Azure AD / Microsoft.Graph C# 授权问题,但在 Graph Explorer 中没有
Azure AD / Microsoft.Graph C# Authorization problem, but not in Graph Explorer
大家好,提前感谢所有反馈。非常感谢!
我使用 NuGet 包:
Microsoft.Graph 3.27.0
Micfosoft.Graph.Auth1.0.0
和 OnBehalfOfProvider,基本上只是想列出用户或从 Azure Active Directory 中过滤到特定用户,但我似乎无法弄清楚如何使用 Graph Explorer 执行相同的操作(https://developer.microsoft.com/en-us/graph/graph-explorer).使用在线浏览器我没有任何问题:
Everything fine with Graph Explorer and listing users
但是在我的 C# .NET 应用程序中,当我尝试做同样的事情时
使用范围参数:
string[] graphScopes = { "User.Read","profile", "Sites.ReadWrite.All"};要么
string[] graphScopes = { "https://graph.microsoft.com/user.read+offline_access"};
我收到状态 500 内部服务器错误和这些详细信息:
"error": {
"code": "generalException",
"message": "Unexpected exception returned from MSAL."
...
"innerException": {
"classification": 4,
"statusCode": 400,
"claims": null,
"responseBody": "{"error":"invalid_grant","error_description":"AADSTS65001: The
user or administrator has not consented to use the application with ID
'c0fb187f-daa8-4566-a7fb-2decd05ef980' named 'platform-test-ad'. Send
an interactive authorization request for this user and resource.
以及范围参数:
string[] graphScopes = new string[] { "https://graph.microsoft.com/.default" };
我得到 403:
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
...
"statusCode": 403,
"rawResponseBody": "{\r\n "error": {\r\n "code": "Authorization_RequestDenied",\r\n "message": "Insufficient
privileges to complete the operation."
在 Azure 内部,企业应用程序 |用户设置如下所示:
Enterprice applications User settings
我的 C# 代码如下所示:
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
.Create(authSettings.FunctionApplicationId)
.WithTenantId(authSettings.FunctionTenantId)
.WithAuthority(authSettings.Authority)
.WithClientSecret(authSettings.FunctionClientSecret)
.Build();
string[] graphScopes = new string[] { "https://graph.microsoft.com/user.read+offline_access" };
OnBehalfOfProvider authProvider = new OnBehalfOfProvider(confidentialClientApplication, graphScopes);
var userAssertion = new UserAssertion(token);
var usersRequest = confidentialClientApplication.Users
.Request()
.WithUserAssertion(userAssertion);
var usersResult = await usersRequest.GetAsync();
对此有任何提示或解释吗?
在调用 Microsoft Graph API 至 list users 时,请确保您的帐户不是 个人(受邀)帐户
并且您需要在 API Azure 门户的权限中添加 delegated 权限之一,例如 User.Read.All。您问题中的范围 User.Read 没有足够的权限。
string[] graphScopes = new string[] { "User.Read.All" };
OnBehalfOfProvider authProvider = new OnBehalfOfProvider(confidentialClientApplication, graphScopes);
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var users = await graphClient.Users
.Request()
.GetAsync();
添加:在API权限中点击grant admin consent for your tenant,因为User.Read.All需要管理员同意。
事实证明,Pamela's 的答案是答案的一半,但它引导我找到了解决方案。
我还需要在 API 权限内添加权限,如下所示:
API App Permissions
要读取单个用户、所有用户并在 Azure 活动目录中创建用户,我使用这个范围:
string[] graphScopes = { "User.ReadWrite.All" };
但是对于上面的例子你是对的,“User.Read.All”就足够了。
我过去有一些 AADSTS65001 在 AcquireTokenSilent 上使用 MSAL,当时范围没有完全写入。对于 Powerbi,我必须更改
App.Read.All
至
https://analysis.windows.net/powerbi/api/App.Read.All
奇怪的是,在没有此更改(特别是同意)的情况下,身份验证周期工作正常,但仅在 AcquireTokenSilent 上失败。
大家好,提前感谢所有反馈。非常感谢!
我使用 NuGet 包: Microsoft.Graph 3.27.0 Micfosoft.Graph.Auth1.0.0
和 OnBehalfOfProvider,基本上只是想列出用户或从 Azure Active Directory 中过滤到特定用户,但我似乎无法弄清楚如何使用 Graph Explorer 执行相同的操作(https://developer.microsoft.com/en-us/graph/graph-explorer).使用在线浏览器我没有任何问题:
Everything fine with Graph Explorer and listing users
但是在我的 C# .NET 应用程序中,当我尝试做同样的事情时 使用范围参数: string[] graphScopes = { "User.Read","profile", "Sites.ReadWrite.All"};要么 string[] graphScopes = { "https://graph.microsoft.com/user.read+offline_access"};
我收到状态 500 内部服务器错误和这些详细信息:
"error": { "code": "generalException", "message": "Unexpected exception returned from MSAL." ... "innerException": { "classification": 4, "statusCode": 400, "claims": null, "responseBody": "{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'c0fb187f-daa8-4566-a7fb-2decd05ef980' named 'platform-test-ad'. Send an interactive authorization request for this user and resource.
以及范围参数: string[] graphScopes = new string[] { "https://graph.microsoft.com/.default" };
我得到 403:
"error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", ... "statusCode": 403, "rawResponseBody": "{\r\n "error": {\r\n "code": "Authorization_RequestDenied",\r\n "message": "Insufficient privileges to complete the operation."
在 Azure 内部,企业应用程序 |用户设置如下所示: Enterprice applications User settings
我的 C# 代码如下所示:
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
.Create(authSettings.FunctionApplicationId)
.WithTenantId(authSettings.FunctionTenantId)
.WithAuthority(authSettings.Authority)
.WithClientSecret(authSettings.FunctionClientSecret)
.Build();
string[] graphScopes = new string[] { "https://graph.microsoft.com/user.read+offline_access" };
OnBehalfOfProvider authProvider = new OnBehalfOfProvider(confidentialClientApplication, graphScopes);
var userAssertion = new UserAssertion(token);
var usersRequest = confidentialClientApplication.Users
.Request()
.WithUserAssertion(userAssertion);
var usersResult = await usersRequest.GetAsync();
对此有任何提示或解释吗?
在调用 Microsoft Graph API 至 list users 时,请确保您的帐户不是 个人(受邀)帐户
并且您需要在 API Azure 门户的权限中添加 delegated 权限之一,例如 User.Read.All。您问题中的范围 User.Read 没有足够的权限。
string[] graphScopes = new string[] { "User.Read.All" };
OnBehalfOfProvider authProvider = new OnBehalfOfProvider(confidentialClientApplication, graphScopes);
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var users = await graphClient.Users
.Request()
.GetAsync();
添加:在API权限中点击grant admin consent for your tenant,因为User.Read.All需要管理员同意。
事实证明,Pamela's 的答案是答案的一半,但它引导我找到了解决方案。 我还需要在 API 权限内添加权限,如下所示: API App Permissions
要读取单个用户、所有用户并在 Azure 活动目录中创建用户,我使用这个范围:
string[] graphScopes = { "User.ReadWrite.All" };
但是对于上面的例子你是对的,“User.Read.All”就足够了。
我过去有一些 AADSTS65001 在 AcquireTokenSilent 上使用 MSAL,当时范围没有完全写入。对于 Powerbi,我必须更改
App.Read.All
至
https://analysis.windows.net/powerbi/api/App.Read.All
奇怪的是,在没有此更改(特别是同意)的情况下,身份验证周期工作正常,但仅在 AcquireTokenSilent 上失败。