c# - 权限不足，无法添加 Azure AD 用户

Question

我创建了一个控制台应用程序来创建 Azure AD 用户，如下所示(文档引用: https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http ):

static async Task Main(string[] args)
        {
            var credential = new ClientCredential("<clientt-id>", "<client-seceret>");
            var authProvider = new HttpRequestMessageAuthenticationProvider(
                                                        credential,
                                                        "https://login.windows.net/<tenant-id>",
                                                        "https://graph.microsoft.com/");

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "Test User",
                MailNickname = "testuser",
                UserPrincipalName = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="d8acbdabacadabbdaa9895ebeeeda0a0a0a0a0a0a0f6b7b6b5b1bbaab7abb7beacf6bbb7b5" rel="noreferrer noopener nofollow">[email protected]</a> ",
                PasswordProfile = "xxxxxxxxxxxx"
                OnPremisesImmutableId = "id"
            };

            await graphClient.Users
                .Request()
                .AddAsync(user);
        }

添加到应用程序的 API 权限为 Group.ReadWrite.All 和 User.ReadWrite.All。

运行此代码时，我看到以下错误:

代码:Authorization_RequestDenied 消息:权限不足，无法完成操作。

我错过了什么？

Answer 1

对于这个问题，我总结了以下几点，您需要检查:

1. 您的代码似乎使用 client_credentials 作为授权流程来完成这项工作，因此请检查您是否添加了“应用程序”权限，而不是“委派”权限。并且不要忘记授予管理员同意。

2.如果仍然显示Authorization_RequestDenied消息，请删除权限Group.ReadWrite.All，因为此权限是不必要的。而且在我过去的测试中，Group 权限可能会影响其他权限。

3. 貌似你在HttpRequestMessageAuthenticationProvider类中开发了具体的代码，实际上有一个现成的SDK可供我们使用。我在下面提供了我的代码供您引用，该代码可以很好地创建用户。

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System;
using System.Threading.Tasks;

namespace ConsoleApp23
{
    class Program
    {
        static async Task Main(string[] args)
        {
            Console.WriteLine("Hello World!");

            IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create("<client_id>")
                .WithTenantId("<tenant_id>")
                .WithClientSecret("<client_secret>")
                .Build();

            ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "huryAdd",
                MailNickname = "huryAdd",
                UserPrincipalName = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="8be3fef9f2caefefcbf3f3f3a5e4e5e6e2e8f9e4f8e4edffa5e8e4e6" rel="noreferrer noopener nofollow">[email protected]</a>",
                PasswordProfile = new PasswordProfile
                {
                    ForceChangePasswordNextSignIn = true,
                    Password = "Password0123"
                },
                OnPremisesImmutableId = "testOnPre"
            };

            await graphClient.Users.Request().AddAsync(user);

            Console.WriteLine("====success====");
        }
    }
}

并提供我的项目中安装的软件包。

Install-Package Microsoft.Identity.Client -Version 4.16.1
Install-Package Microsoft.Graph
Install-Package Microsoft.Graph.Auth -IncludePrerelease

4.顺便说一下，您的UserPrincipalName 末尾有一个空格。请删除它，否则会显示无效的主体名称。

希望对你有帮助~