尝试使用 MSGraph 访问 SharePointSiteUsageDetail 时,我的 SPFx Web 部件中出现 403(禁止)无效权限错误
403(Forbidden) Invalid permission error in my SPFx web part when trying to access SharePointSiteUsageDetail with MSGraph
我可以在 Graph Explorer 中从此 url 获取数据,但是当我在我的 SPFx 解决方案中尝试时,它给我一个 403(禁止)错误:
https://graph.microsoft.com/beta/reports/getSharePointSiteUsageDetail(period='D30')?$format=application/json
错误:
enter image description here
在包-solution.json文件中,我设置了这些权限:
"webApiPermissionRequests": [
{"resource": "Microsoft Graph","scope":"User.ReadBasic.All"},
{"resource": "Microsoft Graph","scope": "sites.Read.All"},
{"resource": "Microsoft Graph","scope": "Reports.Read.All"}]
MS Graph 取数据代码:
public GetUsageData = (): void => {
this.props.context.msGraphClientFactory
.getClient()
.then((msGraphClient: MSGraphClient) => {
const period = 7;
msGraphClient
.api(
"reports/getSharePointSiteUsagePages(period='D" +
period +
"')?$format=application/json"
)
.version("v1.0")
.get((err, report: any, res: any) => {
if (err) {
console.log("Error occured from usage", err);
}
console.log("Error occured usage data", err);
console.log("Response usage data", res);
res.value.map((result) => {
this.allUsage.push({
storageUsedInBytes: result.storageUsedInBytes,
storageAllocatedInBytes: result.storageAllocatedInBytes,
});
});
this.setState({ usageDataState: this.allUsage });
});
});
我已将所需的 Report.Read.All 权限设置为“SharePoint Online 客户端可扩展性 Web 应用程序主体”:
enter image description here
我在我的 sharePoint 管理中心批准了权限:enter image description here
Office 365 使用报告受权限和 azure 广告角色保护,支持两种 types of authorization,包括用户委托。
Reports.Read.All 使用工作或学校帐户登录时需要 delegated permission to > getSharePointSiteUsageDetail。然后还需要用户同意以及管理员同意,其中用户必须以下角色之一:
Company Administrator, Exchange Administrator, SharePoint
Administrator, Lync Administrator, Teams Service Administrator, Teams
Communications Administrator, Global Reader, Usage Summary Reports
Reader, or Reports Reader. The Global Reader and Usage Summary Reports
Reader roles will only have access to tenant-level data, without
visibility into detailed metrics., To consent on behalf of user, you
need to have
即;用户必须是 Azure AD 受限管理员角色的成员。
- MSGraphClient 使用
implicit authentication access token. 在 https://jwt.ms .It may not have had the "wids" claim 中解码后检查访问令牌(这表示通过应用程序清单的 groupMembershipClaims 属性 分配给该用户的租户范围的角色。 )。此声明列出了哪些 Azure AD 角色已分配给委派用户。因此,如果不存在则表示它没有权限。
解决方法:
SPFx 包中请求的权限需要由 SharePoint 管理员明确授予。即使是那些不需要管理员同意的。
这样一来,允许从 SPFx 自定义中使用的所有权限范围都必须经过管理员批准。所以 管理员必须再次 grant the permissions。
默认情况下,如果未授予任何权限,则唯一可用的权限范围是 user_impersonation,这允许您从图表中获取有限的信息。
请参阅以下链接了解更多详情:
- available-permission-scopes
- spfx/use-aadhttpclient
- Calling Microsoft Graph with Delegated Implicit Authentication(briantjackett.com)
- sharepoint - "Error 403, forbidden" while calling the Microsoft Graph -SPFx webpart? - Stack Overflow
我可以在 Graph Explorer 中从此 url 获取数据,但是当我在我的 SPFx 解决方案中尝试时,它给我一个 403(禁止)错误:
https://graph.microsoft.com/beta/reports/getSharePointSiteUsageDetail(period='D30')?$format=application/json
错误: enter image description here
在包-solution.json文件中,我设置了这些权限:
"webApiPermissionRequests": [
{"resource": "Microsoft Graph","scope":"User.ReadBasic.All"},
{"resource": "Microsoft Graph","scope": "sites.Read.All"},
{"resource": "Microsoft Graph","scope": "Reports.Read.All"}]
MS Graph 取数据代码:
public GetUsageData = (): void => {
this.props.context.msGraphClientFactory
.getClient()
.then((msGraphClient: MSGraphClient) => {
const period = 7;
msGraphClient
.api(
"reports/getSharePointSiteUsagePages(period='D" +
period +
"')?$format=application/json"
)
.version("v1.0")
.get((err, report: any, res: any) => {
if (err) {
console.log("Error occured from usage", err);
}
console.log("Error occured usage data", err);
console.log("Response usage data", res);
res.value.map((result) => {
this.allUsage.push({
storageUsedInBytes: result.storageUsedInBytes,
storageAllocatedInBytes: result.storageAllocatedInBytes,
});
});
this.setState({ usageDataState: this.allUsage });
});
});
我已将所需的 Report.Read.All 权限设置为“SharePoint Online 客户端可扩展性 Web 应用程序主体”: enter image description here
我在我的 sharePoint 管理中心批准了权限:enter image description here
Office 365 使用报告受权限和 azure 广告角色保护,支持两种 types of authorization,包括用户委托。
Reports.Read.All 使用工作或学校帐户登录时需要
delegated permissionto > getSharePointSiteUsageDetail。然后还需要用户同意以及管理员同意,其中用户必须以下角色之一:
Company Administrator, Exchange Administrator, SharePoint Administrator, Lync Administrator, Teams Service Administrator, Teams Communications Administrator, Global Reader, Usage Summary Reports Reader, or Reports Reader. The Global Reader and Usage Summary Reports Reader roles will only have access to tenant-level data, without visibility into detailed metrics., To consent on behalf of user, you need to have
即;用户必须是 Azure AD 受限管理员角色的成员。
- MSGraphClient 使用
implicit authentication access token.在 https://jwt.ms .It may not have had the "wids" claim 中解码后检查访问令牌(这表示通过应用程序清单的 groupMembershipClaims 属性 分配给该用户的租户范围的角色。 )。此声明列出了哪些 Azure AD 角色已分配给委派用户。因此,如果不存在则表示它没有权限。
解决方法:
SPFx 包中请求的权限需要由 SharePoint 管理员明确授予。即使是那些不需要管理员同意的。 这样一来,允许从 SPFx 自定义中使用的所有权限范围都必须经过管理员批准。所以 管理员必须再次 grant the permissions。
默认情况下,如果未授予任何权限,则唯一可用的权限范围是 user_impersonation,这允许您从图表中获取有限的信息。
请参阅以下链接了解更多详情:
- available-permission-scopes
- spfx/use-aadhttpclient
- Calling Microsoft Graph with Delegated Implicit Authentication(briantjackett.com)
- sharepoint - "Error 403, forbidden" while calling the Microsoft Graph -SPFx webpart? - Stack Overflow