我正在尝试使用以下端点访问Microsoft Graph API以查询用户所属的组的列表
https://graph.microsoft.com/v1.0/users/ {userID} / memberOf
但是自最近两天以来,我的查询失败,并出现以下响应
{ error: {
code: 'Authorization_RequestDenied',
message: 'Insufficient privileges to complete the operation.',
innerError: {
'request-id': '7d8a5602-19ca-4cc7-a84d-60cc0c9c09d5',
date: '2020-04-28T11:44:24'
} } }
我已经具有作为管理员的权限和权限,我提供的访问权限包括
Directory.Read.All
Directory.ReadWrite.All
Group.Read.All
如Microsoft文档中所述:https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
此文档https://docs.microsoft.com/en-us/graph/auth-v2-service之后,API请求与访问令牌的自动化标头一起发送(来自服务)
在授权头中传递的已解码JWT令牌:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/TENANTID_REMOVED_FOR_SECURITY/",
"iat": 1588150105,
"nbf": 1588150105,
"exp": 1588154005,
"aio": "42dgYOCaN0c46++enU1fZx+98Lc3DQA=",
"app_displayname": "dspIT",
"appid": "MYAPPID_REMOVED_FOR_SECURITY",
"appidacr": "1",
"idp": "https://sts.windows.net/TENANTID_REMOVED_FOR_SECURITY/",
"oid": "fc709ea2-887e-4794-9417-ac578ab825e8",
"rh": "0.ATEAfGSULqtSkUqIuFyy2LRFJyPSTnvDYjVDlpuh_cMocSgxAAA.",
"roles": [
"User.ReadWrite.All",
"RoleManagement.Read.Directory",
"Group.Read.All",
"Directory.ReadWrite.All",
"Group.Create",
"Group.ReadWrite.All",
"User.Invite.All",
"Directory.Read.All",
"User.Read.All",
"GroupMember.Read.All",
"User.Export.All",
"PrivilegedAccess.Read.AzureADGroup",
"User.ManageIdentities.All",
"RoleManagement.ReadWrite.Directory",
"GroupMember.ReadWrite.All",
"Group.Selected",
"PrivilegedAccess.ReadWrite.AzureADGroup"
],
"sub": "fc709ea2-887e-4794-9417-ac578ab825e8",
"tid": "TENANTID_REMOVED_FOR_SECURITY",
"uti": "wvHXdAZomUefp2RpSGBPAA",
"ver": "1.0",
"xms_tcdt": 1519129156
}
感谢您的帮助。
根据您的解码后的JWT令牌,我进行了快速测试,并找到了原因。
似乎有一个应用程序许可权Group.Selected
,它会影响此API端点/memberOf
的调用。
此权限有问题,它影响了其他一些端点。我在here之前回答了类似的帖子。
因此,如果不需要,只需将其从Azure AD应用程序中删除。然后此错误将消失。
如果需要此权限,恐怕您需要创建一个新的Azure AD应用程序以在其中添加权限以供使用。