Short version:
How do I correctly set up application permissions and/or role assignments and/or whatever else I am missing so that a shared mailbox can be created using an application id/secret (OAuth client credentials)?
So far I have tried several combinations of permissions/roles, such as Exchange.ManageAsApp, User Administrator (fe930be7-5e62-47db-91af-98c3a49a38b1), Exchange Administrator (29232cdf-9323-42fd-ade2-1d097af3e4de) and some others.
Details:
I have a bunch of PowerShell scripts that automate various tasks on Exchange Online. Until now I have been using basic authentication, and I was able to convert that successfully to the OAuth password flow.
But to get rid of the dependency on a service account entirely, I would prefer to use the client credentials flow. Under the hood I am trying to do something like this:
var authenticationContext = new AuthenticationContext($"https://login.microsoftonline.com/{TenantId}", false, _tokenCache);
var clientCredential = new ClientCredential(ClientId, ClientSecret);
var authenticationResult = await authenticationContext.AcquireTokenAsync(Resource, clientCredential);
var username = "OAuthUser@" + TenantId;
var password = authenticationResult.CreateAuthorizationHeader();
var executor = new ExolExecutor(username, password);
await executor.Execute(Script, cancellationToken);
where the executor does the usual things:
- creates a PSSession to
https://outlook.office365.com/powershell-liveid?BasicAuthToOAuthConversion=true
- executes the PowerShell script using
using PowerShell powershell = PowerShell.Create();
powershell.Runspace = runspace;
powershell.AddScript(script);
...
await Task.Factory.FromAsync(powershell.BeginInvoke(input, output), powershell.EndInvoke);
- removes the PSSession
So far so good. It works with Get-Mailbox -ResultSize 1. But when trying to create a new shared mailbox with New-Mailbox -Name "pko222" -DisplayName "pko222" -Alias "pko222" -Shared I get
CategoryInfo.Activity: New-Mailbox
CategoryInfo.Category: 1001
CategoryInfo.Reason: ADOperationException
CategoryInfo.TargetName:
CategoryInfo.TargetType:
ErrorDetails.Message:
ErrorDetails.RecommendedAction:
Exception.Message: Active Directory operation failed on DB7PR01A03DC005.EURPR01A003.prod.outlook.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
FullyQualifiedErrorId: [Server=BEXP281MB0087,RequestId=88419a8e-78a4-4967-9bca-71d40feb5150,TimeStamp=10/6/2020 11:57:38 AM] [FailureCategory=Cmdlet-ADOperationException] 2C0312E5,Microsoft.Exchange.Management.RecipientTasks.NewMailbox
The JWT token looks like this:
{
"aud": "https://outlook.office365.com",
"iss": "https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/",
"iat": 1601985127,
"nbf": 1601985127,
"exp": 1601989027,
"aio": "E2RgYFCOsw1iZj34elV49CH5zyd5AQ==",
"app_displayname": "XXXXXXXXXXX",
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"appidacr": "1",
"idp": "https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/",
"oid": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
"rh": "0.AAAAv9y4fwZQ_0G6_d1kLKJ_sarAXb_REQFHhc2EM1FNn9tIAAA.",
"roles": ["User.Read.All", "full_access_as_app", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "User.ReadBasic.All", "Mailbox.Migration", "Mail.Read", "Mail.Send", "MailboxSettings.Read", "Exchange.ManageAsApp"],
"sid": "qqqqqqqq-qqqq-qqqq-qqqq-qqqqqqqqqqqq",
"sub": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
"tid": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
"uti": "CRytfXbD80y3ATmQvd-VAQ",
"ver": "1.0",
"wids": ["29232cdf-9323-42fd-ade2-1d097af3e4de", "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "fe930be7-5e62-47db-91af-98c3a49a38b1", "9360feb5-f418-4baa-8175-e2a00bac4301", "62e90394-69f5-4237-9190-012177145e10", "0997a1d0-0d1d-4acb-b408-d5ca73121e90"]
}
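An added example, not part of the question or of any answer to it: when an app-only call is denied, the first thing worth checking is what the access token actually carries, because the `roles` claim (application permissions) and the `wids` claim (directory role template ids) are both visible in the payload. The script below decodes a token's payload without verifying the signature, which is acceptable for local inspection only and never for an authorization decision, and reports whether the token is app-only, which credential type was used (`appidacr` "1" is a client secret, "2" a certificate), and whether the Exchange.ManageAsApp permission and the Exchange Administrator role template id quoted above are present. The sample token is constructed here from the claims in the question with placeholder values; the role ids are the ones the question lists.

```python
import base64
import json

# Directory role template ids as quoted in the question.
EXCHANGE_ADMIN_ROLE_ID = "29232cdf-9323-42fd-ade2-1d097af3e4de"
USER_ADMIN_ROLE_ID = "fe930be7-5e62-47db-91af-98c3a49a38b1"
EXCHANGE_AUDIENCE = "https://outlook.office365.com"


def b64url_decode(segment: str) -> bytes:
    """Base64url decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    The signature is NOT verified: this is for inspecting a token you already
    hold, never for deciding whether to trust one presented to you.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_app_only_token(claims: dict, now: int) -> dict:
    """Summarise whether the claims look like a usable app-only Exchange Online token."""
    roles = claims.get("roles", [])
    wids = claims.get("wids", [])
    return {
        "audience_is_exchange": claims.get("aud") == EXCHANGE_AUDIENCE,
        # App-only tokens carry 'roles'; delegated tokens carry 'scp' instead.
        "is_app_only": "scp" not in claims and "roles" in claims,
        "uses_client_secret": claims.get("appidacr") == "1",
        "has_manage_as_app": "Exchange.ManageAsApp" in roles,
        "has_exchange_admin_role": EXCHANGE_ADMIN_ROLE_ID in wids,
        "has_user_admin_role": USER_ADMIN_ROLE_ID in wids,
        "not_expired": claims.get("nbf", 0) <= now < claims.get("exp", 0),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token for offline demonstration only (constructed, not a real token)."""
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}."


# Constructed sample: the claims quoted in the question, with placeholder ids.
SAMPLE_CLAIMS = {
    "aud": EXCHANGE_AUDIENCE,
    "iss": "https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/",
    "nbf": 1601985127,
    "exp": 1601989027,
    "appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "appidacr": "1",
    "roles": ["full_access_as_app", "Mail.ReadWrite", "Exchange.ManageAsApp"],
    "wids": [EXCHANGE_ADMIN_ROLE_ID, USER_ADMIN_ROLE_ID],
    "ver": "1.0",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


def report(token: str, now: int) -> list:
    """Return the names of the checks that failed, empty if everything looks in order."""
    findings = check_app_only_token(decode_payload(token), now)
    return [name for name, ok in findings.items() if not ok]


if __name__ == "__main__":
    for name, ok in check_app_only_token(decode_payload(SAMPLE_TOKEN), 1601985200).items():
        print(f"{name:25s} {'OK' if ok else 'MISSING'}")
```

If every check passes and the cmdlet is still denied, the problem is not the token contents but how the service principal's role assignment is honoured by the workload; if `is_app_only` is false, the token was issued through a delegated flow and `roles` will not be consulted at all.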