尝试使用 Microsoft.Graph 检索 AD 组的所有成员时出现授权错误
Getting Authorization error when trying to retrieve all members of an AD Group using Microsoft.Graph
我正在使用 Microsoft Graph 检索群组的所有成员。但我收到以下授权错误消息。从今天开始学习时,我无法弄清楚。我也浏览了一些与此相关的博客,但找不到根本原因。
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
AdditionalData:
date: 2021-09-24T11:25:11
request-id: ef3e82a6-f1df-4018-bccb-2eea075a934f
client-request-id: ef3e82a6-f1df-4018-bccb-2eea075a934f
ClientRequestId: ef3e82a6-f1df-4018-bccb-2eea075a934f
以下是我的代码:
private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
private static List<string> graphScopes =
new List<string>(ConfigurationManager.AppSettings["ida:AppScopes"].Split(' '));
public static async Task<IEnumerable<Event>> GetEventsAsync()
{
var graphClient = GetAuthenticatedClient();
var members = await graphClient.Groups["00000000-0000-0000-0000-000000000000"].Members.Request().GetAsync();
}
private static GraphServiceClient GetAuthenticatedClient()
{
return new GraphServiceClient(
new DelegateAuthenticationProvider(
async (requestMessage) =>
{
var idClient = ConfidentialClientApplicationBuilder.Create(appId)
.WithRedirectUri(redirectUri)
.WithClientSecret(appSecret)
.Build();
var tokenStore = new SessionTokenStore(idClient.UserTokenCache,
HttpContext.Current, ClaimsPrincipal.Current);
var accounts = await idClient.GetAccountsAsync();
var result = await idClient.AcquireTokenSilent(graphScopes, accounts.FirstOrDefault())
.ExecuteAsync();
requestMessage.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", result.AccessToken);
}));
}
应用程序设置:
<appSettings>
<add key="ida:AppID" value=[App Id] />
<add key="ida:AppSecret" value=[App Secret] />
<add key="ida:RedirectUri" value="https://localhost:44359/" />
<add key="ida:AppScopes" value="User.Read.All Calendars.Read" />
</appSettings>
我假设我可能需要调整 appSettings 中的 AppScopes 值但不确定。任何人都可以提供一些点击来解决这个问题吗?
提前致谢。
要获取群组成员列表,您需要以下权限
在您的应用设置中,您指定了不同的权限集:User.Read.All Calendars.Read
在 Azure 门户中检查您的应用程序的权限
资源:
我正在使用 Microsoft Graph 检索群组的所有成员。但我收到以下授权错误消息。从今天开始学习时,我无法弄清楚。我也浏览了一些与此相关的博客,但找不到根本原因。
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. Inner error: AdditionalData: date: 2021-09-24T11:25:11 request-id: ef3e82a6-f1df-4018-bccb-2eea075a934f client-request-id: ef3e82a6-f1df-4018-bccb-2eea075a934f ClientRequestId: ef3e82a6-f1df-4018-bccb-2eea075a934f
以下是我的代码:
private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
private static List<string> graphScopes =
new List<string>(ConfigurationManager.AppSettings["ida:AppScopes"].Split(' '));
public static async Task<IEnumerable<Event>> GetEventsAsync()
{
var graphClient = GetAuthenticatedClient();
var members = await graphClient.Groups["00000000-0000-0000-0000-000000000000"].Members.Request().GetAsync();
}
private static GraphServiceClient GetAuthenticatedClient()
{
return new GraphServiceClient(
new DelegateAuthenticationProvider(
async (requestMessage) =>
{
var idClient = ConfidentialClientApplicationBuilder.Create(appId)
.WithRedirectUri(redirectUri)
.WithClientSecret(appSecret)
.Build();
var tokenStore = new SessionTokenStore(idClient.UserTokenCache,
HttpContext.Current, ClaimsPrincipal.Current);
var accounts = await idClient.GetAccountsAsync();
var result = await idClient.AcquireTokenSilent(graphScopes, accounts.FirstOrDefault())
.ExecuteAsync();
requestMessage.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", result.AccessToken);
}));
}
应用程序设置:
<appSettings>
<add key="ida:AppID" value=[App Id] />
<add key="ida:AppSecret" value=[App Secret] />
<add key="ida:RedirectUri" value="https://localhost:44359/" />
<add key="ida:AppScopes" value="User.Read.All Calendars.Read" />
</appSettings>
我假设我可能需要调整 appSettings 中的 AppScopes 值但不确定。任何人都可以提供一些点击来解决这个问题吗?
提前致谢。
要获取群组成员列表,您需要以下权限
在您的应用设置中,您指定了不同的权限集:User.Read.All Calendars.Read
在 Azure 门户中检查您的应用程序的权限
资源: