权限不足,无法添加Azure AD用户

时间:2020-07-22 19:49:48

标签: c# azure azure-active-directory

我创建了一个控制台应用程序来创建Azure AD用户,如下所示(文档参考:https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http):

static async Task Main(string[] args)
        {
            var credential = new ClientCredential("<clientt-id>", "<client-seceret>");
            var authProvider = new HttpRequestMessageAuthenticationProvider(
                                                        credential,
                                                        "https://login.windows.net/<tenant-id>",
                                                        "https://graph.microsoft.com/");

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "Test User",
                MailNickname = "testuser",
                UserPrincipalName = "testuser@M365xxxxxxx.onmicrosoft.com ",
                PasswordProfile = "xxxxxxxxxxxx"
                OnPremisesImmutableId = "id"
            };

            await graphClient.Users
                .Request()
                .AddAsync(user);
        }

添加到应用程序的API权限为Group.ReadWrite.All和User.ReadWrite.All。

在运行此代码时,我看到以下错误:

代码:Authorization_RequestDenied 消息:特权不足,无法完成操作。

我想念什么?

1 个答案:

答案 0 :(得分:1)

对于此问题,我总结了需要检查的要点:

1。。看来您的代码使用client_credentials作为授予流来完成这项工作,因此请检查您是否添加了“应用程序”的权限,但没有添加“委托的”权限。并且不要忘记授予管理员同意。

enter image description here

2。。如果仍然显示Authorization_RequestDenied消息,请删除权限Group.ReadWrite.All,因为此权限是不必要的。并且Group权限可能会影响我过去的测试中的其他权限。

3。。似乎您在类HttpRequestMessageAuthenticationProvider中开发了特定的代码,实际上我们可以使用现成的SDK。我在下面提供我的代码供您参考,该代码可以很好地创建用户。

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System;
using System.Threading.Tasks;

namespace ConsoleApp23
{
    class Program
    {
        static async Task Main(string[] args)
        {
            Console.WriteLine("Hello World!");

            IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create("<client_id>")
                .WithTenantId("<tenant_id>")
                .WithClientSecret("<client_secret>")
                .Build();

            ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "huryAdd",
                MailNickname = "huryAdd",
                UserPrincipalName = "huryAdd@xxx.onmicrosoft.com",
                PasswordProfile = new PasswordProfile
                {
                    ForceChangePasswordNextSignIn = true,
                    Password = "Password0123"
                },
                OnPremisesImmutableId = "testOnPre"
            };

            await graphClient.Users.Request().AddAsync(user);

            Console.WriteLine("====success====");
        }
    }
}

并提供我项目中安装的软件包。

enter image description here 

Install-Package Microsoft.Identity.Client -Version 4.16.1
Install-Package Microsoft.Graph
Install-Package Microsoft.Graph.Auth -IncludePrerelease

4。。顺便说一句,UserPrincipalName末尾有一个空格。请删除它,否则它将显示无效的主体名称。

希望有帮助〜

相关问题
最新问题