如何通过 Graph API 创建 Azure AD 组并将 SP 设置为所有者？

Question

我想要实现的是通过 Graph API 使用服务主体来创建一个新的 AAD 组，其中创建的 SP 是所有者。我的 SP 拥有Group.create 的权限。在我的尝试中，我使用 Node SDK for Graph API。

client.api("/groups").post({
    displayName: "aad-mgmt-group",
    mailEnabled: false,
    mailNickname: "aad-mgmt-group",
    securityEnabled: true,
    "owners@odata.bind": [
        "https://graph.microsoft.com/v1.0/users/<objectID-of-appregistration>"
    ]
}).then((x) => console.log(x))

我收到错误：

GraphError: Insufficient privileges to complete the operation.
    at new GraphError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphError.js:32:28)
    at Function.GraphErrorHandler.constructErrorFromResponse (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:62:22)
    at Function.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:89:48)
    at step (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:143:27)
    at Object.next (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:124:57)
    at /Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:117:75
    at new Promise (<anonymous>)
    at Object.__awaiter (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:113:16)
    at Function.GraphErrorHandler.getError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:85:24)
    at GraphRequest.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphRequest.js:315:84) {
  statusCode: 403,
  code: 'Authorization_RequestDenied',
  requestId: '984562d5-5ebd-483b-b61c-9603bf57aade',
  date: 2021-09-27T07:41:19.000Z,
  body: '{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2021-09-27T09:41:19","request-id":"984562d5-5ebd-483b-171c-9603bf57eade","client-request-id":"23f8c6ce-fdc8-1a66-3403-8650fc884d90"}}'
}

如果我更改权限并另外授予Group.ReadWrite.All，我会得到：

GraphError: Resource '<objectID-of-appregistration>' does not exist or one of its queried reference-property objects are not present.
    at new GraphError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphError.js:32:28)
    at Function.GraphErrorHandler.constructErrorFromResponse (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:62:22)
    at Function.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:89:48)
    at step (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:143:27)
    at Object.next (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:124:57)
    at /Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:117:75
    at new Promise (<anonymous>)
    at Object.__awaiter (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:113:16)
    at Function.GraphErrorHandler.getError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:85:24)
    at GraphRequest.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphRequest.js:315:84) {
  statusCode: 404,
  code: 'Request_ResourceNotFound',
  requestId: 'c9fddfeb-955f-4dd2-8b22-56dcf73f303b',
  date: 2021-09-27T17:00:56.000Z,
  body: `{"code":"Request_ResourceNotFound","message":"Resource 'fd0f22f8-d107-4ab1-adcc-c171fecb4e89' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2021-09-27T19:00:56","request-id":"a9fddfeb-955f-4dd2-8b22-43dcf73f303b","client-request-id":"a1a0f14a-82b9-a02b-5f6c-485c4fbb869b"}}`
}

为什么它不起作用？ ReadWrite.All 是否需要在创建时分配所有者？哪个 ObjectID 是正确的？ Enterprise App 或 App registrations 对象 ID？

Answer 1

这里有几件事可以尝试 -

1. 确保您的 Azure AD 设置到位。对于您注册的应用程序，重要的部分是获取其应用程序 ID 并为其提供足够的权限来创建组。
2. 还要检查同一端点，利用 Graph Explorer/Postman 将问题与您的代码隔离开来。

谢谢。

Answer 2

添加User.Read.All和User.ReadWrite.All权限，并允许服务主体为所有者读取用户数据。

示例：

试试这个link的例子

const options = {
    authProvider,
};

const client = Client.init(options);

const group = {
  description: 'Group with designated owner and members',
  displayName: 'Operations group',
  groupTypes: [
  ],
  mailEnabled: false,
  mailNickname: 'operations2019',
  securityEnabled: true,
  'owners@odata.bind': [
    'https://graph.microsoft.com/v1.0/users/26be1845-4119-4801-a799-aea79d09f1a2'
  ],
  'members@odata.bind': [
    'https://graph.microsoft.com/v1.0/users/ff7cb387-6688-423c-8188-3da9532a73cc',
    'https://graph.microsoft.com/v1.0/users/69456242-0067-49d3-ba96-9de6f2728e14'
  ]
};

await client.api('/groups')
    .post(group);

将其替换为 /servicePrincipals，如下所示：

"owners@odata.bind": [
    "https://graph.microsoft.com/v1.0/servicePrincipals/00964c82-a7c2-4675-bbed-54bcf16328b3"
  ]   

ObjectID需要从Enterprise application

获取

我在邮递员中尝试了这个例子，输出是：