[英]Insufficient privileges to add Azure AD user
I created a console application to create an Azure AD user as follows (doc referred: https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http ):我创建了一个控制台应用程序来创建一个 Azure AD 用户,如下所示(参考文档: https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs= HTTP ):
static async Task Main(string[] args)
{
var credential = new ClientCredential("<clientt-id>", "<client-seceret>");
var authProvider = new HttpRequestMessageAuthenticationProvider(
credential,
"https://login.windows.net/<tenant-id>",
"https://graph.microsoft.com/");
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
var user = new User
{
AccountEnabled = true,
DisplayName = "Test User",
MailNickname = "testuser",
UserPrincipalName = "testuser@M365xxxxxxx.onmicrosoft.com ",
PasswordProfile = "xxxxxxxxxxxx"
OnPremisesImmutableId = "id"
};
await graphClient.Users
.Request()
.AddAsync(user);
}
API permissions added to app are Group.ReadWrite.All and User.ReadWrite.All. API 给app添加的权限是Group.ReadWrite.All和User.ReadWrite.All。
On running this code, I see the following error:运行此代码时,我看到以下错误:
Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.代码:Authorization_RequestDenied 消息:权限不足,无法完成操作。
What am I missing?我错过了什么?
For this problem, I summarize the points below which you need to check:对于这个问题,我总结了以下几点你需要检查:
1. It seems your code use client_credentials as grant flow to do the job, so please check you have added the permissions of "Application" but not "Delegated". 1.您的代码似乎使用client_credentials作为授权流程来完成这项工作,所以请检查您是否添加了“应用程序”而不是“委托”的权限。 And don't forget grant admin consent.
并且不要忘记授予管理员同意。
2. If still show Authorization_RequestDenied
message, please remove the permission Group.ReadWrite.All
because this permission is unnecessary. 2.如果仍然显示
Authorization_RequestDenied
消息,请移除Group.ReadWrite.All
权限,因为该权限是不必要的。 And the Group
permission may affect other permissions in my past tests.并且
Group
权限可能会影响我过去测试中的其他权限。
3. It seems you develop the specific code in class HttpRequestMessageAuthenticationProvider
, actually there is an off-the-shelf SDK avaiable for us to use. 3.好像你在 class
HttpRequestMessageAuthenticationProvider
中开发了具体的代码,实际上有一个现成的 SDK 可供我们使用。 I provide my code below for your reference, the code works fine to create a user.我在下面提供我的代码供您参考,该代码可以正常创建用户。
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System;
using System.Threading.Tasks;
namespace ConsoleApp23
{
class Program
{
static async Task Main(string[] args)
{
Console.WriteLine("Hello World!");
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
.Create("<client_id>")
.WithTenantId("<tenant_id>")
.WithClientSecret("<client_secret>")
.Build();
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
var user = new User
{
AccountEnabled = true,
DisplayName = "huryAdd",
MailNickname = "huryAdd",
UserPrincipalName = "huryAdd@xxx.onmicrosoft.com",
PasswordProfile = new PasswordProfile
{
ForceChangePasswordNextSignIn = true,
Password = "Password0123"
},
OnPremisesImmutableId = "testOnPre"
};
await graphClient.Users.Request().AddAsync(user);
Console.WriteLine("====success====");
}
}
}
And also provide the packages installed in my project.并提供我项目中安装的包。
Install-Package Microsoft.Identity.Client -Version 4.16.1
Install-Package Microsoft.Graph
Install-Package Microsoft.Graph.Auth -IncludePrerelease
4. By the way, there is a blank space in the end of your UserPrincipalName
. 4.顺便说一句,您的
UserPrincipalName
末尾有一个空格。 Please remove it, otherwise it will show invalid principal name.请删除它,否则它将显示无效的主体名称。
Hope it helps~希望有帮助~
I had the same issue and managed to solve it.我遇到了同样的问题并设法解决了。
I used the Directory.ReadWrite.All permission but still experienced the problem with setting the OnPremisesImmutableId attribute for our users.我使用了 Directory.ReadWrite.All 权限,但在为我们的用户设置 OnPremisesImmutableId 属性时仍然遇到问题。
After a bit of investigation, it turned out that i had to assign the roles "Group Administrator" and "User Administrator" to my application in Azure AD Portal (Azure AD > Roles and administrators > Click each group > Add Assignments).经过一番调查后,我发现我必须在 Azure AD 门户中为我的应用程序分配角色“组管理员”和“用户管理员”(Azure AD > 角色和管理员 > 单击每个组 > 添加分配)。 After both these roles had been applied to my application, the problem disappeard.
在将这两个角色应用到我的应用程序之后,问题就消失了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.