Azure AD B2B SSO,带有多租户应用程序,I';我得到的回应是“我的朋友们;权限不足,无法完成操作。”;
我使用了以下权限:Azure AD B2B SSO,带有多租户应用程序,I';我得到的回应是“我的朋友们;权限不足,无法完成操作。”;,azure,asp.net-core-mvc,azure-active-directory,microsoft-graph-api,azure-ad-graph-api,Azure,Asp.net Core Mvc,Azure Active Directory,Microsoft Graph Api,Azure Ad Graph Api,我使用了以下权限: 公共无效测试() { 尝试 { 字符串tenantId=User.FindFirst(“http://schemas.microsoft.com/identity/claims/tenantid1.价值; 字符串权限=”https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?scope=openid%20profile%20User.ReadWrite%20User.ReadBasic.All%20Sit
公共无效测试()
{
尝试
{
字符串tenantId=User.FindFirst(“http://schemas.microsoft.com/identity/claims/tenantid1.价值;
字符串权限=”https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?scope=openid%20profile%20User.ReadWrite%20User.ReadBasic.All%20Sites.ReadWrite.All%20Contacts.ReadWrite%20People.Read%20Notes.ReadWrite.All%20Tasks.ReadWrite%20Files.ReadWrite.All%20Calendars.ReadWrite”;
字符串graphResourceId=”https://graph.microsoft.com";
字符串clientId=“XXX-XXX-XXX-XXX”;
string secret=“xxxxxxxxxxxxxxxxxxxx”;
authority=String.Format(authority,tenantId);
AuthenticationContext authContext=新的AuthenticationContext(授权);
var accessToken=authContext.AcquireTokenAsync(graphResourceId,new ClientCredential(clientId,secret)).Result.accessToken;
var graphserviceClient=新graphserviceClient(新DelegateAuthenticationProvider(requestMessage=>
{
requestMessage.Headers.Authorization=新的AuthenticationHeaderValue(“承载者”,accessToken);
返回Task.FromResult(0);
}));
var_users=graphserviceClient.users.Request().GetAsync().Result;
}
捕获(例外情况除外)
{
掷骰子;
}
}
公共异步任务索引()
{
字符串tenantId=User.FindFirst(“http://schemas.microsoft.com/identity/claims/tenantid1.价值;
字符串ClientID=“xxx xxx xxx xxx”;
ActiveDirectoryClient adClient=新的ActiveDirectoryClient(新Uri(“https://graph.windows.net/“+tenantId),async()=>await-GetAppTokenAsync(tenantId).ConfigureAwait(true));
尝试
{
var naaaewuser=adClient.Users.ExecuteAsync().Result;
}
捕获(例外情况除外)
{
掷骰子;
}
返回视图();
}
“代码”:“授权请求被拒绝”
“值”:“权限不足,无法完成操作。”
有人能帮我吗?如何获取未经“管理员同意”登录的组织的用户列表?此外,请让我知道,如果有任何替代这一点
谢谢我获得了解决方案,并获得了我所在组织的用户基本资料。解决方案:使用AcquireTokenSilentAsync方法获取访问令牌。更多细节
谢谢大家因为您使用v2端点作为权限:
https://login.microsoftonline.com/{0}/common/oauth2/v2.0
,您是否在apps.dev.microsoft.com上注册了该应用程序?是的-这是我已经问过的同一个问题,但太大了,请检查此问题。您的权限应该是https://login.microsoftonline.com/{0}/common/oauth2/v2.0
btwAnd不是Azure广告图的GraphServiceClient
?您可能应该在MS Graph客户端中使用该令牌。虽然它可能对这两个都起作用..但您仅使用客户端凭据来获取访问权限。您需要管理员同意才能获得应用程序权限(在这种情况下您将使用该权限)。
public void Test()
{
try
{
string tenantId = User.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?scope=openid%20profile%20User.ReadWrite%20User.ReadBasic.All%20Sites.ReadWrite.All%20Contacts.ReadWrite%20People.Read%20Notes.ReadWrite.All%20Tasks.ReadWrite%20Mail.ReadWrite%20Files.ReadWrite.All%20Calendars.ReadWrite";
string graphResourceId = "https://graph.microsoft.com";
string clientId = "XXX-XXX-XXX-XXX";
string secret = "XXXXXXXXXXXXXXXXXXXXXXXX";
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret)).Result.AccessToken;
var graphserviceClient = new GraphServiceClient(new DelegateAuthenticationProvider(requestMessage =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.FromResult(0);
}));
var _users = graphserviceClient.Users.Request().GetAsync().Result;
}
catch (Exception ex)
{
throw ex;
}
}
public async Task<IActionResult> Index()
{
string tenantId = User.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string ClientID = "xxx-xxx-xxx-xxx";
ActiveDirectoryClient adClient = new ActiveDirectoryClient(new Uri("https://graph.windows.net/" + tenantId), async () => await GetAppTokenAsync(tenantId).ConfigureAwait(true));
try
{
var naaaewuser = adClient.Users.ExecuteAsync().Result;
}
catch (Exception ex)
{
throw ex;
}
return View();
}