Microsoft graph api 使用第一方应用程序调用Microsoft Graph API失败,权限不足,无法在“上完成操作”;订阅KUS API“;
调用microsoft graph API失败,原因是Microsoft graph api 使用第一方应用程序调用Microsoft Graph API失败,权限不足,无法在“上完成操作”;订阅KUS API“;,microsoft-graph-api,azure-ad-graph-api,Microsoft Graph Api,Azure Ad Graph Api,调用microsoft graph API失败,原因是 “代码”:“授权请求被拒绝”, “消息”:“权限不足,无法完成操作。”, 如果我们在租户中创建一个非管理员的新用户,就会发生这种情况。但是,当使用管理员用户调用这个时,它工作得很好。甚至它也适用于租户中的任何microsoft用户 这是下面我用来尝试的代码 public static async Task TestAadGraph() { // using obo token of the user.
“代码”:“授权请求被拒绝”, “消息”:“权限不足,无法完成操作。”, 如果我们在租户中创建一个非管理员的新用户,就会发生这种情况。但是,当使用管理员用户调用这个时,它工作得很好。甚至它也适用于租户中的任何microsoft用户 这是下面我用来尝试的代码
public static async Task TestAadGraph()
{
// using obo token of the user.
var graphToken = await GetTokenAsync(UserId, Token, "https://graph.microsoft.com");
var aadGraphClient = new AadGraphClient(new HttpClient());
var licenseResponse = await aadGraphClient.GetTenantLicenseDetailAsync(graphToken);
foreach (var license in licenseResponse)
{
Console.WriteLine("Sku ID: {0}", license.SkuId);
Console.WriteLine("Sku Part Number: {0}", license.SkuPartNumber);
foreach (var plan in license.ServicePlans)
{
Console.WriteLine("Plan Id: {0}", plan.ServicePlanId);
Console.WriteLine("Plan Name: {0}", plan.ServicePlanName);
}
}
}
public async Task<SubscribedSku[]> GetTenantLicenseDetailAsync(string accessToken)
{
var request = new RequestMessage
{
BearerToken = accessToken,
Endpoint = new Uri("http://graph.microsoft.com/v1.0/subscribedSkus"),
};
var response = await _httpClient.FetchAsync<SubscribedSkusResponse>(request);
return response.Value;
}
public static async Task<T> FetchAsync<T>(this HttpClient httpClient, RequestMessage request, Action<HttpResponseMessage, string> responseCallback) where T : class
{
request.Method = request.Method ?? HttpMethod.Get;
request.MediaType = request.MediaType ?? "application/json";
using (HttpRequestMessage message = new HttpRequestMessage(request.Method,
UrlHelper.AppendParameters(request.Params, request.Endpoint)))
{
if (!string.IsNullOrEmpty(request.BearerToken))
{
message.Headers.Authorization = new AuthenticationHeaderValue("Bearer",
request.BearerToken);
}
if (request.Headers != null)
{
foreach (KeyValuePair<string, string> header in request.Headers)
{
message.Headers.Add(header.Key, header.Value);
}
}
if (!string.IsNullOrEmpty(request.Content))
{
message.Content = new StringContent(request.Content, Encoding.UTF8,
request.MediaType);
}`
using (HttpResponseMessage response = await httpClient.SendAsync(message))
{
string json = await response.Content.ReadAsStringAsync();
if (responseCallback != null)
{
responseCallback?.Invoke(response, json);
}
if (response.IsSuccessStatusCode)
{
if (predictor != null)
{
json = predictor(JToken.Parse(json)).ToString();
}
return JsonConvert.DeserializeObject<T>(json);
}
else
{
throw new WebRequestException(response, json);
}
}
}
}
公共静态异步任务TestAadGraph()
{
//使用用户的obo令牌。
var graphToken=await GetTokenAsync(用户ID,令牌,“https://graph.microsoft.com");
var aadGraphClient=new aadGraphClient(new HttpClient());
var licensesponse=await aadGraphClient.GetTenantLicenseDetailAsync(graphToken);
foreach(licenseResponse中的var许可证)
{
WriteLine(“Sku ID:{0}”,license.SkuId);
WriteLine(“Sku部件号:{0}”,license.SkuPartNumber);
foreach(license.ServicePlans中的var计划)
{
WriteLine(“计划Id:{0}”,计划.ServicePlanId);
WriteLine(“计划名称:{0}”,计划.ServicePlanName);
}
}
}
公共异步任务GetTenantLicenseDetailAsync(字符串accessToken)
{
var request=newrequestmessage
{
BealerToken=accessToken,
端点=新Uri(“http://graph.microsoft.com/v1.0/subscribedSkus"),
};
var response=await\u httpClient.FetchAsync(请求);
返回响应值;
}
公共静态异步任务FetchAsync(此HttpClient HttpClient、RequestMessage请求、Action responseCallback),其中T:class
{
request.Method=request.Method??HttpMethod.Get;
request.MediaType=request.MediaType???“应用程序/json”;
使用(HttpRequestMessage message=新的HttpRequestMessage(request.Method,
UrlHelper.AppendParameters(request.Params,request.Endpoint)))
{
如果(!string.IsNullOrEmpty(request.BearerToken))
{
message.Headers.Authorization=新的AuthenticationHeaderValue(“承载人”,
请求(BearerToken);
}
if(request.Headers!=null)
{
foreach(request.Headers中的KeyValuePair头)
{
message.Headers.Add(header.Key,header.Value);
}
}
如果(!string.IsNullOrEmpty(request.Content))
{
message.Content=新的StringContent(request.Content,Encoding.UTF8,
请求类型(MediaType);
}`
使用(HttpResponseMessage响应=等待httpClient.SendAsync(消息))
{
string json=wait response.Content.ReadAsStringAsync();
if(responseCallback!=null)
{
responseCallback?.Invoke(响应,json);
}
if(响应。IsSuccessStatusCode)
{
if(预测器!=null)
{
json=predictor(JToken.Parse(json)).ToString();
}
返回JsonConvert.DeserializeObject(json);
}
其他的
{
抛出新的WebRequestException(响应,json);
}
}
}
}
首先,对中新创建的用户尝试相同的调用,以查看是否存在相同的场景。如果不是,则表示新用户没有问题
然后调试代码并将图形复制到中,查看解码结果是否具有所需的授权权限之一:Organization.Read.All,Directory.Read.All,Organization.ReadWrite.All,Directory.ReadWrite.All,Directory.accessUser.All
。请注意,“upn”应该是新创建的用户的用户名
如果所需权限不存在,则需要在Azure AD应用程序中分配权限。请参阅。完美。向第一方应用程序添加权限实际上是有效的。但如果开始使用,则在同一应用程序上完全没有例外。