I wrote a PowerShell tool to automate the initial setup of an Azure tenant (groups, device configuration profiles, etc.). To make this work I use the Graph API with the OAuth 2.0 authorization code grant flow and delegated permissions. This works fine as long as I provide Global Administrator credentials.
In addition, I have a Partner Center Azure AD tenant from which I manage my customers' tenants.
When using my PS tool, I would like to authenticate with my Partner Center account instead of a Global Administrator, so I followed these instructions: https://docs.microsoft.com/en-us/graph/auth-cloudsolutionprovider
Here is my problem: when I run the tool with the partner account, this POST request fails to add a group in AAD:
```powershell
# JSON body for the new dynamic security group
$body = @"
{
    "displayName": "Intune Users",
    "mailEnabled": false,
    "mailNickname": "Intune Users",
    "securityEnabled": true,
    "description": "Dynamic groups with all Intune users",
    "groupTypes": [
        "DynamicMembership"
    ],
    "membershipRule": "user.assignedPlans -any (assignedPlan.service -eq \"SCO\" -and assignedPlan.capabilityStatus -eq \"Enabled\")",
    "membershipRuleProcessingState": "On"
}
"@

# $Authorization.access_token comes from the token request shown further down
Invoke-WebRequest -Headers @{Authorization = ("Bearer " + $Authorization.access_token)} `
    -Uri "https://graph.microsoft.com/beta/groups" `
    -ContentType "application/json" `
    -Method Post `
    -Body $body
```
```json
{
  "error": {
    "code": "BadRequest",
    "message": "Current authenticated context is not valid for this request. This occurs when a request is made to an endpoint that requires user sign-in. For example, /me requires a signed-in user. Acquire a token on behalf of a user to make requests to these endpoints. Use the OAuth 2.0 authorization code flow for mobile and native apps and the OAuth 2.0 implicit flow for single-page web apps.",
    "innerError": {
      "request-id": "1adb1bc7-7e79-48f9-b190-4ac9c8bc8212",
      "date": "2019-12-05T14:51:38"
    }
  }
}
```
This GET request works and returns groups:
```powershell
Invoke-WebRequest -Headers @{Authorization = ("Bearer " + $Authorization.access_token)} `
    -Uri "https://graph.microsoft.com/beta/groups" `
    -Method Get
```
As the error suggests, I tried https://docs.microsoft.com/fr-fr/graph/auth-v2-user, but I get exactly the same result.
What am I doing wrong?
Other people who get this error message are using application permissions and the client credentials flow, whereas I am using the authorization code flow.
Microsoft Graph API BadRequest Current authenticated context is not valid
Here is the code I use to get the access token and reproduce my problem.
```powershell
Function Show-OAuthWindow
{
    param(
        [System.Uri]$Url
    )
    Add-Type -AssemblyName System.Windows.Forms
    $form = New-Object -TypeName System.Windows.Forms.Form -Property @{Width=440;Height=640}
    $web  = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{Width=420;Height=600;Url=($Url)}
    # Close the window as soon as the redirect URI carries an authorization code or an error
    $DocComp = {
        $Global:uri = $web.Url.AbsoluteUri
        if ($Global:uri -match "error=[^&]*|code=[^&]*") { $form.Close() }
    }
    $web.ScriptErrorsSuppressed = $true
    $web.Add_DocumentCompleted($DocComp)
    $form.Controls.Add($web)
    $form.Add_Shown({ $form.Activate() })
    $form.ShowDialog() | Out-Null
    # Turn the query string of the final redirect (code=..., error=...) into a hashtable
    $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)
    $output = @{}
    foreach ($key in $queryOutput.Keys) {
        $output["$key"] = $queryOutput[$key]
    }
    $output
}

Add-Type -AssemblyName System.Web
$client_id   = "<clientId>"
$redirectUrl = "http://localhost"

# Build login URL (Azure AD v1 endpoint)
$loginUrl = "https://login.microsoftonline.com/<tenantId>/oauth2/authorize?" +
    "response_type=code" +
    "&redirect_uri=" + [System.Web.HttpUtility]::UrlEncode($redirectUrl) +
    "&client_id=$client_id" +
    "&prompt=login"

# Prompt for credentials
$queryOutput = Show-OAuthWindow -Url $loginUrl

# Build request for an access token (authorization code grant)
$AuthorizationPostRequest =
    "grant_type=authorization_code" +
    "&redirect_uri=" + [System.Web.HttpUtility]::UrlEncode($redirectUrl) +
    "&client_id=$client_id" +
    "&code=" + $queryOutput["code"] +
    "&resource=" + [System.Web.HttpUtility]::UrlEncode("https://graph.microsoft.com/")

# Request the access token
$Authorization =
    Invoke-RestMethod -Method Post `
        -ContentType "application/x-www-form-urlencoded" `
        -Uri "https://login.microsoftonline.com/<tenantId>/oauth2/token" `
        -Body $AuthorizationPostRequest
```
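A check worth running before the POST, added here as an example and not code from the question: decode the payload of the access token and look at the claims that tell you whether Graph sees a delegated (signed-in user) or an app-only context, since the error shown above is the one Graph returns when an endpoint needs a signed-in user. It assumes the token is `$Authorization.access_token` from the script above; the sample token at the bottom is constructed with a placeholder tenant id and no signature, purely so the function can be run offline.

```powershell
# Decode the middle (payload) segment of a JWT; no signature check, this is a diagnostic only
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected dot-separated segments" }
    # Base64url -> Base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) |
        ConvertFrom-Json
}

# Report the claims that decide how Graph treats the call
function Test-GraphTokenContext {
    param([Parameter(Mandatory)][string]$Token)
    $c = Get-JwtPayload -Token $Token
    $hasScp   = $null -ne $c.PSObject.Properties['scp']    # delegated permissions
    $hasRoles = $null -ne $c.PSObject.Properties['roles']  # application permissions
    [pscustomobject]@{
        Audience   = $c.aud          # should be the Graph resource you requested
        TenantId   = $c.tid          # tenant the token was issued for
        User       = $c.upn          # absent on app-only tokens
        Delegated  = $hasScp
        AppOnly    = (-not $hasScp) -and $hasRoles
        Scopes     = $c.scp
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.exp).UtcDateTime
    }
}

# Constructed, unsigned sample token with a placeholder tenant id (not a real token):
# an app-only shape, i.e. "roles" but no "scp"/"upn", which Graph rejects on
# endpoints that require a signed-in user.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com","tid":"00000000-0000-0000-0000-000000000000","exp":1575557498,"roles":["Group.ReadWrite.All"]}'
$sampleToken = "$header.$payload."

Test-GraphTokenContext -Token $sampleToken | Format-List
# Real use: Test-GraphTokenContext -Token $Authorization.access_token | Format-List
```

If the report for your real token shows `Delegated` false or a `TenantId` other than the customer tenant you are writing to, the token is not the delegated, customer-scoped one the POST needs.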