
Azure Web Application - how to use both delegated and Application permissions

Background Information.

I would like my ASP.NET web application to use the MS Identity platform to authenticate users... and allow them to see their own profile. This part of my code is working. I also have a function that allows the end user to pick a file from their local computer and upload it to SP via an upload session via MS Graph. This is also currently working.

The security configuration I have under "API Permissions" for my Azure Application registration is as follows:

  • Sites.ReadWrite.All->Delegated
  • User.Read->Delegated

But now I would like to have the application itself do the file upload. So I change the security settings to look like this:

  • Sites.ReadWrite.All->Application
  • User.Read->Delegated

When I try to upload, I get an access denied error message returned.

I also added "Files.ReadWrite.All" for the application, but that didn't work either. Can someone point me in the right direction? Do I have to create a separate graphClient just for the application to do the upload?

EDIT 1

I'm wondering if this is relevant:

https://docs.microsoft.com/en-us/answers/questions/354161/sitesselected-accessdenied-when-uploading-files.html

Does anyone know what the OP means when he says

Our application is registered to have access at target site collection with permission role "WRITE"

Or maybe a better question is how do you do this?

After assigning the application-type API permission to your Azure AD app, you need to use the client credentials flow to generate the access token and use it to call the API.

Then you can use the access token to send HTTP requests directly. It's a division part so it should work in your scenario.

using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;   // MSAL.NET; Azure.Identity is not needed for this flow

// Confidential client: the app authenticates with its own client secret,
// no signed-in user is involved (application permissions only).
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
    .Create("azure_ad_app_client_id")
    .WithClientSecret("client_secret")
    .WithAuthority(new Uri("https://login.microsoftonline.com/your_tenant_name.onmicrosoft.com"))
    .Build();

// ".default" requests every application permission that has been granted (admin-consented) to the app.
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };

// Client credentials flow: token is issued for the app itself, not for a user.
AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
string accesstoken = result.AccessToken;
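As an added example (not code from the answer or the question), this is how the app-only token from AcquireTokenForClient can drive the same upload session directly against Graph's REST endpoints with HttpClient, separate from the delegated GraphServiceClient used for the signed-in user. The site id, drive-relative path and local file name are placeholders; the application permission must have been admin-consented, otherwise createUploadSession is the call that returns 403.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

static class AppOnlyUpload
{
    // Graph requires each chunk to be a multiple of 320 KiB (here 3200 KiB).
    const int ChunkSize = 320 * 1024 * 10;

    // accessToken: the value obtained via AcquireTokenForClient above.
    // siteId / driveRelativePath / localFile: placeholders for your own values.
    public static async Task UploadAsync(string accessToken, string siteId,
                                         string driveRelativePath, string localFile)
    {
        using var graph = new HttpClient();
        graph.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);

        // 1. Create the upload session with the app-only token.
        //    A 403 here means the app permission is missing or not admin-consented.
        var createUrl = $"https://graph.microsoft.com/v1.0/sites/{siteId}/drive/root:/{driveRelativePath}:/createUploadSession";
        var body = new StringContent(
            "{\"item\":{\"@microsoft.graph.conflictBehavior\":\"replace\"}}",
            Encoding.UTF8, "application/json");
        using var createResp = await graph.PostAsync(createUrl, body);
        createResp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await createResp.Content.ReadAsStringAsync());
        var uploadUrl = doc.RootElement.GetProperty("uploadUrl").GetString();

        // 2. PUT the file in ordered chunks. The uploadUrl is pre-authenticated,
        //    so it is called without the bearer token (and should be treated as a secret).
        using var uploader = new HttpClient();
        var bytes = await File.ReadAllBytesAsync(localFile);
        for (long offset = 0; offset < bytes.LongLength; offset += ChunkSize)
        {
            int len = (int)Math.Min(ChunkSize, bytes.LongLength - offset);
            var chunk = new ByteArrayContent(bytes, (int)offset, len);
            chunk.Headers.ContentRange =
                new ContentRangeHeaderValue(offset, offset + len - 1, bytes.LongLength);
            using var putResp = await uploader.PutAsync(uploadUrl, chunk);
            putResp.EnsureSuccessStatusCode(); // 202 for intermediate chunks, 200/201 on the last
        }
    }
}
```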
