我创建了一个控制台应用程序来创建 Azure AD 用户,如下所示(文档引用: https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http ):
static async Task Main(string[] args)
{
var credential = new ClientCredential("<clientt-id>", "<client-seceret>");
var authProvider = new HttpRequestMessageAuthenticationProvider(
credential,
"https://login.windows.net/<tenant-id>",
"https://graph.microsoft.com/");
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
var user = new User
{
AccountEnabled = true,
DisplayName = "Test User",
MailNickname = "testuser",
UserPrincipalName = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="d8acbdabacadabbdaa9895ebeeeda0a0a0a0a0a0a0f6b7b6b5b1bbaab7abb7beacf6bbb7b5" rel="noreferrer noopener nofollow">[email protected]</a> ",
PasswordProfile = "xxxxxxxxxxxx"
OnPremisesImmutableId = "id"
};
await graphClient.Users
.Request()
.AddAsync(user);
}
添加到应用程序的 API 权限为 Group.ReadWrite.All 和 User.ReadWrite.All。
运行此代码时,我看到以下错误:
代码:Authorization_RequestDenied 消息:权限不足,无法完成操作。
我错过了什么?
最佳答案
对于这个问题,我总结了以下几点,您需要检查:
1. 您的代码似乎使用 client_credentials 作为授权流程来完成这项工作,因此请检查您是否添加了“应用程序”权限,而不是“委派”权限。并且不要忘记授予管理员同意。
2.如果仍然显示Authorization_RequestDenied
消息,请删除权限Group.ReadWrite.All
,因为此权限是不必要的。而且在我过去的测试中,Group
权限可能会影响其他权限。
3. 貌似你在HttpRequestMessageAuthenticationProvider
类中开发了具体的代码,实际上有一个现成的SDK可供我们使用。我在下面提供了我的代码供您引用,该代码可以很好地创建用户。
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System;
using System.Threading.Tasks;
namespace ConsoleApp23
{
class Program
{
static async Task Main(string[] args)
{
Console.WriteLine("Hello World!");
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
.Create("<client_id>")
.WithTenantId("<tenant_id>")
.WithClientSecret("<client_secret>")
.Build();
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
var user = new User
{
AccountEnabled = true,
DisplayName = "huryAdd",
MailNickname = "huryAdd",
UserPrincipalName = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="8be3fef9f2caefefcbf3f3f3a5e4e5e6e2e8f9e4f8e4edffa5e8e4e6" rel="noreferrer noopener nofollow">[email protected]</a>",
PasswordProfile = new PasswordProfile
{
ForceChangePasswordNextSignIn = true,
Password = "Password0123"
},
OnPremisesImmutableId = "testOnPre"
};
await graphClient.Users.Request().AddAsync(user);
Console.WriteLine("====success====");
}
}
}
并提供我的项目中安装的软件包。
Install-Package Microsoft.Identity.Client -Version 4.16.1
Install-Package Microsoft.Graph
Install-Package Microsoft.Graph.Auth -IncludePrerelease
4.顺便说一下,您的UserPrincipalName
末尾有一个空格。请删除它,否则会显示无效的主体名称。
希望对你有帮助~
关于c# - 权限不足,无法添加 Azure AD 用户,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63042106/