Azure MS Graph API-我可以读取B2C Active Directory中的用户,但无法创建用户
我使用azure函数作为前端应用程序和MS Graph之间的安全api 我有一个B2C广告,我可以使用azure功能获取单个用户并列出所有用户 当我试图创建一个用户时,我得到了未经授权的401 我的API应用程序已在B2C中注册,权限为Directory.Read.All、Directory.ReadWrite.All、Application.ReadWrite.All、AuditLog.Read.All和User.ReadWrite.All-所有这些应用程序均表示已获得管理员同意 客户端机密是有序的,并用作令牌请求的一部分 我从id}/oauth2/v2.0/token端点获取访问令牌。以下是我获取令牌的方式:Azure MS Graph API-我可以读取B2C Active Directory中的用户,但无法创建用户,azure,azure-functions,microsoft-graph-api,azure-ad-b2c,Azure,Azure Functions,Microsoft Graph Api,Azure Ad B2c,我使用azure函数作为前端应用程序和MS Graph之间的安全api 我有一个B2C广告,我可以使用azure功能获取单个用户并列出所有用户 当我试图创建一个用户时,我得到了未经授权的401 我的API应用程序已在B2C中注册,权限为Directory.Read.All、Directory.ReadWrite.All、Application.ReadWrite.All、AuditLog.Read.All和User.ReadWrite.All-所有这些应用程序均表示已获得管理员同意 客户端机密是
const APP_ID = 'XXXXXXX';
const APP_SECERET = 'XXXXXXXX';
const TOKEN_ENDPOINT ='https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token';
const MS_GRAPH_SCOPE = 'https://graph.microsoft.com/.default';
const MS_GRAPH_USER = "https://graph.microsoft.com/v1.0/users"
const axios = require('axios');
const qs = require('qs');
const postData = {
client_id: APP_ID,
scope: MS_GRAPH_SCOPE,
client_secret: APP_SECERET,
grant_type: 'client_credentials'
};
let token = null
await axios
.post(TOKEN_ENDPOINT, qs.stringify(postData))
.then(async (response) => {
token = response.data.access_token}) etc etc etc...
错误响应只是一个未经授权的401。如果需要,我可以发布完整的消息
我哪里做错了
谢谢
错误响应如下所示:
response: {
status: 401,
statusText: 'Unauthorized',
headers: {
'cache-control': 'private',
'content-type': 'application/json',
'request-id': '93918a37-f0ed-44c9-85ad-d22157e88239',
'client-request-id': '93918a37-f0ed-44c9-85ad-d22157e88239',
'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"SliceC","Ring":"4","ScaleUnit":"002","RoleInstance":"AGSFE_IN_40"}}',
'www-authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000"',
'strict-transport-security': 'max-age=31536000',
date: 'Tue, 15 Dec 2020 15:20:10 GMT',
connection: 'close',
'content-length': '302'
},
config: {
url: 'https://graph.microsoft.com/v1.0/users',
method: 'post',
data: 'accountEnabled=true&mailNickname=TT&passwordProfile%5BforceChangePasswordNextSignIn%5D=true&passwordProfile%5Bpassword%5D=XXX',
headers: [Object],
transformRequest: [Array],
transformResponse: [Array],
timeout: 0,
adapter: [Function: httpAdapter],
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN',
maxContentLength: -1,
maxBodyLength: -1,
validateStatus: [Function: validateStatus],
'content-type': 'application/json',
Authorization: 'Bearer XXX (removed)'
},
request: ClientRequest {
_events: [Object: null prototype],
_eventsCount: 7,
_maxListeners: undefined,
outputData: [],
outputSize: 0,
writable: true,
_last: true,
chunkedEncoding: false,
shouldKeepAlive: false,
useChunkedEncodingByDefault: true,
sendDate: false,
_removedConnection: false,
_removedContLen: false,
_removedTE: false,
_contentLength: null,
_hasBody: true,
_trailer: '',
finished: true,
_headerSent: true,
