访问 azure graph api 用户列表时权限不足 [英] Insufficent privileges when accessing azure graph api users list

问题描述

我正在尝试使用图形 api 从 azure 活动目录中获取用户.我尝试了很多方法，但都没有奏效，但让我们坚持最简单的方法 - 使用

根据你的错误信息:

<块引用>

权限不足，无法完成操作

并且应用程序权限要求您的应用程序具有管理员权限.您可以尝试将您使用的 AD 应用的角色升级为管理员权限.在 PowerShell 中运行以下命令:

Connect-MsolService$ClientIdWebApp = '{your_AD_application_client_id}'$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp#use Add-MsolRoleMember 将其添加到公司管理员"角色).Add-MsolRoleMember -RoleName "公司管理员" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

I'm trying to fetch users from azure active directory using graph api. I've tried many ways, none of them worked, but let's stick to simplest one - using this instruction and some app to make http requests (I'm using postman) I'm able to obtain autherization token with no problem. After that I want to get users list using https://graph.microsoft.com/v1.0/users, passing token in header. Instead of the users list I get "Insufficient privileges to complete the operation." This error message is very confusing to me because app registration has now all possible permissions and service account that owns this app is in role of Global Administrator, so I believe there aren't any more privileges that this app could get.

Task of the application I'm developing is to merge users data from few companies and display users list on web page hosted on azure account of one of them. What's even weirder for me in all of this, is that for one these domains accesing users data using graph api actually works, so logically configuration isn't set correctly everywhere, but I don't really know what can be difference that makes one them work and others fail on "Insufficent privileges error".

解决方案

As you are integrating AAD in app only applications, as the description at https://graph.microsoft.io/en-us/docs/authorization/app_only:

After you register the application, configure the application permissions that your service or daemon app requires.

So, firstly, you may check out whether you have configured the correct permission on Azure portal:

According to your error message:

Insufficient privileges to complete the operation

And the application permissions require that your application has admin privileges. You can try to upgrade the role of the AD application you use to a administrator permission. Run the following commands in PowerShell:

Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
#use Add-MsolRoleMember to add it to "Company Administrator" role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

这篇关于访问 azure graph api 用户列表时权限不足的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！