期望的行为
group
使用single tenant application
具有delegated
API 权限的 JavaScript SDK 和 MSAL创建一个via Microsoft Graph 。
实际行为
{
"statusCode": 403,
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"requestId": "6e865d96-ef8b-408e-a905-5393b4adcfdc",
"date": "2020-05-16T20:20:15.000Z",
"body": "{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\",\"innerError\":{\"request-id\":\"6e865d96-ef8b-408e-a905-5393b4adcfdc\",\"date\":\"2020-05-17T06:20:15\"}}"
}
我试过的
为了创建代码,我使用了以下 API 参考说明:
登录/注销和所有其他 API 请求都在工作。
订阅
Microsoft 365 Business Standard Trial
API权限
Directory.AccessAsUser.All +++
Directory.ReadWrite.All ***
Group.ReadWrite.All
GroupMember.ReadWrite.All ***
openid
profile
Sites.Read.All
Tasks.ReadWrite
User.Read
*** 我在阅读此答案后添加了这些,但仍然出现相同的错误。
+++ 我在下面的答案中添加了这个建议。
我已单击 Azure 应用程序注册区域中的“授予管理员同意”按钮。
索引.html
<!-- msal -->
<!-- from: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core -->
<script type="text/javascript" src="https://alcdn.msauth.net/lib/1.3.0/js/msal.js" integrity="****" crossorigin="anonymous"></script>
<!-- javascript sdk -->
<!-- from: https://github.com/microsoftgraph/msgraph-sdk-javascript -->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/@microsoft/microsoft-graph-client/lib/graph-js-sdk.js"></script>
配置文件
// msal options
const msalConfig = {
auth: {
clientId: "client-id-here",
redirectUri: "http://localhost:8080",
authority: "https://login.microsoftonline.com/tenant-id-here"
},
cache: {
cacheLocation: "sessionStorage",
storeAuthStateInCookie: false,
forceRefresh: false
}
};
// define application permissions
const scopes = ['directory.accessasuser.all', 'directory.readwrite.all', 'group.readwrite.all', 'groupmember.readwrite.all', 'openid', 'profile', 'sites.read.all', 'user.read', 'tasks.readwrite' ];
认证.js
const msalApplication = new Msal.UserAgentApplication(msalConfig);
const loginRequest = {
scopes: scopes
}
async function sign_in() {
try {
await msalApplication.loginPopup(loginRequest);
if (msalApplication.getAccount()) {
console.log("sign in success");
}
} catch (error) {
console.log("sign in error");
console.log(error);
}
}
function sign_out() {
msalApplication.logout();
}
图.js
var path = "/groups";
var group = {
description: "Here is a description.",
displayName: "test_test_test",
groupTypes: [
"Unified",
"DynamicMembership"
],
mailEnabled: true,
mailNickname: "test_test_test",
securityEnabled: false, // initially i had this as true, doesn't seem to make a difference either way
visibility: "Hiddenmembership",
"[email protected]": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
],
"[email protected]": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
]
};
var response = await client.api(path)
.post(group);
相关阅读:
在 Microsoft 365 管理中心创建、编辑或删除安全组
Microsoft Graph 中的 Office 365 组概述
关于什么可能导致错误的其他想法......
可见性仅支持统一组;安全组不支持它。
也许的组合securityEnabled: true
和visibility:Hiddenmembership
不兼容?
我尝试将其更改为securityEnabled: false
并收到相同的消息。
令牌有问题吗?
我Authorisation: Bearer
从 Chrome 开发工具控制台复制了值并粘贴到https://jwt.io并且令牌中提供了两个额外的范围 - 但所有其他范围都存在:
我能够Group
通过更改以下内容来创建一个graph.js
:
groupTypes: ["Unified","DynamicMembership"]
到
groupTypes: ["Unified"]`
我不知道为什么DynamicMembership
会导致错误。
它是下面链接中列出的Group
>的有效属性值,groupTypes
没有任何警告:
https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties
作为参考,上面的代码创建:
它不会自动创建相应的:
您可以在以下位置看到列出的新组:
https://admin.microsoft.com/AdminPortal/Home#/groups
https://outlook.office365.com/people
https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups
您可以在以下位置看到“团队站点”组:
https://your_account-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/siteManagement
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句