
In my application I implemented sign-in with passport-azure-ad using the Azure AD OIDCStrategy. Now I am trying to call the Graph "List users" API with the access token received after signing in with Microsoft, but I get this error:

GraphError {
   statusCode: 403,
   code: 'Authorization_RequestDenied',
   message: 'Insufficient privileges to complete the operation.',
   request-id:"XXXX",
   date: 2020-11-24T09:24:05.000Z,
   body: '{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2020-11-24T14:54:05","request-id":"XXXX","client-request-id":"XXXXXXX"}}'
}

My application has all of these permissions, yet I still get the error above. What am I doing wrong?

[screenshot: the application's granted API permissions]

This is the decoded access token:

{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/7adbf72e-a1bf-48dc-8646-f09a986d8cf5/","iat":1606229343,"nbf":1606229343,"exp":1606233243,"acct":1,"acr":"1","acrs":["urn:user:registersecurityinfo","urn:microsoft:req1","urn:microsoft:req2","urn:microsoft:req3","c1","c2","c3","c4","c5","c6","c7","c8","c9","c10","c11","c12","c13","c14","c15","c16","c17","c18","c19","c20","c21","c22","c23","c24","c25"],"aio":"AUQAu/8RAAAAOsguW0xieoa2CFuuDvL0jrUAtSMCWcD3IdbuCmn3lJuENH6iLn9d8hRFHUma9pcCBZX/wJfdyN6bA61m7ntpgg==","altsecid":"5::10032000C782425B","amr":["pwd"],"app_displayname":"ODP Local App","appid":"57ceab52-f7b8-4de4-a3ad-25dad057c497","appidacr":"1","email":"xxxx@xxxx.com","idp":"https://sts.windows.net/f6e57c1b-6cbc-42a4-8e89-39e1bef6c49f/","idtyp":"user","ipaddr":"49.207.220.153","name":"xxxx.xxxx","oid":"e4c3eda9-513d-4cb6-bfb7-d13a856226bc","platf":"5","puid":"10032000C7758CA0","rh":"0.AAAALvfber-h3EiGRvCamG2M9VKrzle49-RNo60l2tBXxJceAJc.","scp":"Directory.Read.All Mail.Read openid profile User.Read User.Read.All User.ReadBasic.All email","sub":"nFYoEl4fstYqfN3kFRucklSfbW6dOoYKBf4KkCDwrkk","tenant_region_scope":"NA","tid":"7adbf72e-a1bf-48dc-8646-f09a986d8cf5","unique_name":"xxxx@xxxx.com","uti":"IjWpoZpXkEex8C9Om31AAA","ver":"1.0","wids":["13bd1c72-6f4a-4dcf-985f-18d3b80f208a"],"xms_st":{"sub":"Hg0g_xypTWd5nXzHsNNOTQQwBlABxJ-NlyRDj8JqsuM"},"xms_tcdt":1540458072}

PS: The API succeeds when the signed-in user is assigned the Application administrator role. Does the user need a separate role for the /users API? Are the application permissions not enough?


1 Answer


Because you are signed in as a guest user, you do not get the same access as a member user, so you cannot list all users. When you grant the guest user an administrator role, they get the full read and write permissions of that role, so they can list all users. You can look at the difference between member and guest users:

Guest users have restricted directory permissions. They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps; however, they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups, and other directory objects. Guests can be added to administrator roles, which grant them the full read and write permissions contained in the role. Guests can also invite other guests.

Alternatively, you can try the setting "Guest users have the same access as members (most inclusive)", which grants guest users all member-user permissions by default. However, this feature is currently in preview and requires you to sign in to the Azure portal as an administrator and go to: Users > User settings > Manage external collaboration settings > Guest user access:


Answered 2020-11-25T06:42:58.807
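As an added example (not part of the question or the answer), here is a small Node.js helper that reads the claims of the decoded token shown in the question and explains the 403 before any Graph call is retried: the `acct` claim and an `idp` tenant that differs from `tid` show that the signed-in user is a guest from another tenant, and `scp` shows which delegated scopes were actually granted. The function names are my own, and the sample claims are a trimmed, constructed copy of the token in the question.

```javascript
// Microsoft Graph application ID, the expected audience of a Graph access token.
const GRAPH_AUD = '00000003-0000-0000-c000-000000000000';

// Extract the tenant GUID from an issuer/idp URL such as https://sts.windows.net/<tid>/
function tenantFromIssuer(url) {
  const m = /^https:\/\/(?:sts\.windows\.net|login\.microsoftonline\.com)\/([0-9a-f-]{36})\/?/i
    .exec(url || '');
  return m ? m[1].toLowerCase() : null;
}

// Inspect decoded token claims and list reasons a delegated Graph call may be denied.
function diagnoseGraphAccess(claims, requiredScopes) {
  const granted = new Set((claims.scp || '').split(/\s+/).filter(Boolean));
  const missingScopes = requiredScopes.filter((s) => !granted.has(s));
  const idpTenant = tenantFromIssuer(claims.idp);
  // acct === 1 marks a guest; an idp tenant different from tid means the user
  // authenticated in another tenant (documented claim semantics, used as a heuristic).
  const isGuest = claims.acct === 1 ||
    (idpTenant !== null && idpTenant !== String(claims.tid || '').toLowerCase());
  const isAppOnly = claims.idtyp === 'app';
  const findings = [];
  if (claims.aud !== GRAPH_AUD && claims.aud !== 'https://graph.microsoft.com') {
    findings.push('token audience is not Microsoft Graph');
  }
  if (missingScopes.length) findings.push(`missing delegated scopes: ${missingScopes.join(' ')}`);
  if (isGuest && !isAppOnly) {
    findings.push('delegated token for a guest user: guests cannot enumerate the directory unless assigned a directory role');
  }
  return { isGuest, isAppOnly, missingScopes, findings };
}

// Map the GraphError from the question to an explanation; null for unrelated errors.
function explainGraphError(err, claims, requiredScopes) {
  if (err.statusCode !== 403 || err.code !== 'Authorization_RequestDenied') return null;
  const d = diagnoseGraphAccess(claims, requiredScopes);
  return d.findings.length
    ? d.findings
    : ['403 but the token looks adequate: check directory role assignments and admin consent'];
}

// Constructed sample: the relevant claims from the decoded token in the question.
const SAMPLE_CLAIMS = {
  aud: GRAPH_AUD,
  iss: 'https://sts.windows.net/7adbf72e-a1bf-48dc-8646-f09a986d8cf5/',
  tid: '7adbf72e-a1bf-48dc-8646-f09a986d8cf5',
  idp: 'https://sts.windows.net/f6e57c1b-6cbc-42a4-8e89-39e1bef6c49f/',
  acct: 1, idtyp: 'user',
  scp: 'Directory.Read.All Mail.Read openid profile User.Read User.Read.All User.ReadBasic.All email',
};
```

Run `diagnoseGraphAccess(SAMPLE_CLAIMS, ['User.Read.All'])` on the question's token and the only finding is the guest-user one, which matches the answer.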