問題描述

當(dāng)我嘗試訪問圖形服務(wù)客戶端時(shí)收到錯(cuò)誤消息:

When trying to access the Graph Service Client using I am receiving the error :

代碼:Authorization_RequestDenied
消息:權(quán)限不足，無法完成操作.

Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

研究此錯(cuò)誤后，最常見的解決方案是為 API 設(shè)置權(quán)限.這已經(jīng)完成并且有權(quán)讀取基本/完整配置文件.

After researching this error the most common solution was to set the permissions for the API. This had already been done and has permissions to read basic/full profiles.

我已刪除并重新添加了 API.

I've delete and re-added the APIs.

下面是我的 AzureAuthenticationProvider 類中的代碼，它繼承自 IAuthenticationProvider:

Below is the code in my AzureAuthenticationProvider class which inherits from IAuthenticationProvider:

public class AzureAuthenticationProvider : IAuthenticationProvider
{
    private string _azureDomain = "myDevDom.onmicrosoft.com";

    public async Task AuthenticateRequestAsync(HttpRequestMessage request)
    {
        try
        {
            string clientId = "2b823c67-1b0d-4a10-a9e1-737142516f5q";
            string clientSecret = "xxxxxx";

            AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/" + _azureDomain + "/oauth2/token");

            ClientCredential credentials = new ClientCredential(clientId, clientSecret);

            AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", credentials);

            request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
        }
        catch (Exception ex)
        {
        }
    }
}

我嘗試將客戶端密鑰更改為無效的 ID，但它引發(fā)了錯(cuò)誤，因此客戶端密鑰是正確的.我還嘗試通過更改訪問令牌來驗(yàn)證訪問令牌是否有效，這也會返回錯(cuò)誤.

I've tried changing the client secret to an invalid Id and it threw an error, so the client key is correct. I've also tried to verify that the access token is valid by altering the access token, this also returns a error.

上面的代碼似乎工作正常.

The above code seems to work fine.

下面是我嘗試訪問 Azure AD 的代碼:

Below is the code where I'm trying to access Azure AD:

public async Task<IGraphServiceUsersCollectionPage> GetUsersByLastName(string lastname)  
{
    GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
    string filter = String.Format("startswith(surname, '{0}')", lastname);
    IGraphServiceUsersCollectionPage users = await graphClient.Users.Request().Filter(filter).GetAsync(); //Fails on this line
    return users;
}

非常感謝任何幫助，并提前感謝您的幫助.

Any help is much appreciated, and thanks in advance for any help.

推薦答案

請參考以下步驟:

1. 從您的屏幕截圖中，您似乎授予了 Windows Azure Active Directory(azure ad graph api) 的 Read and write directory data 應(yīng)用程序權(quán)限.由于您使用的是 microsoft graph (

1. From your screenshot , seems you grant Read and write directory data application permission for Windows Azure Active Directory(azure ad graph api) . Since you are using microsoft graph (https://graph.microsoft.com/) , you need to grant application permission for Microsoft Graph :

由于您是 AAD 中的管理員，您可以通過單擊上面屏幕截圖中顯示的 Grant permission 按鈕為組織中的用戶授予權(quán)限.

Since you are admin in your AAD, You could grant permission for users in organization by click Grant permission button shown in above screenshot .

然后您可以使用您的代碼(客戶端憑據(jù)流來獲取令牌)并查詢用戶信息.如果您檢查 azure ad 頒發(fā)的訪問令牌中的聲明，您可以在 roles 聲明中找到 Directory.Read.All 權(quán)限.

Then you could use your code (client credential flow to get the token) and query users information . If you check the claims in access token issued by azure ad , you could find Directory.Read.All permission in roles claim .

這篇關(guān)于Graph API - 權(quán)限不足，無法完成操作的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！