我最近尝试以编程方式在我的 Azure AD B2C(预览版)实例中创建用户。阻碍我的部分只是试图检索 token 。到目前为止我已经尝试过:
var clientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var clientSecret = @"xxxxxxxxxxxxxxxx";
var tenant = "xxxxxxxxxxxx.onmicrosoft.com";
var authContext = new AuthenticationContext("https://login.microsoftonline.com/" + tenant);
var credential = new ClientCredential(clientId, clientSecret);
var result = await authContext.AcquireTokenAsync("https://graph.windows.net", credential);
当执行到达最后一行尝试获取 token 时,我得到:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70001: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not supported for this API version.
我可以从这个错误中推断出什么?这是否意味着 Azure AD B2C 的图形访问已暂时删除?或者我需要启用某些功能吗?或者我的某个端点 URL 是否有误?
最佳答案
要连接到 Graph API,您需要设置单独的 clientId 和 key 。按照此 B2C 教程创建服务主体并附加 3 个 Graph API 权限:
请务必使用 ADAL v2(或刚刚发布的 ADAL v3),而不是仅针对 B2C 的实验性 ADAL v4。
将来,MSAL 库有望将所有这些结合起来。
以下脚本允许您在 1 个 powershell 脚本中创建此脚本:
$msolcred = Get-Credential
Connect-MsolService -credential $msolcred
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$principal = New-MsolServicePrincipal -DisplayName "Dummy" -Type password -Value $newClientSecret
Add-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -RoleMemberObjectId $principal.ObjectId -RoleMemberType servicePrincipal
Add-MsolRoleMember -RoleObjectId 9360feb5-f418-4baa-8175-e2a00bac4301 -RoleMemberObjectId $principal.ObjectId -RoleMemberType servicePrincipal
Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId $principal.ObjectId -RoleMemberType servicePrincipal
Write-Host "clientsecret = $newClientSecret"
Write-Host "clientId = $(($principal).AppPrincipalId)"
Write-Host "tenant = $((Get-MsolDomain).Name)"
关于azure-ad-graph-api - 以编程方式创建 Azure AD B2C(预览)用户,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37303809/