在Node.js中的Azure AD中创建AD安全组

时间:2020-08-17 21:30:06

标签: node.js azure azure-ad-b2c azure-ad-graph-api

我试图在我的azure AD目录中创建一个安全组,并将b2c用户(已登录)添加到该组中。

msRestAzure.loginWithServicePrincipalSecret('72a3198b-', '-FvUZZ4G', tenantId, { tokenAudience: 'graph' }, function (err, credentials, subscriptions) {
    if (err) console.log("error: " + err);
    else {
        console.log(util.inspect(credentials));
    }
    var client = new graphRbacManagementClient(credentials, tenantId);
    client.groups.list({}, function(err, result){
        if(err){
            console.log('Could not list groups', err)
        }
        else {
            console.log("result: " + result);
        }
    })

我已在Azure上启用API权限。...

Azure AD SP permissions

尽管我成功使用我的SP进行了身份验证,但无论是尝试创建新组还是列出现有组等,我都会收到403的回信。

对我在这里做错的任何想法吗?

更新:我更改了代码,改用msRestAzure.loginWithServicePrincipalSecret('72a3198b-', '-FvUZZ4G', tenantId, { tokenAudience: 'graph' }, function (err, credentials, subscriptions) { if (err) console.log("error: " + err); else { console.log(util.inspect(credentials)); } var client = new graphRbacManagementClient(credentials, tenantId); client.groups.list({}, function(err, result){ if(err){ console.log('Could not list groups', err) } else { console.log("result: " + result); } }) 。我使用的用户名和密码用于具有管理员权限的用户。更改后,代码起作用并创建/列出了该组。所以我的猜测是,SP需要某种我尚未启用的访问/ API权限。我就是不知道。

1 个答案:

答案 0 :(得分:0)

graphRbacManagementClient不支持调用MS graph api。它用于Azure AD Graph API。

这是一个您可以遵循的code sample。它使用microsoft-graph-client来调用Microsoft Graph。

使用客户端凭据流获取访问令牌:

const request = require("request");

const endpoint = "https://login.microsoftonline.com/[Tenant]/oauth2/v2.0/token";
const requestParams = {
    grant_type: "client_credentials",
    client_id: "[ApplicationID]",
    client_secret: "[Key]",
    scope: "https://graph.microsoft.com/.default"
};

request.post({ url:endpoint, form: requestParams }, function (err, response, body) {
    if (err) {
        console.log("error");
    }
    else {
        console.log("Body=" + body);
        let parsedBody = JSON.parse(body);         
        if (parsedBody.error_description) {
            console.log("Error=" + parsedBody.error_description);
        }
        else {
            console.log("Access Token=" + parsedBody.access_token);
        }
    }
});

调用MS Graph API:

// list groups
function testListGroupGraphAPI(accessToken) {
    request.get({
        url:"https://graph.microsoft.com/v1.0/groups",
        headers: {
          "Authorization": "Bearer " + accessToken
        }
    }, function(err, response, body) {
        console.log(body);
    });
}

// create group    
function testCreateGroupGraphAPI(accessToken) {
    request.post({
        url:"https://graph.microsoft.com/v1.0/groups",
        headers: {
           "Authorization": "Bearer " + accessToken
        },
        json: {
            "description": "Self help community for library",
            "displayName": "Library Assist",
            "groupTypes": [
                "Unified"
            ],
            "mailEnabled": true,
            "mailNickname": "library",
            "securityEnabled": false
            }
    }, function(err, response, body) {
        console.log(body);
    });
}

有关更多详细信息,请参见here

Azure AD Graph 的权限在这里:

enter image description here

相关问题
最新问题