Access denied for application with client credentials flow
We have set up an application in AAD.
The application has been granted access to read/write all messages/mails and "read users profiles" and a global admin has pushed the "Grant permissions" button in the portal. Still we get an Access denied error when trying to access
https://graph.microsoft.com/v1.0/users/{myId}/MailFolders/Inbox/ChildFolders
for my userid (myId). The URL works fine in Graph Explorer when I'm logged in as my own user.
Also, decoding the JWT at jwt.io shows the application id, name and "aud" (https://graph.microsoft.com) - but no roles/scopes.
What have we done wrong?
These are delegated permissions... so you will need a user with the same rights and use the credentials of the user in your authorization flow for your app.
The effective rights are the intersection of the user rights and the rights of the app.
"Effective permissions are the permissions that your app will have when making requests to an API."
The user also needs permission to use the app in AAD.
If it is not a delegated permission, maybe there is the need for some global admin to grant the consent for all users. "Topic Admins" can only "request" the permissions for the app and the global admin can consent for all users.
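The check the question runs by hand at jwt.io, as an added example that is not part of the original thread: it decodes the token locally and reports whether it carries application permissions (`roles`), delegated permissions (`scp`), or neither. The permission names `Mail.ReadWrite` and `User.Read.All`, the all-zero app id and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode a JWT payload locally. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, needed: set) -> tuple:
    """Classify a Graph access token by the permission claims it carries."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    if scopes:
        return ("delegated", sorted(scopes))
    if not roles:
        # The case in the question: aud and app id present, nothing granted.
        return ("no-permissions", [])
    missing = needed - roles
    return ("missing-roles", sorted(missing)) if missing else ("ok", sorted(roles))


def sample_token(claims: dict) -> str:
    """Build an unsigned token for the demo (constructed data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed claims. Permission names are assumed mappings for the page's
# "read/write all messages/mails" and "read users profiles".
NEEDED = {"Mail.ReadWrite", "User.Read.All"}
BASE = {"aud": "https://graph.microsoft.com", "appid": "00000000-0000-0000-0000-000000000000"}
SAMPLES = {
    "as in the question": BASE,
    "app-only, consented": {**BASE, "roles": ["Mail.ReadWrite", "User.Read.All"]},
    "app-only, partial": {**BASE, "roles": ["User.Read.All"]},
    "user sign-in": {**BASE, "scp": "Mail.ReadWrite User.Read"},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(f"{label:22} -> {diagnose(sample_token(claims), NEEDED)}")
```

Decoding locally keeps a live bearer token out of third-party web pages; the result says nothing about whether the token's signature is valid.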
Ok so I submitted a ticket to Microsoft Support. I haven't received any response yet, but now it all works just fine. I have no idea why, but when I was submitting the ticket this morning a warning was shown that an outage in Azure AD was recently fixed so maybe that is why things didn't work yesterday.