'Insufficient privileges to complete the operation' 尝试通过 Microsoft Graph 创建组时

Question

期望的行为

通过 Microsoft Graph 创建 group，在具有 delegated API 权限的 single tenant application 中使用 JavaScript SDK 和 MSAL。

实际行为

{
  "statusCode": 403,
  "code": "Authorization_RequestDenied",
  "message": "Insufficient privileges to complete the operation.",
  "requestId": "6e865d96-ef8b-408e-a905-5393b4adcfdc",
  "date": "2020-05-16T20:20:15.000Z",
  "body": "{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\",\"innerError\":{\"request-id\":\"6e865d96-ef8b-408e-a905-5393b4adcfdc\",\"date\":\"2020-05-17T06:20:15\"}}"
}

我试过的

为了创建代码，我使用了以下 API 参考说明：

• Create group
• Group properties

Sign-in/sign-out 和所有其他 API 请求均有效。

订阅

Microsoft 365 Business Standard Trial

API 权限

Directory.AccessAsUser.All +++
Directory.ReadWrite.All ***
Group.ReadWrite.All  
GroupMember.ReadWrite.All ***
openid
profile
Sites.Read.All
Tasks.ReadWrite
User.Read

*** 我在阅读 后添加了这些，但仍然出现相同的错误。
+++ 我在下面的回答中提出建议后添加了这个。

我单击了 Azure 应用程序注册区域中的 'Grant admin consent' 按钮。

index.html

<!-- msal -->
<!-- from:  https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core -->
<script type="text/javascript" src="https://alcdn.msauth.net/lib/1.3.0/js/msal.js" integrity="****" crossorigin="anonymous"></script>

<!-- javascript sdk -->
<!-- from:  https://github.com/microsoftgraph/msgraph-sdk-javascript -->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/@microsoft/microsoft-graph-client/lib/graph-js-sdk.js"></script>

config.js

// msal options
const msalConfig = {
    auth: {
        clientId: "client-id-here",
        redirectUri: "http://localhost:8080",
        authority: "https://login.microsoftonline.com/tenant-id-here"
    },
  cache: {
    cacheLocation: "sessionStorage",
    storeAuthStateInCookie: false,
    forceRefresh: false
  }
};

// define application permissions   
const scopes = ['directory.accessasuser.all', 'directory.readwrite.all', 'group.readwrite.all', 'groupmember.readwrite.all', 'openid', 'profile', 'sites.read.all', 'user.read', 'tasks.readwrite' ]; 

auth.js

const msalApplication = new Msal.UserAgentApplication(msalConfig);

const loginRequest = {
    scopes: scopes
}

async function sign_in() {
    try {
        await msalApplication.loginPopup(loginRequest);
        if (msalApplication.getAccount()) {
            console.log("sign in success");
        }
    } catch (error) {
        console.log("sign in error");
        console.log(error);
    }
}

function sign_out() {
    msalApplication.logout();
}

graph.js

var path = "/groups"; 
var group = {
  description: "Here is a description.",
  displayName: "test_test_test",
  groupTypes: [
    "Unified",
    "DynamicMembership"
  ],
  mailEnabled: true,
  mailNickname: "test_test_test",
  securityEnabled: false, // initially i had this as true, doesn't seem to make a difference either way  
  visibility: "Hiddenmembership",
  "owners@odata.bind": [
    "https://graph.microsoft.com/v1.0/users/my-user-id-here"
  ],
    "members@odata.bind": [
        "https://graph.microsoft.com/v1.0/users/my-user-id-here"
  ]
};

var response = await client.api(path)
                            .post(group);

相关阅读：

Compare groups

Learn about Microsoft 365 Groups

Overview of Microsoft 365 Groups for administrators

Working with groups in Microsoft Graph

Create, edit, or delete a security group in the Microsoft 365 admin center

Creating teams and managing members using Microsoft Graph

Overview of Office 365 groups in Microsoft Graph

关于可能导致错误的其他想法...

Visibility is supported only for unified groups; it is not supported for security groups.

Source

可能securityEnabled: true和visibility:Hiddenmembership的组合不兼容？

我尝试将其更改为 securityEnabled: false 并收到相同的消息。

令牌有问题吗？

我从 Chrome 开发工具控制台复制了 Authorisation: Bearer 值并粘贴到 https://jwt.io 并且在令牌 - 但所有其他范围都存在：

Answer 1

我看到您没有在您的权限集中授予Group.Create权限。 授予此权限以创建群组。

对于应用程序权限类型，需要以下所有权限：

• Group.Create
• Group.ReadWrite.All
• Directory.ReadWrite.All

对于委托用户权限类型:

• Group.ReadWrite.All
• Directory.ReadWrite.All
• Directory.AccessAsUser.All

Answer 2

我能够通过更改 graph.js 中的以下内容来创建 Group：

groupTypes: ["Unified","DynamicMembership"]  

至

groupTypes: ["Unified"]`   

我不知道为什么 DynamicMembership 会导致错误。

它是 Group > groupTypes 的有效 属性 值，在下面的 link 中列出，没有任何注意事项：

https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties

作为参考，上面的代码创建了：

• 组
• SharePoint 'Team Site'
• Outlook 电子邮件组

不会自动创建对应的：

• 团队
• 计划

您可以在以下位置看到列出的新组：

https://admin.microsoft.com/AdminPortal/Home#/groups

https://outlook.office365.com/people

https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups

您可以看到组 'Team Site' 列在：

https://your_account-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/siteManagement

Answer 3

从你的图表调用中，我看到你试图创建动态组并向该组分配一个成员，动态组不支持添加成员，这就是你删除 "dynamicMemberShip" 下的原因组类型可以解决这个问题，下面是通过图 API 调用创建动态组的示例：

{
    "description": "test1",
    "displayName": "test1",
    "groupTypes": [
        "Unified",
        "DynamicMembership"
    ],
    "mailEnabled": true,
    "membershipRule": "user.displayname -contains A",
    "membershipRuleProcessingState":"On",
    "mailNickname": "library",
    "securityEnabled": false,
}