我想創建一個與我的Office365租戶中的所有用戶的下拉菜單。我在Azure AD中創建了一個應用程序,併爲其提供了所有必要的權限。我實際上給了它Microsoft Graph的所有權限,應用程序和委託。他們全部。對非管理員的Microsoft Graph API權限?
然後我寫了腳本來查詢所有用戶https://graph.microsoft.com/v1.0/users
。
我讓我的租戶管理員進入並接受權限,然後輸出用戶界面中的用戶列表。做工精細的管理
我不是管理員,但是當我去的網頁我得到以下錯誤:
This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
我需要知道這是否會爲用戶的工作和更低的權限。從我所瞭解的API請求和應用程序在Azure中給予應用程序的權限下運行。因此,即使用戶爲只讀,請求未在用戶下運行,它仍在我設置的應用程序下運行。那麼,爲什麼我會得到有關權限的錯誤?
這是我使用的代碼:
(function() {
"use strict";
// Some samples will use the tenant name here like "tenant.onmicrosoft.com"
// I prefer to user the subscription Id
var subscriptionId = "metenant.onmicrosoft.com";
// Copy the client ID of your AAD app here once you have registered one, configured the required permissions, and
// allowed implicit flow https://msdn.microsoft.com/en-us/office/office365/howto/get-started-with-office-365-unified-api
var clientId = "cccb1f2f-xxx-x-xxxxx-x-x-x-x-x-";
window.config = {
// subscriptionId: subscriptionId,
clientId: clientId,
postLogoutRedirectUri: window.location.origin,
endpoints: {
graphApiUri: 'https://graph.microsoft.com'
},
cacheLocation: 'localStorage' // enable this for IE, as sessionStorage does not work for localhost.
};
var authContext = new AuthenticationContext(config);
// Check For & Handle Redirect From AAD After Login
var isCallback = authContext.isCallback(window.location.hash);
authContext.handleWindowCallback();
if (isCallback && !authContext.getLoginError()) {
window.location = authContext._getItem(authContext.CONSTANTS.STORAGE.LOGIN_REQUEST);
}
// If not logged in force login
var user = authContext.getCachedUser();
// NOTE: you may want to render the page for anonymous users and render
// a login button which runs the login function upon click.
if (!user) authContext.login();
// Acquire token for Files resource.
authContext.acquireToken(config.endpoints.graphApiUri, function (error, token) {
// Handle ADAL Errors.
if (error || !token) {
console.log('ADAL error occurred: ' + error);
return;
}
// Execute GET request to Files API.
var filesUri = config.endpoints.graphApiUri + "/v1.0/users";
$.ajax({
type: "GET",
url: filesUri,
headers: {
'Authorization': 'Bearer ' + token,
}
}).done(function (response) {
console.log('Successfully fetched from Graph.');
console.log(response);
var container = $(".container")
container.empty();
$.each(response.value, function(index, item) {
container.append($('<li>').text(item.displayName + " " + item.mail + " " + item.mobilePhone))
})
}).fail(function (response) {
var err = JSON.parse(response.responseText)
console.log('Failed:', err.error.message);
});
});
})();
看起來你逝去的登錄用戶的令牌圖形API的電流。您可以授予租戶中服務主體的適當權限,然後獲取服務主體令牌並將其用於Graph調用。 – Aram
如果我正在使用ADAL,並且應用程序的clientID不應該傳入應用程序登錄到Graph API而不是當前用戶?我已經添加了我用來執行此操作的代碼 – Batman