通过Microsoft.Graph邀请用户会出现错误

Question

预期行为

应邀请用户，然后用更多信息更新该用户 https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0

实际行为

来源

"Microsoft.Graph.Core"

消息

"Code: Unauthorized\r\nMessage: Insufficient privileges to perform requested operation by the application '00000003-0000-0000-c000-000000000000'. ControllerName=MSGraphInviteAPI, ActionName=CreateInvite, URL absolute path=/api/9cXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/invites\r\n\r\nInner error\r\n"

Stacktrace

   at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
   at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   at Web.Api.Infrastructure.Infrastructure.Repositories.AzureRepository.CreateUser(CreateUserCommand user) in C:\Users\SamPrecious\source\repos\Adept\src\adept-web-api\Web.Api.Infrastructure\Infrastructure\Repositories\AzureRepository.cs:line 166

重现该行为的步骤

SDK版本： netcoreapp2.2
“ Microsoft.Graph”版本=“ 1.13.0” “ Microsoft.Graph.Core” Version =“ 1.13.0”

IDE版本： VS代码-1.31.1 Vsiual Studio Enterprise 2017-4.7.03056

我有此方法（将创建GraphServiceClient的代码移到方法中以证明观点） 客户端通过App注册进行身份验证（我获得了访问令牌），但是当运行Invite的代码运行时，authenticationContext.AcquireTokenAsync再次触发，并且上面的堆栈跟踪出现错误。根据API文档，客户端应用程序具有User.Invite.All，User.ReadWrite.All，Directory.ReadWrite.All。

为什么AppId会将代码更改为上述消息中的代码？

public async Task<string> CreateUser(CreateUserCommand user)
        {
            try
            {
                var clientCredential = new ClientCredential(_configuration["appId"], _configuration["secret"]);
                var authenticationContext = new AuthenticationContext(_configuration["authority"]);
                var authenticationResult = authenticationContext.AcquireTokenAsync("https://graph.microsoft.com", clientCredential).Result;

                var delegateAuthProvider = new DelegateAuthenticationProvider((requestMessage) =>
                {
                    requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authenticationResult.AccessToken);

                    return Task.FromResult(0);
                });

                var con = new GraphServiceClient(delegateAuthProvider);

                //invite user
                Invitation invitation = new Invitation();
                invitation.InvitedUserDisplayName = user.Name;
                invitation.SendInvitationMessage = true;
                invitation.InvitedUserEmailAddress = user.Email;
                invitation.InviteRedirectUrl = "http://localhost";
                var result = await con.Invitations.Request().AddAsync(invitation);

                //update user
                var aadUser = _connection.GetConnection().ActiveDirectoryUsers.GetById(result.Id);
                var updateUser = result.InvitedUser;
                updateUser.DisplayName = user.Name;
                updateUser.Surname = user.Surname;
                updateUser.Mail = user.Email;
                updateUser.MobilePhone = user.Phone;
                await con.Users[result.InvitedUser.Id].Request().UpdateAsync(updateUser);
                return aadUser.UserPrincipalName;
            }
            catch (System.Exception)
            {

                throw;
            }


        }

CreateUserCommand：

public class CreateUserCommand
    {
        public string Name { get; set; }
        public string Surname { get; set; }
        public string Email { get; set; }
        public string Phone { get; set; }
    }

以下是应用注册的记录

权限：

IConfiguration对象中的

App ID

Answer 1

仅当在用户上下文中调用API时，委派的权限才重要。

由于您使用的是客户端凭据，因此没有用户。 仅应用程序权限适用，因此请在此处设置正确的权限。

此外，由于您具有异步功能，因此最好也等待令牌：

var authenticationResult = await authenticationContext.AcquireTokenAsync("https://graph.microsoft.com", clientCredential);