Required permissions to list users from the Microsoft Graph API


In my application I implemented Azure AD sign-in using the OIDCStrategy of passport-azure-ad. Now I am trying to call the Graph list users API with the access token received after signing in to Microsoft, but I get this error.

GraphError {
   statusCode: 403,
   code: 'Authorization_RequestDenied',
   message: 'Insufficient privileges to complete the operation.',
   request-id:"XXXX",
   date: 2020-11-24T09:24:05.000Z,
   body: '{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2020-11-24T14:54:05","request-id":"XXXX","client-request-id":"XXXXXXX"}}'
}

My application has this many permissions, but I still get the above error. What am I doing wrong?

This is the decoded access token object:

{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/7adbf72e-a1bf-48dc-8646-f09a986d8cf5/","iat":1606229343,"nbf":1606229343,"exp":1606233243,"acct":1,"acr":"1","acrs":["urn:user:registersecurityinfo","urn:microsoft:req1","urn:microsoft:req2","urn:microsoft:req3","c1","c2","c3","c4","c5","c6","c7","c8","c9","c10","c11","c12","c13","c14","c15","c16","c17","c18","c19","c20","c21","c22","c23","c24","c25"],"aio":"AUQAu/8RAAAAOsguW0xieoa2CFuuDvL0jrUAtSMCWcD3IdbuCmn3lJuENH6iLn9d8hRFHUma9pcCBZX/wJfdyN6bA61m7ntpgg==","altsecid":"5::10032000C782425B","amr":["pwd"],"app_displayname":"ODP Local App","appid":"57ceab52-f7b8-4de4-a3ad-25dad057c497","appidacr":"1","email":"xxxx@xxxx.com","idp":"https://sts.windows.net/f6e57c1b-6cbc-42a4-8e89-39e1bef6c49f/","idtyp":"user","ipaddr":"49.207.220.153","name":"xxxx.xxxx","oid":"e4c3eda9-513d-4cb6-bfb7-d13a856226bc","platf":"5","puid":"10032000C7758CA0","rh":"0.AAAALvfber-h3EiGRvCamG2M9VKrzle49-RNo60l2tBXxJceAJc.","scp":"Directory.Read.All Mail.Read openid profile User.Read User.Read.All User.ReadBasic.All email","sub":"nFYoEl4fstYqfN3kFRucklSfbW6dOoYKBf4KkCDwrkk","tenant_region_scope":"NA","tid":"7adbf72e-a1bf-48dc-8646-f09a986d8cf5","unique_name":"xxxx@xxxx.com","uti":"IjWpoZpXkEex8C9Om31AAA","ver":"1.0","wids":["13bd1c72-6f4a-4dcf-985f-18d3b80f208a"],"xms_st":{"sub":"Hg0g_xypTWd5nXzHsNNOTQQwBlABxJ-NlyRDj8JqsuM"},"xms_tcdt":1540458072}

PS: when the signed-in user is assigned the Application administrator role, the API succeeds. Does the user need a separate role for the /users API? Are application permissions not enough?

Because you are signed in as a guest user, you cannot get the same access as a member user, so you cannot list all users. When you grant a guest user an administrator role, they have full read and write permissions, so they can list all users. You can see the difference between member and guest users:

Guest users have restricted directory permissions. They can manage their own profile, change their own password and retrieve some information about other users, groups and apps, however, they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups and other directory objects. Guests can be added to administrator roles, which grant them full read and write permissions contained in the role. Guests can also invite other guests.

Or you can try the setting: Guest users have the same access as members (most inclusive), which grants all member user permissions to guest users by default. However, this feature is currently in preview; sign in to the Azure portal as an administrator, then go to: Users > User settings > Manage external collaboration settings > Guest user access:
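The diagnosis above can be checked against the token itself before calling Graph. The following is an added example, not code from the question, the answer, passport-azure-ad or Microsoft Graph: it decodes a delegated access token and reports why GET /users will fail. The delegated scopes in `scp` are only a ceiling; the effective rights are that ceiling intersected with what the signed-in user may do in the directory, so a guest is refused even with User.Read.All consented. Assumptions: the guest heuristic (the `idp` tenant differs from the issuing `tid`) and the small table of Entra role template IDs are taken from public Entra documentation, not from the post; the sample claims are constructed by copying the relevant claims from the token in the question, and `decodeJwtPayload` does not verify the signature.

```javascript
// Added example: explain a 403 on GET /users from the delegated token's claims.
// Not code from the original question or answer.

// Delegated scopes any one of which permits listing users.
const LIST_USERS_SCOPES = ["User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All"];

// Microsoft Graph's app ID and resource URI, as they appear in the token "aud".
const GRAPH_AUDIENCES = ["00000003-0000-0000-c000-000000000000", "https://graph.microsoft.com"];

// Entra built-in role template IDs (assumption: taken from the public built-in
// roles list) whose directory read rights are broad enough to list users.
const DIRECTORY_READ_ROLES = {
  "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
  "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
  "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
  "88d8e3e3-8f55-4a1e-953a-9b9898b8876b": "Directory Readers",
};

const b64url = (s) => Buffer.from(s, "utf8").toString("base64url");
const unb64url = (s) => Buffer.from(s, "base64url").toString("utf8");

// Decode the payload of a compact JWS WITHOUT checking the signature. This is a
// diagnostic for a token you already hold; never authorize on an unverified decode.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(unb64url(parts[1]));
}

// Tenant ID at the end of an "https://sts.windows.net/<tid>/" style URL.
function tenantFromUrl(url) {
  const m = /\/([0-9a-f-]{36})\/?$/i.exec(url || "");
  return m ? m[1].toLowerCase() : null;
}

function diagnoseListUsers(claims) {
  const findings = [];
  const scopes = (claims.scp || "").split(" ").filter(Boolean);
  const hasScope = scopes.some((s) => LIST_USERS_SCOPES.includes(s));
  if (!hasScope) findings.push("no delegated scope that allows GET /users");
  if (!GRAPH_AUDIENCES.includes(claims.aud)) findings.push(`audience ${claims.aud} is not Microsoft Graph`);
  // "idp" is the tenant that authenticated the user. When it is not the issuing
  // tenant ("tid"), the user is an external (guest) account in this directory
  // (assumption: heuristic, not an official claim semantics guarantee).
  const idpTenant = claims.idp ? tenantFromUrl(claims.idp) : (claims.tid || "").toLowerCase();
  const isGuest = idpTenant !== (claims.tid || "").toLowerCase();
  const adminRoles = (claims.wids || []).map((id) => DIRECTORY_READ_ROLES[id]).filter(Boolean);
  if (isGuest && adminRoles.length === 0) {
    findings.push("guest user without a directory-reading admin role: default guest permissions cannot enumerate all users");
  }
  return { scopes, hasScope, isGuest, adminRoles, findings, expectListUsersOk: findings.length === 0 };
}

// Constructed sample claims: the relevant claims copied from the decoded token in
// the question (unrelated claims dropped).
const GUEST_CLAIMS = {
  aud: "00000003-0000-0000-c000-000000000000",
  iss: "https://sts.windows.net/7adbf72e-a1bf-48dc-8646-f09a986d8cf5/",
  idp: "https://sts.windows.net/f6e57c1b-6cbc-42a4-8e89-39e1bef6c49f/",
  tid: "7adbf72e-a1bf-48dc-8646-f09a986d8cf5",
  idtyp: "user",
  scp: "Directory.Read.All Mail.Read openid profile User.Read User.Read.All User.ReadBasic.All email",
  wids: ["13bd1c72-6f4a-4dcf-985f-18d3b80f208a"],
};
// Same guest after being assigned Application Administrator (constructed).
const GUEST_ADMIN_CLAIMS = { ...GUEST_CLAIMS, wids: [...GUEST_CLAIMS.wids, "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"] };
// A member of the issuing tenant (constructed): idp equals the issuer, no admin roles.
const MEMBER_CLAIMS = { ...GUEST_CLAIMS, idp: GUEST_CLAIMS.iss, wids: [] };

// Build an unsigned compact JWT from claims so decodeJwtPayload can run offline.
function sampleJwt(claims) {
  return [b64url(JSON.stringify({ alg: "none", typ: "JWT" })), b64url(JSON.stringify(claims)), ""].join(".");
}

for (const [name, c] of Object.entries({ GUEST_CLAIMS, GUEST_ADMIN_CLAIMS, MEMBER_CLAIMS })) {
  console.log(name, diagnoseListUsers(decodeJwtPayload(sampleJwt(c))));
}
```

Run with a recent Node.js (base64url encoding needs Node 15.7 or later). For the posted token the verdict is a guest with sufficient scopes but no directory-reading role, which matches the 403 in the question and the success after the Application administrator assignment.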