msGraph API from msAccess VBA - Planner plans credentials issue

Problem description

I am very new to MS Graph and Office 365 and have made good progress. I am an O365 Global Admin for my organisation (a school) and have app development experience. There is a lot of scope for using MS-Access databases in our context for "globally" managing the O365 content. eg contacts, distribution lists and planner tasks. We want to manage these from an on-premises ms-access database or two and with an admin person authenticating the ms-graph activity, ideally.

So, to test, I created a new db and have managed to get it to consume the following endpoint using VBA but with no user authentication for now.

https://graph.microsoft.com/v1.0/groups

However, when I try

https://graph.microsoft.com/v1.0/planner/plans/with my plan id here

I get 401 - Unauthorized: Access is denied due to invalid credentials.

So, clearly my Application registration is wrong or my authentication or both! I have spent hours searching for examples and help and because of the evolving nature of the ecosystem I am finding it pretty hard to work out what I should do now (as opposed to a year or two ago).

The authorisation that generates the access_token that works to allow me access to the groups is:

POST 
https://login.microsoftonline.com/{my tenant id here}/oauth2/token

grant_type=client_credentials
client_id={my client id}
client_secret={my url encoded secret}
resource=https://graph.microsoft.com

but using that same access_token for the planner tasks throws the 401 error.

My app permissions look like this: I presume this is because of the difference between the Application and Delegated types but have not fully grasped it all yet. And, I suspect I am using the wrong authentication flow anyway. :-(

So, my questions are: 1. Do my permissions look right? 2. Is my authentication flow correct? Should I be using these instead? ie have I been working from old information?

https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/authorize 
https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/token

As you can tell I have become somewhat confused. If anyone can point me in the right overall direction given what I am attempting that would be so helpful.

Many thanks, Murray

Recommended answer

1. Do my permissions look right?

Yeah, undoubtedly, your Azure portal permissions seem alright. You need dedicated permission for that and also need to grant admin consent, which you have done perfectly, as shown in the screenshot.

2. Is my authentication flow correct?

As you are using the Client Credentials Grant Flow, the request format seems alright. But I doubt this flow is suitable for the API you are trying to call, because this API requires dedicated permission.

3. Should I be using these instead?

Since this API needs dedicated permission, you could use the authorization code grant flow.

Follow the steps below to use the authorization code grant flow.

Get the authorization code:

https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id={ClientId}&response_type=code&redirect_uri={redirectURI}&response_mode=query&scope=https://graph.microsoft.com/.default

Request a token from oauth2/V2.0/token using your code:

Request URL: https://login.microsoftonline.com/common/oauth2/V2.0/token or https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/V2.0/token

Method: POST

Request body format

client_id:Your_Client_Id
scope:https://graph.microsoft.com/.default
redirect_uri:Your_Portal_Redirect_URI
grant_type:authorization_code
client_secret:Your_Client_Secret
code: Paste Code Here

Decode the token:

You could decode your token on https://jwt.io/ and make sure you have the required permission on your Azure portal.

4. Have I been working from old information?

No, the information has no issue as far as I have gone through it.

Note: For a detailed implementation of the authorization code grant flow, you could take a look at the official docs.
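
As an added example (not part of the original answer), the check from the "Decode the token" step can be done locally in Python, so the bearer token stays on your machine. It reads the standard Azure AD `roles` claim (application permissions, as carried by a client-credentials token) and `scp` claim (delegated permissions, as carried by a token issued after a user signs in); the sample tokens and the `Group.Read.All` / `User.Read` values are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature
    (for inspecting your own token, never for trusting one)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def permission_summary(claims: dict) -> dict:
    """Classify the token by the permission claims it carries."""
    delegated = claims.get("scp", "").split()    # space-separated string
    application = list(claims.get("roles", []))  # JSON array
    if delegated:
        kind = "delegated"
    elif application:
        kind = "application"
    else:
        kind = "none"
    return {"aud": claims.get("aud"), "kind": kind,
            "delegated": delegated, "application": application}


def make_sample_token(payload: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(payload) + ".sig"


if __name__ == "__main__":
    # Constructed sample claims; paste a real access_token into read_claims() instead.
    app_only = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["Group.Read.All"]})
    user = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "Group.Read.All User.Read"})
    for name, tok in (("client_credentials", app_only), ("authorization_code", user)):
        print(name, permission_summary(read_claims(tok)))
```
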
