Azure.ActiveDirectory.GraphClient "Insufficient privileges to complete the operation" in UpdateAsync (password reset)

Time: 2018-03-05 10:39:27

Tags: c# angularjs api azure-active-directory microsoft-graph

I am trying to implement "Reset Password" in my security application.

This is the script that runs when the reset button is clicked:

    $scope.resetPassword = function () {
        $http({ method: 'POST', url: 'api/tenant/admin/user/resetpassword', data: $scope.tenantUserPostModel }).success(function (response, status) {
            if (response) {
                console.log('inside response ' + response);
                noty({ timeout: 2000, layout: 'topRight', text: 'Changes saved successfully', type: 'success' });
                document.getElementById("passwordDetails").style.display = "block";
            }
        });
    };

My API:

    [HttpPost]
    [Route("api/tenant/admin/user/resetpassword")]
    public async Task<IHttpActionResult> ResetPassword([FromBody]TenantUserPostModel model)
    {
        #region update azure ad user

        // Build the UPN; append the default domain when only a bare user name was posted
        string userPrincipalName = model.UserName;
        if (!model.UserName.Contains("@"))
        {
            var defaultDomain = ConfigurationManager.AppSettings["DefaultDomain"];
            userPrincipalName = model.UserName + "@" + defaultDomain;
        }

        //*********************************************************************************************
        // update azure ad user
        //*********************************************************************************************
        var activeDirectoryClient = GetActiveDirectoryClientAsApplication();
        IUser userToBeUpdated;
        try
        {
            // Await the query instead of blocking on .Result inside an async action
            var page = await activeDirectoryClient.Users
                .Where(user => user.UserPrincipalName.Equals(userPrincipalName))
                .ExecuteAsync();
            List<IUser> users = page.CurrentPage.ToList();
            userToBeUpdated = users.First();
        }
        catch (Exception)
        {
            throw; // rethrow without resetting the stack trace
        }

        userToBeUpdated.DisplayName = model.DisplayName;
        userToBeUpdated.GivenName = model.FirstName;
        userToBeUpdated.Surname = model.LastName;
        userToBeUpdated.AccountEnabled = model.IsActive;
        userToBeUpdated.PasswordProfile = new PasswordProfile
        {
            Password = model.TempPassword,
            ForceChangePasswordNextLogin = true
        };

        try
        {
            //error here 'Insufficient privileges to complete the operation'
            await userToBeUpdated.UpdateAsync(false);
        }
        catch (Exception)
        {
            throw;
        }
        #endregion
        return this.Ok(model.Id);
    }

Screenshot of my Azure permissions:

[screenshot of the Azure AD application permissions]

After enabling "Access the directory as the signed-in user", I clicked Grant Permissions.

Edit: I have added the GetActiveDirectoryClientAsApplication method. I am not sure whether I am doing it correctly.

    protected ActiveDirectoryClient GetActiveDirectoryClientAsApplication()
    {
        Uri servicePointUri = new Uri(_GraphResourceId);
        Uri serviceRoot = new Uri(servicePointUri, _Tenant);
        // The token callback uses the client-credentials (app-only) flow
        var activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
             async () => await AcquireTokenAsyncForApplication());
        return activeDirectoryClient;
    }

    private async Task<string> GetTokenForApplicationAsync()
    {
        if (ExtendedUserProfile == null)
            throw new InvalidOperationException("initialize ExtendedUserProfile...");
        string authString = _AadInstance + _Tenant;
        AuthenticationContext authenticationContext = new AuthenticationContext(authString, false);
        ClientCredential clientCred = new ClientCredential(_ClientId, _Key);
        // Await instead of blocking on .Result, which can deadlock under ASP.NET
        AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(_GraphResourceId,
            clientCred);
        return authenticationResult.AccessToken;
    }

    private Task<string> AcquireTokenAsyncForApplication()
    {
        return GetTokenForApplicationAsync();
    }

1 answer:

Answer 0 (score: 2)

Based on how this function is called: GetActiveDirectoryClientAsApplication();

You are probably acquiring the access token with client credentials, i.e. as the application. That means delegated permissions (such as "Access the directory as the signed-in user") do not apply; only application permissions apply.

You need to use On-Behalf-Of to exchange the access token your API received for an access token to the Azure AD Graph API. That token will be in the user's context, so delegated permissions apply.
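The On-Behalf-Of exchange the answer describes, as an added example (not the asker's or answerer's code). It reuses the `_AadInstance`, `_Tenant`, `_ClientId`, `_Key` and `_GraphResourceId` fields from the question, uses ADAL's `AcquireTokenAsync(resource, ClientCredential, UserAssertion)` overload, and assumes the API's JWT bearer middleware was configured with `SaveSigninToken = true` so the caller's token is available as the identity's bootstrap context.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical counterpart to GetActiveDirectoryClientAsApplication: the Graph client
// obtains its token in the signed-in user's context, so delegated permissions apply.
protected ActiveDirectoryClient GetActiveDirectoryClientOnBehalfOfUser()
{
    Uri servicePointUri = new Uri(_GraphResourceId);
    Uri serviceRoot = new Uri(servicePointUri, _Tenant);
    return new ActiveDirectoryClient(serviceRoot, AcquireTokenOnBehalfOfUserAsync);
}

private async Task<string> AcquireTokenOnBehalfOfUserAsync()
{
    // The bearer token the caller presented to this API. It is only kept on the
    // identity when the bearer middleware saves it (SaveSigninToken = true, assumed).
    var identity = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
    var bootstrap = identity?.BootstrapContext as BootstrapContext;
    string incomingToken = bootstrap?.Token;
    if (string.IsNullOrEmpty(incomingToken))
        throw new InvalidOperationException(
            "No bootstrap token on the identity; enable SaveSigninToken on the bearer middleware.");

    var authContext = new AuthenticationContext(_AadInstance + _Tenant, false);
    var clientCred = new ClientCredential(_ClientId, _Key);

    // OAuth2 On-Behalf-Of: present the API's own credential plus the user's token as a
    // JWT bearer assertion, and receive a Graph token issued for that user.
    var userAssertion = new UserAssertion(incomingToken,
        "urn:ietf:params:oauth:grant-type:jwt-bearer");
    AuthenticationResult result = await authContext.AcquireTokenAsync(
        _GraphResourceId, clientCred, userAssertion);
    return result.AccessToken;
}
```

The resulting Graph token carries the user's delegated scopes, so a password reset succeeds only when the signed-in user holds the directory role required to reset that target's password, which is the least-privilege behaviour an admin API should preserve.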