted them. I'd recommend decoding the token you're sending to AAD Graph using a JWT decoder like calebb.net. The token's scp or roles claim should contain the necessary permission, in this case, Groups.Read.All.

If the token is missing Groups.Read.All, you'll need to get a tenant administrator to "consent" to the application using the prompt=admin_consent parameter described here. This will grant your application the permissions you've requested.

If the token contains the Groups.Read.All permission, you should let us know because that would be a bug in the Graph API.
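As an added example that is not part of the original answer or of any Microsoft library: a small Node script that performs the check the answer recommends, decoding the access token's payload locally and looking for the permission in the scp claim (delegated permissions, space-separated string) or the roles claim (application permissions, array; this is the claim a token obtained with a service principal secret would carry). The two tokens below are constructed for the example with an unsigned placeholder signature and a placeholder tenant id; the script never verifies a signature, so it is a diagnostic, not an authorization check.

```javascript
// Added example: decode a JWT payload and check for a required permission.
// No signature verification is performed; this only shows what the token
// claims, the same thing a web JWT decoder such as calebb.net would show.

function base64UrlDecode(segment) {
  // Restore the standard base64 alphabet and padding, then decode as UTF-8.
  let s = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4 !== 0) s += '=';
  return Buffer.from(s, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('Not a JWT: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Permissions the token actually carries: delegated permissions arrive as a
// space-separated string in "scp", application permissions as an array in
// "roles". A token issued to an app that was never consented has neither.
function grantedPermissions(payload) {
  const scp = typeof payload.scp === 'string' ? payload.scp.split(' ').filter(Boolean) : [];
  const roles = Array.isArray(payload.roles) ? payload.roles : [];
  return scp.concat(roles);
}

function hasPermission(token, required) {
  return grantedPermissions(decodeJwtPayload(token)).includes(required);
}

// --- Constructed sample tokens (not real AAD tokens, not signed) ---
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  // The signature segment is a placeholder: we only decode, never verify.
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.placeholder`;
}

// Token after a tenant admin has consented: Groups.Read.All appears in "roles".
const consentedToken = makeUnsignedToken({
  aud: 'https://graph.windows.net',
  tid: '00000000-0000-0000-0000-000000000000', // placeholder tenant id
  roles: ['Groups.Read.All', 'User.Read.All'],
});

// Token for an app whose permissions were selected in the portal but never
// consented: no "roles" claim at all, which is what produces the 403 above.
const unconsentedToken = makeUnsignedToken({
  aud: 'https://graph.windows.net',
  tid: '00000000-0000-0000-0000-000000000000', // placeholder tenant id
});

for (const [name, token] of [['consented', consentedToken], ['unconsented', unconsentedToken]]) {
  const payload = decodeJwtPayload(token);
  console.log(name, 'grants:', grantedPermissions(payload));
  console.log(name, 'has Groups.Read.All:', hasPermission(token, 'Groups.Read.All'));
}
```

Run it with node and compare the output for your own token by replacing the constructed ones: if Groups.Read.All is absent from both claims, the fix is admin consent on the tenant, not a change in the calling code.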
