Graph API - Getting insufficient privileges in a Microsoft Graph console application

Time: 2018-01-14 13:01:31

Tags: c# microsoft-graph azure-ad-graph-api

The code I am using in the console application:

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;  // ADAL

public static string GetAccessToken()
{
    // Create the authentication context (ADAL).
    // Authority is something like https://login.microsoftonline.com/xyz.com
    var authenticationContext = new AuthenticationContext(Authority);

    // Client-credentials flow: the app authenticates as itself, with no signed-in user
    var credentials = new ClientCredential(ClientId, ClientSecret);

    // GraphResource is https://graph.microsoft.com/
    var authenticationResult = authenticationContext.AcquireTokenAsync(GraphResource, credentials);

    var accessToken = authenticationResult.Result.AccessToken;
    return accessToken;  // we are getting an access token here
}

public static HttpClient GetHttpClient(string accessToken)
{
    // Create the HTTP client with the access token
    var httpClient = new HttpClient();
    httpClient.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer",
        accessToken);
    return httpClient;
}

public static async Task MakeRequest()
{
    // Get an access token and configure the HttpClient
    var accessToken = GetAccessToken();
    var httpClient = GetHttpClient(accessToken);

    var uri = "https://graph.microsoft.com/v1.0/users/abc@xyz.com/";

    // Get the current user (to extract the mail address)
    var response = await httpClient.GetAsync(uri);


    // var user = await MailClient.GetUserAsync(httpClient);  // this is also not working
    // Console.WriteLine(user.DisplayName);

    if (response.Content != null)
    {
        var responseString = await response.Content.ReadAsStringAsync();
        Console.WriteLine(responseString);
    }
}

In responseString, we get:

{  
   "error":{  
      "code":"Authorization_RequestDenied",
      "message":"Insufficient privileges to complete the operation.",
      "innerError":{  
         "request-id":"79267719-b160-4817-a200-xxxxxxxxxx",
         "date":"2018-01-14T11:00:00"
      }
   }
}

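The permissions we have under Application Permissions are as follows:

Under Delegated Permissions we have the "Read all users' full profiles" permission, but not under Application Permissions.

Query: Is it actually a permissions problem or something else?

1 answer:

Answer 0: (score: 0)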

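I would suggest using User.Read.All (Read all users' full profiles) or User.ReadBasic.All (Read all users' basic profiles) - for details on the permissions, see https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference

Setting these permissions only says "these are the permissions my app needs". It does not actually grant any permissions - you need to explicitly grant the permissions or have a customer consent. If this is your own tenant, you can click the "Grant Permissions" button in the Azure portal. Then try the application again. For details on configuring permissions, granting permissions and consent, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications

Hope this helps,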
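A diagnostic check for the situation discussed above, added here as an example that is not part of the original question or answer: a token obtained with the client-credentials flow lists the application permissions that were actually granted in its `roles` claim, so decoding the payload shows whether User.Read.All or User.ReadBasic.All was consented before Graph is called. The class and method names (`TokenRoleCheck`, `GetGrantedAppRoles`, `CanReadUsers`, `FakeToken`) are hypothetical, the sample tokens are constructed and unsigned, and `System.Text.Json` is assumed to be available.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenRoleCheck   // hypothetical helper, not from the post
{
    // JWT segments are base64url: '-' and '_' alphabet, '=' padding stripped.
    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    // Returns the "roles" claim (granted application permissions) of an app-only token.
    // Diagnostic only: the signature is NOT verified, so never use this for authorization.
    public static IReadOnlyList<string> GetGrantedAppRoles(string accessToken)
    {
        var parts = accessToken.Split('.');
        if (parts.Length != 3)
            throw new ArgumentException("Not a three-part JWT.", nameof(accessToken));

        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        if (!doc.RootElement.TryGetProperty("roles", out var roles) ||
            roles.ValueKind != JsonValueKind.Array)
            return Array.Empty<string>();   // requested but never granted/consented
        return roles.EnumerateArray().Select(r => r.GetString()).ToList();
    }

    // True when one of the permissions suggested in the answer is present.
    public static bool CanReadUsers(string accessToken) =>
        GetGrantedAppRoles(accessToken)
            .Any(r => r == "User.Read.All" || r == "User.ReadBasic.All");

    // Builds a constructed, unsigned sample token ("e30" is base64url of "{}").
    static string FakeToken(string payloadJson) =>
        "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson))
                     .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    public static void Main()
    {
        var noConsent = FakeToken("{\"aud\":\"https://graph.microsoft.com\"}");
        var consented = FakeToken("{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"User.Read.All\"]}");
        Console.WriteLine($"no consent: {CanReadUsers(noConsent)}");
        Console.WriteLine($"consented:  {CanReadUsers(consented)}");
    }
}
```

In the console application from the question, passing the result of `GetAccessToken()` to `CanReadUsers` before `MakeRequest()` distinguishes a missing grant from any other cause of the 403 response.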