問題描述

我正在嘗試在 ASP.Net MVC 中創(chuàng)建一個頁面來重置當前用戶的密碼.我正在使用 Azure 活動目錄進行用戶身份驗證.要訪問用戶的 AD 信息，我使用的是 C# Graph API 客戶端.我的代碼基于 GitHub

我可以更改用戶的信息(例如城市、州、電子郵件).但是，當我嘗試使用用戶對象上的 PasswordProfile 屬性更改密碼時，我收到一條錯誤消息，提示我權限不足.我正在嘗試將密碼更改為應用程序，并且我認為權限問題的根源在于應用程序.

我發(fā)現(xiàn)以下 PowerShell 腳本應該將公司管理員角色添加到應用程序.但是，對 Get-MsolServicePrincipal 的調(diào)用不會返回任何內(nèi)容.查看命令的輸出，我看不到任何與我的應用程序名稱相似的條目.

#------------------------------------------------------------# 這將提示您輸入租戶的憑證# 你應該可以使用你的 Azure AD 管理用戶名#(以 admin@tenant.onmicrosoft.com 格式)#----------------------------------------------------------導入模塊 MSOnline連接-MsolService#----------------------------------------------------------# 將應用程序名稱替換為您的名稱# 應用服務主體#----------------------------------------------------------$displayName = "我的 Azure AD 應用程序"$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId#----------------------------------------------------------# 這會將您的應用程序服務主體添加到# 公司管理員角色#----------------------------------------------------------$roleName = "公司管理員"Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

我想我的第一個問題是我是否正確地認為權限問題與應用程序有關?

其次，我應該將 $displayName 變量設置為什么值?

您需要確保 Azure Active Directory 中的應用程序配置具有適當?shù)臋嘞拊O置.使用上面的內(nèi)容添加權限是矯枉過正的.您應該只向目錄中的應用程序添加所需的權限.

作為起點，我建議您查看 Graph API 同意權限 博客文章在這里.您只能以帳戶或全局管理員的身份使用傳統(tǒng)權限重置密碼，但您應該分配應用程序權限.

讀取和寫入目錄數(shù)據(jù)"用于提供此權限，但我相信這已被刪除.現(xiàn)在我相信用戶必須同意使用 OAuth 身份驗證流程才能重置密碼.

請參閱 changePassword 當前登錄用戶的方法以獲取更多信息.我有一個自定義桌面應用程序供用戶重置自己的密碼.

在我的應用程序中，我讓用戶使用他們現(xiàn)有的密碼進行身份驗證以獲取訪問令牌(這也有助于我在更改密碼之前驗證他們當前的憑據(jù)).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);var ctx = new AuthenticationContext(authority, false);var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);返回結果.AccessToken;

憑據(jù)屬性是使用用戶 UPN 和密碼的 UserCredential 類型.然后我通過網(wǎng)絡請求更改密碼.

var client = new HttpClient();client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";var pwdObject = new { currentPassword = curPassword, newPassword = newPass };var body = new JavaScriptSerializer().Serialize(pwdObject);var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

如果請求成功，這將返回 HTTP 204，我在獲取用戶令牌時也會捕獲 AADSTS50126 異常，因為這表明在獲取令牌時憑據(jù)無效.

I am trying to create a page in ASP.Net MVC to reset the current user's password. I am using Azure active directory for user authentication. To access, the user's AD information, I am using the C# Graph API client. My code is based on a sample found on GitHub

I am able to make changes to the user's information (such as city, state, email). However, when I attempt to change the password using the PasswordProfile attribute on the user object, I am getting an error saying I have insufficient permissions. I am attempting to change the password as the application and I believe that the source of the permission issue is with the application.

I found the following PowerShell script that is supposed to add the company administrator role to an application. However, the call to Get-MsolServicePrincipal does not return anything. Looking at the output of the command, I don't see any entries that even resemble the name of my application.

#-----------------------------------------------------------
# This will prompt you for your tenant's credential
# You should be able to use your your Azure AD administrative user name
# (in the admin@tenant.onmicrosoft.com format)
#-----------------------------------------------------------
import-module MSOnline
Connect-MsolService

#-----------------------------------------------------------
# Replace the Application Name with the name of your 
# Application Service Principal
#-----------------------------------------------------------
$displayName = "My Azure AD Application"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

#-----------------------------------------------------------
# This will add your Application Service Prinicpal to 
# the Company Administrator role
#-----------------------------------------------------------
$roleName = "Company Administrator"              
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

I guess my first question is am I correct that the permission issue is with application?

Second, what value to which I should be setting the $displayName variable?

You need to ensure that your application configuration in Azure Active Directory has the appropriate permissions setup. Adding the rights using what you have above is overkill. You should be adding the required permissions only to your application in the directory.

As a starting point I would suggest you review the Graph API Consent Permission blog post here. You can only reset a password as an account or global administrator using traditional rights but you should be assigning application permissions.

"Read and write directory data" used to provide this permission however I believe this was removed. Now I believe the user has to consent using the OAuth authentication flow to be able to reset a password.

See the changePassword method on the currently logged in user for more information on this. I have a custom desktop application for users to reset their own passwords.

In my application I have the users authenticate to get an access token using their existing password (this also helps me validate their current credentials before changing the password).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);
var ctx = new AuthenticationContext(authority, false);
var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);
return result.AccessToken;

The credential property is a UserCredential type using the users UPN and password. I then pass a web request to change the password.

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);
var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";
var pwdObject = new { currentPassword = curPassword, newPassword = newPass };
var body = new JavaScriptSerializer().Serialize(pwdObject);
var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

This returns a HTTP 204 if the request was successful, I also trap a AADSTS50126 exception when getting the user token as this indicates the credentials are invalid when obtaining the token.

這篇關于使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限問題的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！