[英]"User not found" for Graph API request in the Azure enterprise app security group with client credentials auth flow
Design设计
Goal目标
Get calendar events for a given user.获取给定用户的日历事件。
Requirements要求
Implementation / Setup实施/设置
application permissions
application permissions
security group
- as described here - was created with a limited number of users with the related policy
that included related permissions (see here ).security group
- 如此处所述 - 由有限数量的用户创建,这些用户具有包含相关权限的相关policy
(参见此处)。 The group was later connected to the app following this instruction.Calendar.Read
and Calendar.ReadWrite
as required by the actions here and here were added to the policy mentioned in the previous setup step.Calendar.Read
和Calendar.ReadWrite
已添加到上一个设置步骤中提到的策略中。 Testing测试
Two HTTP requests were used: one to get the token and another to read events.使用了两个 HTTP 请求:一个用于获取令牌,另一个用于读取事件。
Identity Platform
Identity Platform
的令牌请求curl --location --request POST 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token' \
--data-raw 'client_id=<APPLICATION_TOKEN>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=<APPLICATION_SECRET>&grant_type=client_credentials'
Upon inspection of the token here I see that it contains required permissions:在此处检查令牌后,我发现它包含所需的权限:
"roles": [
"Calendars.Read",
"Calendars.ReadWrite"
]
Graph API
Graph API
获取日历事件的请求curl --location --request GET 'https://graph.microsoft.com/v1.0/users/<USER_ID>/calendar/events' \
--header 'Authorization: Bearer <TOKEN>'
results in the following error:导致以下错误:
{
"error": {
"code": "ResourceNotFound",
"message": "User not found",
"innerError": {
"date": "2022-02-08T08:25:39",
"request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b",
"client-request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b"
}
}
}
The user id is from my account that I found in the Azure Active Directory details of the Azure Tenant.用户 ID 来自我在 Azure 租户的 Azure Active Directory 详细信息中找到的帐户。 I double-checked that after adding other users.
添加其他用户后,我仔细检查了这一点。
Before-asking investigation询问前调查
This issue looks closest to my case as it uses the client credentials auth flow. 这个问题看起来最接近我的情况,因为它使用客户端凭据身份验证流程。 But it uses global permissions for all users in the AAD, while we use more fine-grained approach with a
security group
.但它对 AAD 中的所有用户使用全局权限,而我们对
security group
使用更细粒度的方法。 It also shows a different error "Resource could not be discovered."
它还显示不同的错误
"Resource could not be discovered."
versus "User not found"
in my case.与我的情况下的
"User not found"
相比。
In order to call /{user-id}/calendar/events to work the user must have mailbox on Exchange Online if you are using client credentials for Daemon applications.为了调用 /{user-id}/calendar/events 来工作,如果您使用守护程序应用程序的客户端凭据,用户必须在 Exchange Online 上拥有邮箱。
Also, It seems assigning license to a guest account (Personal account in this case) is not possible and hence the user account never gets access to the calendar service (part of o365 exchange online) due to which it cannot retrieve the calendar information of personal account.此外,似乎无法向来宾帐户(在这种情况下为个人帐户)分配许可证,因此用户帐户永远无法访问日历服务(o365 在线交换的一部分),因此无法检索个人的日历信息帐户。
Please refer my answer similar to this in Q&A for detailed description.详细说明请参考我在Q&A中类似的回答。
Short Version简洁版本
I was missing the application permissions
and assumed that they are assigned on the level of security group
.我缺少
application permissions
并假设它们是在security group
级别上分配的。 Only restriction happen on that level.只有限制发生在那个层面上。
Long Version长版
The updated mental model looks like this:更新后的心理 model 如下所示:
It means that the application permissions
for MS Graph API
are required.也就是说需要
MS Graph API
的application permissions
。
The security group
is only restricting / limiting the access to the users mentioned in the policy
. security group
仅限制/限制对policy
中提到的用户的访问。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.