"Failed to authorize caller, the caller wasn't owner of the device or one of the admin roles." microsoft-graph

I can't seem to get the Graph API to return BitLocker recovery keys from PowerShell. I'm using an Azure AD app registration:

```powershell
# Placeholder values (not in the original post); replace with your own
$ApplicationID    = "<application (client) id>"
$AccessSecret     = "<client secret>"
$TenantDomainName = "<tenant>.onmicrosoft.com"

# Client credentials (app-only) token request
$Body = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    client_Id     = $ApplicationID
    Client_Secret = $AccessSecret
}

$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantDomainName/oauth2/v2.0/token" `
    -Method POST -Body $Body

$token = $ConnectGraph.access_token

# Build the header only after $token is assigned; building it first sends "Bearer " with an empty token
$headr = @{
    Authorization        = "Bearer $($token)"
    'ocp-client-name'    = ""
    'ocp-client-version' = "1.2"
}

$GrapGroupUrl = 'https://graph.microsoft.com/beta/bitlocker/recoveryKeys'
(Invoke-RestMethod -Headers $headr -Uri $GrapGroupUrl -Method Get)
```

Error:

```json
{
  "error": {
    "code": "UnknownError",
    "message": "{\"odata.error\":{\"Code\":\"authorization_error\",\"Message\":{\"Lang\":\"en\",\"Value\":\"Failed to authorize caller, the caller wasn't owner of the device or one of the admin roles.\"},\"Values\":[{\"Item\":\"subCode\",\"Value\":\"error_authorization_request_denied\"},{\"Item\":\"requestId\",\"Value\":\"xxxxxxxxxx\"},{\"Item\":\"time\",\"Value\":\"2020-11-19T04:43:13.6957327Z\"}]}}",
    "innerError": {
      "date": "2020-11-19T04:43:13",
      "request-id": "xxxxxxxxx",
      "client-request-id": "xxxxxx"
    }
  }
}
```

For this question, the error is caused by an incorrect grant type (authorization flow). As we can see, the documentation shows that this Graph API requires the Delegated permissions BitLocker.ReadBasic.All or BitLocker.Read.All; it does not support Application permissions.

So we cannot use the client credentials flow to get the access token; we need to use the username/password flow instead. Please refer to my test in the screenshot below.

After running the commands, we can see that the result shows no error message.
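As an added example (not code from the original post or its answer), the script below obtains a delegated token with the OAuth 2.0 resource-owner password credentials (ROPC) flow that the answer describes, confirms that the token actually carries a delegated `scp` claim rather than app-only `roles`, and then calls the same `beta/bitlocker/recoveryKeys` endpoint as the question. The tenant name, application id, user name and the `Get-JwtPayload` helper are assumptions for illustration.

```powershell
# Added example, not from the original post. Placeholders below must be replaced.
$TenantDomainName = "contoso.onmicrosoft.com"                  # placeholder tenant
$ApplicationID    = "00000000-0000-0000-0000-000000000000"     # placeholder app (client) id
$UserName         = "admin@contoso.onmicrosoft.com"            # placeholder; the account must hold an admin role
                                                               # or own the device, as the error message states
$SecurePassword   = Read-Host -Prompt "Password for $UserName" -AsSecureString
$PlainPassword    = [System.Net.NetworkCredential]::new("", $SecurePassword).Password

# Delegated scope (admin consent granted on the app registration). Use
# BitLocker.ReadBasic.All if the key itself is not needed.
$Body = @{
    grant_type = "password"
    scope      = "https://graph.microsoft.com/BitLocker.Read.All"
    client_id  = $ApplicationID
    username   = $UserName
    password   = $PlainPassword
    # client_secret = "<secret>"   # only for a confidential client; a public client sends none
}

$TokenResponse = Invoke-RestMethod -Method POST `
    -Uri "https://login.microsoftonline.com/$TenantDomainName/oauth2/v2.0/token" `
    -Body $Body
$token = $TokenResponse.access_token

# Helper (assumed, not a Graph API): decode the JWT payload without verifying it,
# purely to inspect which claims the token carries.
function Get-JwtPayload {
    param([string]$Jwt)
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

$claims = Get-JwtPayload $token
if (-not $claims.scp) {
    # A client-credentials token has a 'roles' claim and no 'scp'; Graph then returns
    # the authorization_error from the question.
    throw "Token carries no delegated scopes (scp claim); BitLocker endpoints need a delegated token."
}

# Build the Authorization header only after the token exists.
$headr = @{ Authorization = "Bearer $token" }

$Url = 'https://graph.microsoft.com/beta/bitlocker/recoveryKeys'
$Result = Invoke-RestMethod -Headers $headr -Uri $Url -Method Get
$Result.value | Select-Object id, createdDateTime, deviceId
```

The ROPC flow only works for an app registration with "Allow public client flows" enabled (or a confidential client that also sends its secret) and for an account that can sign in without interactive MFA; even with a valid delegated token, the caller still has to be the device owner or hold one of the admin roles named in the error message, so the `scp` check above only rules out the grant-type mistake, not a missing role.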