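ADAL: Insufficient privileges to complete the operation

Time: 2017-07-03 18:17:11

Tags: azure-active-directory adal azure-ad-graph-api

I am trying to get a simple ADAL sample working that retrieves the groups a user belongs to in AAD. I have added all the permissions for AAD and Office Graph: Permissions

I keep getting the following error:

"Insufficient privileges to complete the operation."

I can see other threads from people with the same error, but that was because they had not set the Graph permissions.

Code: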

public static async Task<string> AcquireTokenAsync()
{
    if (TokenForApplication == null)
    {
        Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authenticationContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext("https://login.microsoftonline.com/thomaseg.onmicrosoft.com", false);

        ClientCredential clientCred = new ClientCredential(Constants.ClientId,
            Constants.AppKey);
        AuthenticationResult authenticationResult =
            await authenticationContext.AcquireTokenAsync("https://graph.windows.net",
                clientCred);
        TokenForApplication = authenticationResult.AccessToken;
    }
    return TokenForApplication;
}

/// <summary>
///     Get Active Directory Client for Application.
/// </summary>
/// <returns>ActiveDirectoryClient for Application.</returns>
public static ActiveDirectoryClient GetActiveDirectoryClient()
{
    Uri baseServiceUri = new Uri("https://graph.windows.net/thomaseg.onmicrosoft.com");
    ActiveDirectoryClient activeDirectoryClient =
        new ActiveDirectoryClient(baseServiceUri,
            async () => await AcquireTokenAsync());
    return activeDirectoryClient;
}

1 answer:

Answer 0: (score: 1)

When you ask the user to sign in, you need to add this parameter: prompt=admin_consent

See this article: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent

Here is an example in Startup.Auth.cs:
RedirectToIdentityProvider = context =>
{
    context.ProtocolMessage.Prompt = "admin_consent";
    return Task.FromResult(0);
},
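
A way to check whether consent actually took effect, as an added example that is not part of the original question or answer: with the client-credentials flow used in the question, the application permissions granted to the app appear in the `roles` claim of the access token, so an empty list means no application permission has been consented. The class name `TokenInspector`, the sample payloads and the use of `System.Text.Json` are assumptions of this example; the token is only decoded for diagnosis, its signature is not validated.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenInspector
{
    // JWT segments are base64url: '-' and '_' alphabet, padding stripped.
    static string DecodeSegment(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        if (s.Length % 4 == 1) throw new FormatException("Bad base64url length.");
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Returns the application permissions carried in an app-only access token.
    // Diagnostic only: the signature is NOT checked, so never use this for authorization.
    public static IReadOnlyList<string> GetAppRoles(string accessToken)
    {
        string[] parts = accessToken.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        using (JsonDocument doc = JsonDocument.Parse(DecodeSegment(parts[1])))
        {
            if (!doc.RootElement.TryGetProperty("roles", out JsonElement roles)
                || roles.ValueKind != JsonValueKind.Array)
                return Array.Empty<string>();
            return roles.EnumerateArray().Select(r => r.GetString()).ToList();
        }
    }

    // Builds an unsigned token from a constructed payload, for the demo below.
    static string FakeToken(string payloadJson)
    {
        string seg = Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return "e30." + seg + ".sig";
    }

    public static void Main()
    {
        // Constructed sample payloads, not real tokens.
        string consented = FakeToken("{\"aud\":\"https://graph.windows.net\",\"roles\":[\"Directory.Read.All\"]}");
        string notConsented = FakeToken("{\"aud\":\"https://graph.windows.net\"}");
        foreach (string token in new[] { consented, notConsented })
        {
            IReadOnlyList<string> roles = GetAppRoles(token);
            Console.WriteLine(roles.Count == 0 ? "No application permissions in token" : string.Join(", ", roles));
        }
    }
}
```

In the question's code, the value to inspect is `authenticationResult.AccessToken` returned by `AcquireTokenAsync`.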