无法通过 Graph API 获取我所属的 Office 365 组 [英] Unable to get Office 365 groups I'm a member of via Graph API

问题描述

尝试获取用户所属的所有 Office 365 组.
我在 Azure 上注册了一个本机客户端应用程序"，并且只选择了一项权限:Microsoft Graph"范围下的读取所有组".

Trying to get all the Office 365 groups a user is a member of.
I've registered a 'Native client application' on Azure and selected only one permission: 'Read all groups' under the 'Microsoft Graph' scope.

问题:来自其他租户的用户收到由于缺少权限，调用主体无法同意".错误，并且没有进入同意步骤.

The problem: users from other tenants got the 'Calling principal cannot consent due to lack of permissions.' error, and did not get to the consent step.

如果用户拥有管理员权限，或者如果我在第二个租户上注册了另一个应用程序，我能够通过同意步骤并获得组列表.

If the user has admin rights or if I register another app on a second tenant, I was able to pass the consent step and also got the groups list.

顺便说一句，注册Web 应用程序"并在多租户"选项中选择是"也无济于事.

BTW, registering a 'Web application' and selecting 'Yes' in the Multi-tenant option didn't help either.

有人知道Group.Read.All"是否需要管理员同意吗?根据 this 它没有.
我还尝试运行此查询 https://graph.microsoft.com/v1.0/me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified') 如 here 在 'GET 我是的成员，但没有运气.

Does anybody know if 'Group.Read.All' requires admin consent? According to this it doesn't.
I also tried to run this query https://graph.microsoft.com/v1.0/me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified') as mentioned here under 'GET unified groups I’m member of', but with no luck.

另一个问题，有没有办法将 Native 应用程序配置为多租户应用程序?

Another question, is there a way to configure the Native app as a multi-tenant app?

推荐答案

你有几个问题在这里，所以我会尽力帮助.让我知道我是否遗漏了什么或者您需要更多说明.

You have a few questions in here, so I'll try to help. Let me know if I've missed something or you need more clarification.

Azure AD 中的本机应用程序本质上是多租户的，因此无需像使用 Web 应用程序那样设置多租户切换.

Native applications in Azure AD are multi-tenant by nature, so there's no need to set the multi-tenant toggle like you do with Web apps.

Group.ReadAll 确实需要管理员同意.当我尝试确定我的应用程序所需的权限时，我发现以下页面非常有用:http://graph.microsoft.io/en-us/docs/authorization/permission_scopes.

Group.ReadAll does require admin consent. I've found the following page to be super useful as I try to determine the permissions needed for my applications: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes.

在开发过程中，我有时需要更新应用的权限.每当更新权限时，我发现转到 http://myapps.microsoft.com 撤销同意很有用对于我的应用程序.然后我下次登录应用程序时，总是会提示我输入内容，这样我就可以清楚地看到用户会看到什么.

During development I have sometimes needed to update the permissions for my app. Whenever permissions are updated I've found it useful to go to http://myapps.microsoft.com to revoke consent for my app. Then the next time I log in to the app, I am always prompted for content so I can clearly see exactly what users will see.

这篇关于无法通过 Graph API 获取我所属的 Office 365 组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！