socket: [TLSSocket],
connection: [TLSSocket],
_header: 'POST /v1.0/users HTTP/1.1\r\n' +
'Accept: application/json, text/plain, */*\r\n' +
'Content-Type: application/x-www-form-urlencoded\r\n' +
'User-Agent: axios/0.21.0\r\n' +
'Content-Length: 127\r\n' +
'Host: graph.microsoft.com\r\n' +
'Connection: close\r\n' +
'\r\n',
_onPendingData: [Function: noopPendingOutput],
agent: [Agent],
socketPath: undefined,
method: 'POST',
insecureHTTPParser: undefined,
path: '/v1.0/users',
_ended: true,
res: [IncomingMessage],
aborted: false,
timeoutCb: null,
upgradeOrConnect: false,
parser: null,
maxHeadersCount: null,
reusedSocket: false,
_redirectable: [Writable],
[Symbol(kCapture)]: false,
[Symbol(kNeedDrain)]: false,
[Symbol(corked)]: 0,
[Symbol(kOutHeaders)]: [Object: null prototype]
},
data: { error: [Object] }
},,
伊萨西奥塞罗:没错,
toJSON:[函数:toJSON]
}
编辑:
尝试了graph explorer,尽管对每个权限都有许可,但我还是得到了403的许可
我已经要求我的全局管理员确认,但我认为我有应用程序管理员的角色
另外,由于我注册的应用程序已授予管理员权限,我认为这会起作用,因为它不依赖于我的权限
谢谢请使用以下代码获取用户列表并创建新用户
const request = require('request');
let tokentest='';
const endpoint = "https://login.microsoftonline.com/tenantid/oauth2/v2.0/token";
const requestParams = {
grant_type: "client_credentials",
client_id : "clientid",
client_secret : "secret",
scope: "https://graph.microsoft.com/.default"
};
user = {
accountEnabled: true,
displayName: "Adele Vance",
mailNickname: "AdeleV",
userPrincipalName: "AdeleghhhVgghhh@xxx",
"passwordProfile" : {
forceChangePasswordNextSignIn: true,
password: "xWwvJ]6NMw+bWH-d"
}
};
request.post({ url:endpoint, form: requestParams }, function (err, response, body) {
if (err) {
console.log("error");
}
else {
console.log("Body=" + body);
let parsedBody = JSON.parse(body);
if (parsedBody.error_description) {
console.log("Error=" + parsedBody.error_description);
}
else {
console.log("Access Token=" + parsedBody.access_token);
createGraphAPI(parsedBody.access_token);
testGraphAPI(parsedBody.access_token)
}
}
});
function testGraphAPI(accessToken) {
request.get({
url:"https://graph.microsoft.com/v1.0/users",
headers: {
"Authorization": "Bearer " + accessToken
}
}, function(err, response, body) {
console.log(body);
});
}
function createGraphAPI(accessToken) {
request.post({
url:"https://graph.microsoft.com/v1.0/users",
headers: {
"Authorization": "Bearer " + accessToken,
'content-type': 'application/json'
},json:user
}, function(err, response, body) {
console.log(body);
});
}
你能提供错误的相关id和时间戳吗message@SruthiJ-MSFTIdentity我已将错误响应添加到正文中。无法明确查看您请求的属性请告诉我们您担任的角色,如果您遇到任何问题(相关id和时间戳),请尝试使用并共享错误详细信息。谢谢@SruthiJ MSFTIdentity-我添加了graph explorer反馈的详细信息以及一些评论。期待收到您的来信。请以文本格式提供请求id和时间戳谢谢@SruthiJ MSFTIdentity,但我不认为这与我正在使用的代码有什么不同。我感觉我的应用程序是在我的B2C租户中注册的,而不是在我的AAD租户中注册的,这可能是问题所在……不是。我仍然获得401 Unauthorized您是否可以确保您正确传递了访问令牌,并尝试了上述代码,替换为clientid、tenantid和secret。{错误:{代码:{code:'Authorization_IdentityNotFound',消息:'无法建立调用应用程序的身份',内部错误:{日期:'2020-12-17T14:19:00','请求id':'0e2bb9bb-968c-4be0-a412-a939dba034ef','客户端请求id':'0e2bb9bb-968c-4be0-a412-a939dba034ef'}}