Azure Active Directory: querying /policies/authenticationFlowsPolicy from the Microsoft Graph beta endpoint


I am trying to fetch all the possible policies for a tenant using the Microsoft Graph API.

Currently I am running into an issue when requesting this endpoint:
https://graph.microsoft.com/beta/policies/authenticationFlowsPolicy

I am using an application registered in my tenant and have granted it the necessary
Policy.Read.All
Policy.ReadWrite.AuthenticationFlows
permissions.

Here are my API permissions in the Azure portal:

However, I get a strange error:

{
  "error": {
    "code": "AADB2C",
    "message": "User Authorization: Access is denied.",
    "innerError": {
      "correlationId": "42c3423b-b1a3-42ee-9868-c3d18bbe0e8b",
      "date": "2021-01-14T18:45:11",
      "request-id": "6c9015d2-e320-41b5-85cf-0199b54d1198",
      "client-request-id": "6c9015d2-e320-41b5-85cf-0199b54d1198"
    }
  }
}
My tenant is not a B2C tenant, so what is this?

I noticed something interesting: when I use Graph Explorer signed in as a Global Administrator, I am able to query that endpoint. This is the response I get:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authenticationFlowsPolicy/$entity",
    "id": "authenticationFlowsPolicy",
    "displayName": "Authentication flows policy",
    "description": "Authentication flows policy allows modification of settings related to authentication flows in AAD tenant, such as self-service sign up configuration.",
    "selfServiceSignUp": {
        "isEnabled": false
    }
}
The web application I am developing calls Microsoft Graph using the
client_credentials
grant type
to get an access token. I obtain the access token with the application ID and application secret to perform these requests.

Does anyone know what my problem is and how I can fix it? I have not found a clear answer or an explanation of why this request does not work.

Edit:

Here is what my JWT looks like in the application:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/2b13d287-fc73-46c4-9803-0c4cc0fb8707/",
  "iat": 1610670358,
  "nbf": 1610670358,
  "exp": 1610674258,
  "aio": "E2JgYDi/9NvXFY4udyr5X/xm9p/sBQA=",
  "app_displayname": "ucic-endpoint",
  "appid": "f55c9031-dec0-47c4-8d25-b61c7dd1cc48",
  "appidacr": "1",
  "idp": "https://sts.windows.net/2b13d287-fc73-46c4-9803-0c4cc0fb8707/",
  "idtyp": "app",
  "oid": "49f39001-30d5-42cf-8754-f4d2502c4d22",
  "rh": "0.AAAAh9ITK3P8xEaYAwxMwPuHBzGQXPXA3sRHjSW2HH3RzEhSAAA.",
  "roles": [
    "User.ReadWrite.All",
    "Policy.ReadWrite.AuthenticationFlows",
    "Policy.ReadWrite.ApplicationConfiguration",
    "Directory.ReadWrite.All",
    "User.Invite.All",
    "User.Read.All",
    "Policy.Read.All"
  ],
  "sub": "49f39001-30d5-42cf-8754-f4d2502c4d22",
  "tenant_region_scope": "NA",
  "tid": "2b13d287-fc73-46c4-9803-0c4cc0fb8707",
  "uti": "YD03wmyyvUO86aVsJ4AEAA",
  "ver": "1.0",
  "xms_tcdt": 1585168975
}
And this is what the access token looks like when the request is executed from Graph Explorer:

{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/2b13d287-fc73-46c4-9803-0c4cc0fb8707/",
  "iat": 1610669274,
  "nbf": 1610669274,
  "exp": 1610673174,
  "acct": 0,
  "acr": "1",
  "acrs": [
    "urn:user:registersecurityinfo",
    "urn:microsoft:req1",
    "urn:microsoft:req2",
    "urn:microsoft:req3",
    "c1",
    "c2",
    "c3",
    "c4",
    "c5",
    "c6",
    "c7",
    "c8",
    "c9",
    "c10",
    "c11",
    "c12",
    "c13",
    "c14",
    "c15",
    "c16",
    "c17",
    "c18",
    "c19",
    "c20",
    "c21",
    "c22",
    "c23",
    "c24",
    "c25"
  ],
  "aio": "ASQA2/8SAAAAgY7CqdLXB3yrB6Mys5jkqtPKVEgTHYgXYaeqYtBb4sY=",
  "amr": [
    "pwd"
  ],
  "app_displayname": "Graph explorer (official site)",
  "appid": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
  "appidacr": "0",
  "idtyp": "user",
  "ipaddr": "12.207.18.194",
  "name": "Administrator",
  "oid": "b2d12f10-42eb-44a7-ba56-76ed8d268055",
  "platf": "3",
  "puid": "10032000A881CA7C",
  "rh": "0.AAAAh9ITK3P8xEaYAwxMwPuHB7XIi9752bFIqK23SNpyUGRSAAw.",
  "scp": "Calendars.ReadWrite Chat.Read Chat.ReadBasic Contacts.ReadWrite DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.Read.All DeviceManagementRBAC.Read.All DeviceManagementServiceConfig.Read.All Directory.ReadWrite.All Files.ReadWrite.All Group.ReadWrite.All IdentityRiskEvent.Read.All Mail.Read Mail.ReadWrite MailboxSettings.ReadWrite Notes.ReadWrite.All openid People.Read People.Read.All Place.Read Policy.Read.All Policy.Read.ConditionalAccess Policy.Read.PermissionGrant Policy.ReadWrite.ApplicationConfiguration Policy.ReadWrite.AuthenticationFlows Policy.ReadWrite.AuthenticationMethod Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.ConsentRequest Policy.ReadWrite.DeviceConfiguration Policy.ReadWrite.FeatureRollout Policy.ReadWrite.PermissionGrant Policy.ReadWrite.TrustFramework Presence.Read Presence.Read.All profile Reports.Read.All Sites.ReadWrite.All Tasks.ReadWrite User.Export.All User.Invite.All User.ManageIdentities.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All email",
  "sub": "Hi_D6BEuypaElwi2021X5VX6HfX-PXHEdghMXtKM21Q",
  "tenant_region_scope": "NA",
  "tid": "2b13d287-fc73-46c4-9803-0c4cc0fb8707",
  "unique_name": "admin@purplepandas.onmicrosoft.com",
  "upn": "admin@purplepandas.onmicrosoft.com",
  "uti": "rtRFD1UbsUmnTB-2DicBAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": {
    "sub": "O1oVLPpYMLQUaf1LY5lh99yUz56LH9dOZl1IWIMKlJw"
  },
  "xms_tcdt": 1585168975
}
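The two decoded tokens above differ in exactly the claims that decide which permission model Graph applies: the application token carries `idtyp: app` and its permissions in `roles`, while the Graph Explorer token carries `idtyp: user`, its scopes in `scp` and the signed-in user's directory roles in `wids`. The following script is an added example, not code from the question or from Microsoft; it decodes a compact JWT payload locally (without verifying the signature, so it is a diagnostic aid only, never an authorization check) and reports which kind of token it is, which of the two permissions named in the question are present, and whether the `wids` claim contains the Global Administrator role template ID (the mapping of `62e90394-69f5-4237-9190-012177145e10` to Global Administrator is an assumption from well-known Azure AD role template IDs, not stated on the page). The sample tokens are constructed inline from claim sets shaped like the ones posted, with an empty signature segment.

```python
import base64
import json

# The two application permissions the question says were granted to the app registration.
REQUIRED_PERMISSIONS = {"Policy.Read.All", "Policy.ReadWrite.AuthenticationFlows"}

# Assumption: well-known Azure AD role template ID for Global Administrator,
# which appears in the 'wids' claim of the Graph Explorer token in the question.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Both audience forms seen on the page refer to Microsoft Graph.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This mirrors pasting a token into a decoder to look at it. It must never be
    used to decide whether to trust a token; only the resource server's
    signature validation does that.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(claims: dict) -> dict:
    """Classify a Graph access token as application (client_credentials) or delegated.

    App-only tokens carry idtyp=app and permissions in 'roles'; delegated tokens
    carry idtyp=user, scopes in 'scp' and the user's directory roles in 'wids'.
    """
    is_app_only = claims.get("idtyp") == "app" or ("roles" in claims and "scp" not in claims)
    granted = set(claims.get("roles", [])) if is_app_only else set(claims.get("scp", "").split())
    return {
        "kind": "application" if is_app_only else "delegated",
        "granted": granted,
        "missing": REQUIRED_PERMISSIONS - granted,
        "has_global_admin": GLOBAL_ADMIN_TEMPLATE_ID in claims.get("wids", []),
        "audience_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none, empty signature) for offline demos."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claim sets shaped like the two tokens in the question (values are placeholders).
APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "idtyp": "app",
    "appid": "00000000-0000-0000-0000-000000000001",
    "roles": ["Policy.ReadWrite.AuthenticationFlows", "Policy.Read.All", "User.Read.All"],
})
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "00000003-0000-0000-c000-000000000000",
    "idtyp": "user",
    "appid": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
    "scp": "Policy.Read.All Policy.ReadWrite.AuthenticationFlows User.Read openid",
    "wids": [GLOBAL_ADMIN_TEMPLATE_ID],
})

if __name__ == "__main__":
    for name, token in (("app", APP_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, describe_token(decode_claims(token)))
```

Run against a real token, the report tells you in one line whether the call is being evaluated under application permissions (`roles`) or delegated permissions (`scp` plus the user's `wids`), which is the distinction the question turns on; it cannot tell you whether a given Graph endpoint accepts application permissions, since that decision is made server-side.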

As for the AADB2C error, a signed-in user is definitely required, so you cannot use the daemon-based client_credentials grant_type, since it usually has no user interaction. Instead you should get the access token by signing the user in and obtaining an authorization code, then redeeming the authorization code for an access token.

By the way, I just did a test using the client_credentials flow. It prompted me to sign in as a user. This is strange, because the documentation states that application permissions can be used, so I think this may be an unknown bug.

In addition, calling the API also requires the user to have an admin role:

You must have one of the following user roles to access: External ID User Flow Administrator, External ID User Flow Attribute Administrator, External Identity Provider Administrator, Application Administrator, Security Administrator, Security Reader, Global Reader, Global Administrator


... to parse your access token and provide a screenshot.

@CarlZhao I have included those JWTs in my post. But the thing is, my app does not use delegated permissions. It uses application permissions. Does Graph Explorer not use delegated permissions?

Graph Explorer uses the user/password flow, which defaults to delegated permissions.

Thanks for the help, Carl. So basically, for anything involving AAD B2C I cannot use the client_credentials grant flow? But what annoys me is that I get an AAD B2C error even though my tenant is not a B2C tenant.

@deathcat05 Yes, AAD B2C involves user interaction. It currently does not support the client credentials flow. As for the error you ran into today, I think it is a bug, and I noticed: this is a B2B function, a new feature, and it is still being updated.

@deathcat05 There is a similar B2C policy: , which is very similar to the AAD policy. The Graph API may have implemented that endpoint first and then carried over the B2C error message. Perhaps the developers forgot to modify the error message. I will report the error message to Microsoft and hope the bug gets fixed soon.

How do you know the first link is just a B2B feature and the second is a B2C feature (other than the second explicitly saying B2C)? I would really like to understand how you know this so I can look these things up in the future :)

@deathcat05 I clicked the link in the documentation and went to the
authenticationFlowsPolicy resource type
page. The document states:
Represents the policy configuration of the self-service sign-up experience at a tenant level that lets external users request to sign up for approval.