Graph API - Insufficient privileges to complete the operation

Problem description

When trying to access the Graph Service Client using I am receiving the error:

Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

After researching this error the most common solution was to set the permissions for the API. This had already been done and has permissions to read basic/full profiles.

I've deleted and re-added the APIs.

Below is the code in my AzureAuthenticationProvider class which inherits from IAuthenticationProvider:

using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class AzureAuthenticationProvider : IAuthenticationProvider
{
    private string _azureDomain = "myDevDom.onmicrosoft.com";

    public async Task AuthenticateRequestAsync(HttpRequestMessage request)
    {
        string clientId = "2b823c67-1b0d-4a10-a9e1-737142516f5q";
        string clientSecret = "xxxxxx";

        AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/" + _azureDomain + "/oauth2/token");

        ClientCredential credentials = new ClientCredential(clientId, clientSecret);

        // Client credentials flow: requests an app-only token for Microsoft Graph.
        AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", credentials);

        // No empty catch around this method: a token failure must reach the caller
        // instead of the request being sent without an Authorization header.
        request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
    }
}

I've tried changing the client secret to an invalid Id and it threw an error, so the client key is correct. I've also tried to verify that the access token is valid by altering the access token; this also returns an error.

The above code seems to work fine.

Below is the code where I'm trying to access Azure AD:

public async Task<IGraphServiceUsersCollectionPage> GetUsersByLastName(string lastname)
{
    GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
    // Double any single quotes so the value cannot break out of the OData string literal.
    string filter = String.Format("startswith(surname, '{0}')", lastname.Replace("'", "''"));
    IGraphServiceUsersCollectionPage users = await graphClient.Users.Request().Filter(filter).GetAsync(); //Fails on this line
    return users;
}

Any help is much appreciated, and thanks in advance for any help.

Recommended answer

Please refer to the following steps:

  1. From your screenshot, it seems you granted the Read and write directory data application permission for Windows Azure Active Directory (Azure AD Graph API). Since you are using Microsoft Graph (https://graph.microsoft.com/), you need to grant application permission for Microsoft Graph:

Since you are an admin in your AAD, you could grant permission for users in the organization by clicking the Grant permission button shown in the above screenshot.

Then you could use your code (client credential flow to get the token) and query users' information. If you check the claims in the access token issued by Azure AD, you could find the Directory.Read.All permission in the roles claim.
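
One way to run the roles-claim check the answer describes, as an added example that is not part of the original question or answer: it decodes an access token's payload and reports whether an application permission is present. It assumes .NET Core 3.0 or later for System.Text.Json; the class name TokenRoleCheck and the sample token are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenRoleCheck
{
    // Decodes the payload (second segment) of a JWT. The signature is NOT
    // verified: use this to diagnose a token you just acquired, never to
    // make an authorization decision.
    public static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected header.payload.signature");

        // base64url -> base64, then restore the stripped padding.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone(); // Clone so the element outlives the document.
    }

    // App-only (client credentials) tokens list the granted application
    // permissions in "roles"; the claim is absent when none were consented.
    public static bool HasAppRole(JsonElement payload, string role) =>
        payload.TryGetProperty("roles", out JsonElement roles)
        && roles.ValueKind == JsonValueKind.Array
        && roles.EnumerateArray().Any(r => r.GetString() == role);

    public static void Main()
    {
        // Constructed, unsigned sample token; in practice pass authResult.AccessToken.
        string payloadJson = "{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"Directory.Read.All\"]}";
        string segment = Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string token = "e30." + segment + ".sig";

        JsonElement payload = DecodePayload(token);
        Console.WriteLine("aud: " + payload.GetProperty("aud").GetString());
        Console.WriteLine("Directory.Read.All granted: " + HasAppRole(payload, "Directory.Read.All"));
    }
}
```

If HasAppRole returns false for a freshly acquired token, the application permission was not granted or consented on the API the token was issued for, which matches the Authorization_RequestDenied response in the question.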
