【发布时间】:2023-03-19 13:39:01
【问题描述】:
期望的行为
通过 Microsoft Graph 创建一个 group,在具有 delegated API 权限的 single tenant application 中使用 JavaScript SDK 和 MSAL。
实际行为
{
"statusCode": 403,
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"requestId": "6e865d96-ef8b-408e-a905-5393b4adcfdc",
"date": "2020-05-16T20:20:15.000Z",
"body": "{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\",\"innerError\":{\"request-id\":\"6e865d96-ef8b-408e-a905-5393b4adcfdc\",\"date\":\"2020-05-17T06:20:15\"}}"
}
我的尝试
为了创建代码,我使用了以下 API 参考说明:
登录/注销和所有其他 API 请求都正常工作。
订阅
Microsoft 365 Business Standard Trial
API 权限
Directory.AccessAsUser.All +++
Directory.ReadWrite.All ***
Group.ReadWrite.All
GroupMember.ReadWrite.All ***
openid
profile
Sites.Read.All
Tasks.ReadWrite
User.Read
*** 我在阅读this answer 后添加了这些,但仍然出现相同的错误。
+++ 我在下面的回答中提出建议后添加了这个。
我已单击 Azure 应用注册区域中的“授予管理员同意”按钮。
index.html
<!-- msal -->
<!-- from: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core -->
<script type="text/javascript" src="https://alcdn.msauth.net/lib/1.3.0/js/msal.js" integrity="****" crossorigin="anonymous"></script>
<!-- javascript sdk -->
<!-- from: https://github.com/microsoftgraph/msgraph-sdk-javascript -->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/@microsoft/microsoft-graph-client/lib/graph-js-sdk.js"></script>
config.js
// msal options
const msalConfig = {
auth: {
clientId: "client-id-here",
redirectUri: "http://localhost:8080",
authority: "https://login.microsoftonline.com/tenant-id-here"
},
cache: {
cacheLocation: "sessionStorage",
storeAuthStateInCookie: false,
forceRefresh: false
}
};
// define application permissions
const scopes = ['directory.accessasuser.all', 'directory.readwrite.all', 'group.readwrite.all', 'groupmember.readwrite.all', 'openid', 'profile', 'sites.read.all', 'user.read', 'tasks.readwrite' ];
auth.js
const msalApplication = new Msal.UserAgentApplication(msalConfig);
const loginRequest = {
scopes: scopes
}
async function sign_in() {
try {
await msalApplication.loginPopup(loginRequest);
if (msalApplication.getAccount()) {
console.log("sign in success");
}
} catch (error) {
console.log("sign in error");
console.log(error);
}
}
function sign_out() {
msalApplication.logout();
}
graph.js
var path = "/groups";
var group = {
description: "Here is a description.",
displayName: "test_test_test",
groupTypes: [
"Unified",
"DynamicMembership"
],
mailEnabled: true,
mailNickname: "test_test_test",
securityEnabled: false, // initially i had this as true, doesn't seem to make a difference either way
visibility: "Hiddenmembership",
"owners@odata.bind": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
],
"members@odata.bind": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
]
};
var response = await client.api(path)
.post(group);
相关阅读:
Learn about Microsoft 365 Groups
Overview of Microsoft 365 Groups for administrators
Working with groups in Microsoft Graph
Create, edit, or delete a security group in the Microsoft 365 admin center
Creating teams and managing members using Microsoft Graph
Overview of Office 365 groups in Microsoft Graph
关于可能导致错误的其他想法...
仅统一组支持可见性;安全组不支持它。
可能securityEnabled: true和visibility:Hiddenmembership的组合不兼容?
我尝试将其更改为 securityEnabled: false 并收到相同的消息。
令牌有问题吗?
我从 Chrome 开发工具控制台复制了 Authorisation: Bearer 值并粘贴到 https://jwt.io 并且令牌中提供了两个额外的范围 - 但所有其他范围都存在:
【问题讨论】:
-
它是否要求您的 Azure 广告租户管理员批准?在管理员批准之前,我无法使用 user.read.all 权限。此外,这适用于没有用户的守护程序应用程序。
-
我已单击 Azure 应用注册区域中的“授予管理员同意”按钮(将此信息添加到帖子中)。
标签: microsoft-graph-api microsoft-graph-sdks msal.js