AADSTS90093:由于缺少权限,主叫方无法同意
[英]AADSTS90093: Calling principal cannot consent due to lack of permissions
问题描述
I'm getting the following error when non-global admin users are trying to access graph explorer 2 within our tenant: 
当非全局管理员用户尝试访问我们的租户中的图形资源管理器2时,我收到以下错误:
Additional technical information: 其他技术信息:
Correlation ID: 2346b0f5-bb5f-4138-8f9d-07fa96dcf02f Timestamp: 2015-05-29 17:18:48Z AADSTS90093: Calling principal cannot consent due to lack of permissions.
From within Azure we have "users may give applications permission to access their data" set to use. 从Azure中我们有“用户可以授予应用程序访问其数据的权限”设置以供使用。 We also have "users may add integrated applications" to yes. 我们还有“用户可能会添加集成应用程序”。
3 个解决方案
解决方案1
2 2015-06-01 16:02:51
Just wanted to check which URL you are going to. 只想查看您要访问的网址。 We have 2 "graph explorers" - one is for exploring Azure AD Graph API, while the other (called API explorer) is for exploring the Office 365 unified API . 我们有2个“图形资源管理器” - 一个用于探索Azure AD Graph API,而另一个(称为API资源管理器)用于探索Office 365统一API 。
If you are going to https://graphexplorer2.cloudapp.net - this is (AAD) graph explorer, and should not require admin permissions. 如果您要访问https://graphexplorer2.cloudapp.net - 这是(AAD)图浏览器,不应该要求管理员权限。 Please let us know if this is what you are using and if this is causing issues. 如果这是你正在使用的,如果这是导致问题,请告诉我们。
If on the other hand you are going to https://graphexplorer2.azurewebsites.net - this is the API explorer, and due to the number of APIs it requires access to, it currently requires admin consent. 另一方面,如果您要访问https://graphexplorer2.azurewebsites.net - 这是API资源管理器,并且由于需要访问的API数量,它目前需要管理员同意。 We'll look into a way to reduce the number of scopes that this requires access to, to get to a place where users can consent (but that's not the case currently). 我们将研究一种减少这种需要访问的范围数量的方法,以便到达用户可以同意的地方(但目前情况并非如此)。
Hope this helps, 希望这可以帮助,
解决方案2
0 2017-01-24 00:19:56
I ran into this issue today and here what I did: 我今天遇到了这个问题,在这里我做了什么:
- Login to your AD application in classic portal ( https://manage.windowsazure.com/ ) 在经典门户网站( https://manage.windowsazure.com/ )中登录您的AD应用程序
- Under "Configure" section, there is "permissions to other applications", look at the "delegated permissions" for "Window Azure Active Directory". 在“配置”部分下,有“其他应用程序的权限”,查看“Window Azure Active Directory”的“委派权限”。
- Make sure you pick the correct permissions for your app. 确保为您的应用选择了正确的权限。 Normally, "Sign in and read user profile" is enough for user to login. 通常,“登录并读取用户配置文件”足以让用户登录。
- For more information you can take a look at this link https://graph.microsoft.io/en-us/docs/authorization/permission_scopes 有关更多信息,请查看此链接https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
解决方案3
0 2017-01-25 11:45:51
I worked for Skype for business online use case (WEB API). 我曾在Skype for Business for online use case(WEB API)工作。 I faced this issue for users not global admins. 我为用户而不是全局管理员面临这个问题。 The users who added by global admin. 由全局管理员添加的用户。
I managed to resolve the issue by passing extra parameter prompt=admin_consent . 我设法通过传递额外的参数prompt = admin_consent来解决问题。
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
href += client_id + '&resource=https://webdir.online.lync.com&redirect_uri=' + window.location.href+'&prompt=admin_consent';
For more details visit link https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange-online/ 有关详细信息,请访问链接https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange -线上/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.