Alternative to Groups.ReadBasic.All - access Groups without Admin consent


Problem description

I have an application that uses Azure AD to access Microsoft Graph without Admin Consent.

I would like to introduce the Office 365 Groups capabilities into my app to manage the visibility of my application objects. Basically, I need two things using delegated scopes without Admin Consent:

  • Users must be able to see basic information about the groups in the tenant
  • Check whether the current user belongs to a given group

I see two approaches:

  1. Wait for Groups.ReadBasic.All

Indeed, Groups.Read.All does require Admin Consent, so it is not possible to use it right now in our scenario. My question is then: is such a scope planned for Microsoft Graph?

  2. Limit the Group management feature to Admin only.

I could limit the Group management capabilities to Administrators or wait for Admin Consent, but the rest of the application must still be available for non-Admin Consent workflows. Is there a way to achieve this?

The only way I see this is to have two distinct applications registered in Azure AD: myApp and myApp - Extended Permissions. However, I do not believe this is the right way to go, to have two Azure AD apps for the same logical app.

Recommended answer

#1 is on the cards, but I cannot give you a concrete ETA right now; I'm hoping it'll be available soon. That should give you what you are after.

On #2, this is possible, and it's a feature we call incremental or dynamic consent. It's only available through the new v2 authentication endpoint. As part of the authorize request you can specify the permission scopes you need; in subsequent requests you can ask for additional scopes. However, in your case, the additional scope you want is a scope that you want the admin to consent to on behalf of the organization. This isn't quite possible yet, but is also coming soon. It might be that #1 and #2 land around the same time ;)

We'll update this thread when #1 and #2 are available.
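As an added example (not code from either participant in this thread), here is how an app could apply the answer's incremental-consent flow on the v2.0 authorize endpoint and gate the group feature on the scopes a token actually carries, so the rest of the app keeps working for users who cannot grant the admin-only scope. CLIENT_ID, REDIRECT_URI and the function names are assumptions; the scope is spelled Group.Read.All here, which is the published name for what the thread calls Groups.Read.All.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Microsoft identity platform v2.0 authorize endpoint (the "v2 endpoint" the answer mentions).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# Hypothetical registration values, assumed for this example.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost/auth/callback"

# Scopes the core app needs (a user can consent to these) versus the scope behind
# the group feature, which only an admin can grant for the organisation.
BASE_SCOPES = ["openid", "profile", "offline_access", "User.Read"]
GROUP_SCOPES = ["Group.Read.All"]


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(scopes, state, code_challenge):
    """Authorize request for exactly `scopes`: pass BASE_SCOPES at sign-in and, later,
    only the additional scopes the new feature needs (incremental consent)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,  # binds the callback to this browser session (CSRF protection)
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _short(scope):
    # Token responses may carry fully-qualified names (https://graph.microsoft.com/User.Read).
    return scope.rsplit("/", 1)[-1].lower()


def missing_scopes(token_response, required):
    """Scopes in `required` that the token response's `scope` field does not grant."""
    granted = {_short(s) for s in token_response.get("scope", "").split()}
    return [s for s in required if _short(s) not in granted]


def group_feature_enabled(token_response):
    """Gate the group feature on granted scopes so the rest of the app keeps working."""
    return not missing_scopes(token_response, GROUP_SCOPES)
```

The `scope` field is read from the token response; if the admin-only scope is absent, the app hides the group feature instead of failing the whole sign-in.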
