AAD Graph User PATCH authorization issue

I am getting an unauthorized error when trying to PATCH a User entity (in a B2C tenant) with AAD Graph. The token, obtained via the client credentials flow with a symmetric key, has the Directory.ReadWrite.All permission for the graph.windows.net resource. What am I missing? (Do I have to obtain the token with an X509 certificate?)

Response:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Request:

https://graph.windows.net/xyz.onmicrosoft.com/users/c064a6a5-...1f5a0?api-version=1.6
Content-Type: application/json
Content-Length: 241
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IndVTG1ZZnNxZFF1V3RWXy1oeFZ0REpKWk00USIsImtpZCI6IndVTG1ZZnNxZFF1V3RWXy1oeFZ0REpKWk00USJ9.....ZAARkTCSK1MYDj3TnDY8djUxienvmNySn0sNR1iZ4eDdYLSrtqjVG2E9EL4nlSYIIP92HZ6io3MdASxsfHrbZaSTvgy6gqe2dNJZ_aWh23TyHop3q5ctLCTqQpNEP1AGcq6vnXk2ceN5CMXkzK1d8R3Zlwa3ICo7lWFDKDEea0_Y87Hvm8U2-zjgzhqAiZi6sH3u7BxiZBqWop4Jn9Wddv2qq_lGU7UuzEwbTMFQ87BKWvts3K_H4UnzZDvDrwSi_GrwvG9VBQ1ST66qhGLRESnW0u_

I think you are using AAD Graph to reset a user's password.

As the doc states, Directory.ReadWrite.All does not grant permission to reset a user's password.

If you want to reset the password, as the doc also mentions, you should use the delegated scope User.ReadWrite.All or Directory.AccessAsUser.All.

Important

Either delegated scope User.ReadWrite.All or Directory.AccessAsUser.All is required to reset a user's password. In addition to the correct scope, the signed-in user would need sufficient privileges to reset another user's password.
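To see why the question's token fails, it helps to look at which claims an Azure AD access token actually carries: an app-only token from the client credentials flow lists application permissions in a `roles` claim, while a delegated token (a user signed in) lists scopes in a space-separated `scp` claim, and the doc note above requires the delegated kind for a password reset. The script below is an added example, not code from the question, the answer or Microsoft; it decodes a token's payload without verifying the signature (it is for reading claims out of a token you already hold, not for trusting one), and classifies it against that requirement. The token payloads it builds with `make_demo_token` are constructed for the demo, and the helper and function names are this example's own.

```python
"""
Added example: inspect an Azure AD access token's claims and report whether it
could satisfy the delegated-scope requirement for resetting a user's password.
Signature verification is deliberately skipped; only the payload is read.
"""
import base64
import json

# Delegated scopes named in the quoted doc note as required for a password reset.
PASSWORD_RESET_SCOPES = {"User.ReadWrite.All", "Directory.AccessAsUser.All"}
# Resource the question's token was issued for (the audience claim).
AAD_GRAPH_RESOURCE = "https://graph.windows.net"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_demo_token(payload: dict) -> str:
    """Build a constructed, unsigned token (alg none, fake signature) for the demo."""
    header = {"typ": "JWT", "alg": "none"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.demo-signature"


def check_password_reset_token(token: str) -> dict:
    """Classify a token as app-only or delegated and check it against the doc's rule."""
    claims = decode_claims(token)
    # App-only (client credentials) tokens carry application permissions in "roles";
    # delegated tokens carry scopes as a space-separated string in "scp".
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    flow = "delegated" if scopes else "application"
    matched = scopes & PASSWORD_RESET_SCOPES

    if claims.get("aud") not in (AAD_GRAPH_RESOURCE, AAD_GRAPH_RESOURCE + "/"):
        allowed = False
        reason = f"token audience {claims.get('aud')!r} is not the AAD Graph resource"
    elif matched:
        allowed = True
        reason = "delegated scope present: " + ", ".join(sorted(matched))
    elif flow == "application":
        allowed = False
        reason = ("app-only token: application roles [" + ", ".join(sorted(roles)) +
                  "] cannot reset passwords; a delegated token with "
                  "User.ReadWrite.All or Directory.AccessAsUser.All is required")
    else:
        allowed = False
        reason = "delegated token lacks User.ReadWrite.All / Directory.AccessAsUser.All"

    return {
        "flow": flow,
        "roles": sorted(roles),
        "scopes": sorted(scopes),
        "can_reset_password": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed payloads: the question's situation, then a delegated token.
    app_only = make_demo_token({"aud": AAD_GRAPH_RESOURCE,
                                "roles": ["Directory.ReadWrite.All"]})
    delegated = make_demo_token({"aud": AAD_GRAPH_RESOURCE,
                                 "scp": "Directory.Read.All User.ReadWrite.All"})
    for t in (app_only, delegated):
        print(json.dumps(check_password_reset_token(t), indent=2))
```

The app-only token from the question decodes to a `roles` claim with `Directory.ReadWrite.All` and no `scp`, which is exactly the case the doc note says is not enough; the delegated token passes the claims check. Passing this check is necessary but not sufficient: as the note says, the signed-in user behind a delegated token must also hold directory privileges to reset another user's password, and that is decided service-side, not by anything in the token.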