尝试访问 Azure Graph API 时出现权限不足错误 [英] Insufficient privileges error when trying to access Azure Graph APIs
问题描述
我已经设置了一个要与我的 Web 应用程序一起使用的 Azure AD 应用程序.我使用以下步骤获得了一个 oAuth 令牌:
I have set up an Azure AD application that I want to use with my web application. I have obtained an oAuth token using the following steps:
首先我请求了我的授权码:
First I requested my authorization code:
https://login.windows.net/common/oauth2/authorize?redirect_uri={REDIRECT_URI}&client_id={CLIENT_ID}&response_type=code&state=o365&prompt=admin_consent
这会将用户带到 login.windows.net 页面,在那里他们必须接受我的应用程序将在他们的 AD 上使用的权限.
This takes the user to the login.windows.net page where they must accept permissions that my application is going to use on their AD.
之后,我使用此端点获取 oAuth 令牌 https://login.windows.net/common/oauth2/token 使用 C# 使用此有效负载:
After that I get the oAuth Token using this endpoint https://login.windows.net/common/oauth2/token with this payload using C#:
{"code": {AUTH_CODE}},
{"state", {STATE}},
{"grant_type", "authorization_code"},
{"redirect_uri", "{REDIRECT_URI}"},
{"client_id", "1ff78c4b-414f-44c7-834b-09bdae96f440"},
{"client_secret", "{CLIENT_SECRET}"},
{"resource", "https://graph.windows.net"}
一切恢复正常,我得到了我的 oAuth 令牌.但是,当我尝试使用令牌卷曲图形 API 时,出现此错误
Everything comes back just fine and I get my oAuth Token. However when I try to curl the Graph API using the token I get this error
curl https://graph.windows.net/{tenant}/users?api-version=1.5 -H "Authorization: Bearer [AUTH_TOKEN]"
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
我已经尝试了 {tenant} 的实际域、me"别名和myorganization"别名,但它们都不起作用.me"别名返回一个错误,指出用户"资源不存在.我对这里的问题感到困惑
I have tried the actual domain for the {tenant}, the "me" alias and the "myorganization" alias and they all don't work. The "me" alias returns an error saying the 'users' resource doesn't exist. I am confused on what the problem is here
推荐答案
您的应用程序缺少权限,这会阻止 azure AD 读取自定义 AD 中存在的用户详细信息.您需要执行以下操作:
Privileges are missing for your application which is barring the azure AD to read the details of users present in your custom AD. Here is what you need to do:
转到 windows azure 管理门户上的自定义 AD -> 单击应用程序选项卡 -> 单击 AD 应用程序的名称以转到其详细信息视图.在详细信息视图中,转到配置选项卡.
Go to your custom AD on windows azure management portal -> Click applications tab -> Click on the name of your AD application to go to its details view. On the details view go to configure tab.
现在向下滚动到页面底部以到达其他应用程序的权限"部分.在那里,您将在委派权限多选列表框中看到当前分配给Windows Azure Active Directory"应用程序的所有权限,如下所示:
Now scroll down to the bottom of the page to reach "permissions to other applications" section. There you will see all permissions currently assigned to "Windows Azure Active Directory" application in delegated permissions multi-select list box as shown below:
选中访问您组织的目录"和读取目录数据"旁边的框.单击底部工具栏中的保存以保存更改.一旦您在页面上进行任何更改,保存按钮就会自动出现.保存按钮在上面的屏幕截图中不可见,因为我在截取屏幕截图时已经保存了更改.
Check the box against "Access your organization's directory" and "Read directory data". Click save in bottom tool bar to save the changes. Save button appears automatically as soon as you make any changes on the page. Save button is not visible in the screenshot above as I had already saved the changes when I took the screenshot.
现在再次尝试使用图形 API 访问您的 AD 用户详细信息.它不应再出现权限不足"错误.希望这可以帮助!
Now try again accessing your AD user details using graph API. It should not give the "Insufficient privileges" error any more. Hope this helps!
这篇关于尝试访问 Azure Graph API 时出现权限不足错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
