我已在 Azure 门户中注册了该应用程序,并生成了 client_secret。 我需要客户端授权流程,并且我也授予了应用程序权限。我也已授予管理员同意,因为我自己就是管理员。
我可以使用给定的 url 生成访问令牌:
https://login.microsoftonline.com/47be0abf-c6a1-4f04-a665-dceb081c4ff1/oauth2/v2.0/token?client_id=********&client_secret=******&grant_type=client_credentials&scope=User.ReadBasic.All%20User.Read%20User.ReadWrite%20User.Read.All%20User.ReadWrite.All%20Directory.Read.All%20Directory.ReadWrite.All%20Directory.AccessAsUser.All
但是,当我使用生成的令牌访问以下网址时,我收到权限不足的消息。
https://graph.microsoft.com/v1.0/users
Authorization Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEQ29NcGpKWHJ4VHE5Vkc5dGUtN0ZYNndkRlV3aTBKbGlHcWhEWkgybFRlYWh6SUhUX0VsazFaYTFuUHRzNWo3SW5xMDBmbnNNRkpNUWRYdWdVZnpaZ0cxT19uenNPTXpwN2tpUFFIR2VHTnlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiQ3RmUUM4TGUtOE5zQzdvQzJ6UWtacGNyZk9jIiwia2lkIjoiQ3RmUUM4TGUtOE5zQzdvQzJ6UWtacGNyZk9jIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80N2JlMGFiZi1jNmExLTRmMDQtYTY2NS1kY2ViMDgxYzRmZjEvIiwiaWF0IjoxNTYwMjUzMDE1LCJuYmYiOjE1NjAyNTMwMTUsImV4cCI6MTU2MDI1NjkxNSwiYWlvIjoiNDJaZ1lQajhVdnBwWGMySEU1WGZwbnZxSG43akFnQT0iLCJhcHBfZGlzcGxheW5hbWUiOiJUdXRvcmlhbCBTYW1wbGUgQXBwIiwiYXBwaWQiOiI2NzMxZGU3Ni0xNGE2LTQ5YWUtOTdiYy02ZWJhNjkxNDM5MWUiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80N2JlMGFiZi1jNmExLTRmMDQtYTY2NS1kY2ViMDgxYzRmZjEvIiwib2lkIjoiNjg0ZjkzMjUtNjUyNS00Yjk5LTgwNzktOTEyOGZjZWNlNGViIiwic3ViIjoiNjg0ZjkzMjUtNjUyNS00Yjk5LTgwNzktOTEyOGZjZWNlNGViIiwidGlkIjoiNDdiZTBhYmYtYzZhMS00ZjA0LWE2NjUtZGNlYjA4MWM0ZmYxIiwidXRpIjoiSkZjUE9SSHRGVTJMMWludEpkY2RBQSIsInZlciI6IjEuMCIsInhtc190Y2R0IjoxMzQ0Njc5MzA0fQ.fXEs7eClm5SYXychcKXbTfcc5gtvyyMa5fDWuGu2vqQ4Zc6V0jJSHSeksRiOzYE8SOJXRTmI9vJtbs2XIMFr0CRHeTgoCDReV8JWJ8yhOKiDnc-_2AHtSoBnqt6ibF0eX4AzkyioJd24-uYTSkheC_zDpd6GS3T5T077BU_1M7kpngXDfEICi38VkddcpdBUG8FgHUSPq0S9fCosIB4_JPwspq3QC6jJyoRrj1Yj2oR8FwBA1dpgWq_e0QoGnWXgT6EhBKedjY0hwHGY-F73ndvRlAKKW63JYucdOtRyC2zFDc4DPwhN1nyPlh86_Y0Zru8UTb0QgWRFKbGZwQcEOg
我尝试过更改权限并添加和删除权限。
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "aa38f822-7325-44ad-9127-3cb4779578bf",
"date": "2019-06-11T11:42:16"
}
}
}
更新 :包含权限截图配置
令牌的 JWT 调试器输出:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/f77804fb-8607-4e96-9fae-231360cc82b7/",
"iat": 1560273380,
"nbf": 1560273380,
"exp": 1560277280,
"aio": "42ZgYKjulnV3u/vJZNN0gz3ld2ZpAwA=",
"app_displayname": "clmapp",
"appid": "82ad79f2-27c7-4304-92f6-e3ffdb637e72",
"appidacr": "1",
"idp": "https://sts.windows.net/f77804fb-8607-4e96-9fae-231360cc82b7/",
"tid": "f77804fb-8607-4e96-9fae-231360cc82b7",
"uti": "BpTbRLEb5ECSO3qjslIgAA",
"ver": "1.0",
"xms_tcdt": 1376441181
}
您可以尝试以下方法:
允许:
确保您有以下内容允许:
在 Azure 门户上授予权限:
Step:1
Select Application Permission On API permissions menu
Step:2
Select User.ReadWrite.All under Application Permission部分但是User.Read.All也还好吧。
令牌请求格式:
URL:https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/token
对于 V2.0 网址:
https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
HTTP Verb: POST
grant_type:client_credentials
client_id:b603c7be-a866-4-e6921e61f925
client_secret:Vxf1SluKbguf3wE5oGl/2XDSeZ8wL/Yp8ns4sc=
resource:https://graph.microsoft.com
对于 V2.0 范围将是:
scope:https://graph.microsoft.com/.default
请参阅下面的屏幕截图:
解码令牌并确认权限:
您可以使用https://jwt.io/解码您的令牌以确保您拥有所需的权限:请参阅下面的屏幕截图:
请求用户列表:
和你的Token在此端点上请求https://graph.microsoft.com/v1.0/users。请参阅下面的屏幕截图。我已经成功获取所有用户列表。
