403 禁止从 Azure Graph API

403 Forbidden from Azure Graph API

我在尝试使用 Graph 创建应用程序时收到来自 Azure AD 的 403 禁止响应 API:

private static void CreateApplicationViaPost(string tenantId, string clientId, string clientSecret)
{
    var authContext = new AuthenticationContext(
        string.Format("https://login.windows.net/{0}",
        tenantId));

    ClientCredential clientCred = new ClientCredential(clientId, clientSecret);

    AuthenticationResult result = authContext.AcquireToken(
        "https://graph.windows.net",
        clientCred);

    HttpClient client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

    const string json = @"{ displayName: ""My test app"", logoutUrl: ""http://logout.net"", identifierUris: [ ""http://identifier1.com"" ], replyUrls: [ ""http://replyUrl.net"" ] }";
    HttpResponseMessage response = client.PostAsync(
        string.Format("https://graph.windows.net/{0}/applications?api-version=1.6", tenantId),
        new StringContent(json, Encoding.UTF8, "application/json")).Result;

    Console.WriteLine(response.ToString());
}

在Azure AD中注册的客户端拥有所有权限:

我错过了什么?

编辑: 我在 Azure AD 中注册了一个本地客户端并授予它写入 Windows Azure Active Directory 的权限。此代码在 Azure AD 中创建一个应用程序:

private static void CreateApplicationViaPost(string tenantId, string clientId, string redirectUri)
        {
            var authContext = new AuthenticationContext(
                string.Format("https://login.windows.net/{0}",
                tenantId));

            AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", clientId, new Uri(redirectUri), PromptBehavior.Auto);

            HttpClient client = new HttpClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

            const string json = @"{ displayName: ""My test app1"", homepage: ""http://homepage.com"", logoutUrl: ""http://logout1.net"", identifierUris: [ ""http://identifier11.com"" ], replyUrls: [ ""http://replyUrl1.net"" ] }";
            HttpResponseMessage response = client.PostAsync(
                string.Format("https://graph.windows.net/{0}/applications?api-version=1.6", tenantId),
                new StringContent(json, Encoding.UTF8, "application/json")).Result;

            Console.WriteLine(response.ToString());
        }

正在修改目录requires consent from an admin user。因此,您需要从用户那里获取访​​问令牌,例如通过 OAuth,而不是客户端的令牌。

samples at GitHub that show the authorisation flow, e.g. https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet.

中有不少

另一种方法是使用 Microsoft.Azure.ActiveDirectory.GraphClient NuGet 包中的 ActiveDirectoryClient

private static async Task CreateApplication(string tenantId, string clientId,
    string redirectUri)
{
    var graphUri = new Uri("https://graph.windows.net");
    var serviceRoot = new Uri(graphUri, tenantId);
    var activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
        async () => AcquireTokenAsyncForUser("https://login.microsoftonline.com/" + tenantId,
            clientId, redirectUri));

    var app = new Application
        {
            Homepage = "https://localhost",
            DisplayName = "My Application",
            LogoutUrl = "https://localhost",
            IdentifierUris = new List<string> { "https://tenant.onmicrosoft.com/MyApp" },
            ReplyUrls = new List<string> { "https://localhost" }
        };

    await activeDirectoryClient.Applications.AddApplicationAsync(app);

    Console.WriteLine(app.ObjectId);
}

private static string AcquireTokenAsyncForUser(string authority, string clientId,
    string redirectUri)
{
    var authContext = new AuthenticationContext(authority, false);
    var result = authContext.AcquireToken("https://graph.windows.net",
        clientId, new Uri(redirectUri), PromptBehavior.Auto);

    return result.AccessToken;
} 

添加到@MrBrink 的回答 - 您需要确保在 Azure Active Directory UI 中添加权限的人实际上是管理员。如果您有权访问 Azure Active Directory 但不是管理员,它 仍然允许您分配权限 - 但是它们将仅适用于用户范围。