Microsoft Graph API: 403 Forbidden error when trying to retrieve policies on tenant


Problem description


I'm trying to retrieve the policies created for my tenant on the Azure AD portal using the Microsoft Graph API. As I understand from the graph API documentation, all the policy CRUD operations require a scope of Directory.AccessAsUser.All.

This scope translates to the permission Access directory as the signed-in user as mentioned here - https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes

I have been trying to configure my application on both the new Azure portal and the old one, with different failure points.

On the new portal:

I have created a Web Application in my tenant following instructions on https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal.

When configuring access control, the only subscription for my tenant is Access to Azure Active Directory and I'm not able to configure access control on this in the new portal. From the browser, when I select Access Control (IAM), I see the error - "Call to ARM failed with httpCode=BadRequest, errorCode=DisallowedOperation, message=The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription., reason=Bad Request." The "Add" roles button is disabled as well.

Can I not configure Access control on the subscription Access to Azure Active Directory? If so, is there no other way to retrieve the policies for my tenant using the API?

On the old portal:

For my app, I configured permissions for:

Microsoft Graph
Windows Azure Active Directory

I verified on the portal that both the APIs are configured with the permission Access directory as the signed-in user. Even in this case, I keep getting a 403 Forbidden when I try to access the https://graph.microsoft.com/beta/policies endpoint to list the policies on my tenant.

Here is the payload of the access token I obtained (from https://login.microsoftonline.com/{my tenant name}/oauth2/token):

{
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "iat": 1491256764,
    "nbf": 1491256764,
    "exp": 1491260664,
    "aio": "Y2ZgYAi68q2XUTk0ykH7/TZzrhYbAA==",
    "app_displayname": "test-app",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "idp": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "oid": "7ccea836-d389-4328-a155-67092e2805e9",
    "roles": [
        "Device.ReadWrite.All",
        "User.ReadWrite.All",
        "Directory.ReadWrite.All",
        "Group.ReadWrite.All",
        "IdentityRiskEvent.Read.All"
    ],
    "sub": "7ccea836-d389-4328-a155-67092e2805e9",
    "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
    "uti": "4fmUDNWWHkSoTn2-7gtTAA",
    "ver": "1.0"
}

Obviously the Directory.AccessAsUser.All role is missing on this token which is causing the 403 error. So either I'm missing something here or there is a bug in the API that is preventing all the permissions from being correctly configured. Greatly appreciate any help/pointers on this!

Please note:

  1. I'm only using the beta APIs because I didn't find the corresponding endpoint for policies on the v1.0 APIs and the Azure Graph API documentation recommends using the Microsoft Graph API.
  2. With the same configuration, using the Azure Graph API endpoints also returns a 403 Forbidden error for the policies endpoint (https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/policy-operations#list-policies).

Solution

Based on the claims in the access token, you acquired the access token using the client credentials flow, in which the token is issued for the app itself. There are no delegated permissions for a user in this kind of token.

To get an access token with delegated permissions for users, you need to use other flows, such as the authorization code grant flow. You can refer to this link for the details.
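The answer's diagnosis can be automated: a client-credentials token carries a `roles` claim (application permissions) and no `scp` claim, while a delegated token carries `scp`, so a delegated-only permission such as Directory.AccessAsUser.All can never appear in an app-only token. The following added example (not from the question or answer) decodes a token payload locally and explains the 403; the app-only claims are copied from the question's token, the delegated payload is constructed, and the signature is not verified because this is a diagnostic, not an authorization check.

```python
import base64
import json

# App-only payload: claims copied from the token shown in the question.
APP_ONLY_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "oid": "7ccea836-d389-4328-a155-67092e2805e9",
    "sub": "7ccea836-d389-4328-a155-67092e2805e9",
    "roles": ["Device.ReadWrite.All", "User.ReadWrite.All",
              "Directory.ReadWrite.All", "Group.ReadWrite.All",
              "IdentityRiskEvent.Read.All"],
}
# Constructed (hypothetical) payload of a token from the authorization code flow.
DELEGATED_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "oid": "00000000-0000-0000-0000-000000000001",
    "sub": "constructed-pairwise-subject",
    "scp": "Directory.AccessAsUser.All User.Read",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build header.payload. with an empty signature, for local inspection only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."

def decode_payload(token: str) -> dict:
    """Decode the payload segment without verifying the signature (diagnostics only)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))

def diagnose(token: str, required: str) -> dict:
    """Classify the token as app-only or delegated and check for the required permission."""
    claims = decode_payload(token)
    scopes = set(claims.get("scp", "").split())   # delegated permissions
    roles = set(claims.get("roles", []))          # application permissions
    kind = "delegated" if scopes else "app-only"
    granted = required in scopes | roles
    if granted:
        hint = None
    elif kind == "app-only":
        hint = "permission is delegated-only: acquire the token with a user flow (authorization code)"
    else:
        hint = "scope not consented for this app: add it to the app's delegated permissions"
    return {"kind": kind, "granted": granted, "hint": hint}
```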
