stackoom
  简体   繁体   中英

Calling MS Graph with delegated privileges doesn't work while application privileges do

 原文  2022-03-29 16:34:58       azure/ azure-active-directory/ azure-ad-graph-api

Question

I try to get a user's custom attribute using a graph api call:

I have setup an app registration with User.ReadWrite.All Delegated privileges as stated in the documentation and Granted admin privileges :

在此处输入图像描述

Using python, I can fetch a token using my app registration secret:

def retrieve_token(endpoint, client_id, client_secret):
    # endpoint = "https://login.microsoftonline.com/<tenant-id>/oauth2/token"
    payload = {
        "grant_type":"client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource":"https://graph.microsoft.com"
    }
    r = requests.request("POST", endpoint,data=payload).json()["access_token"]
    return r # returns a valid jwt token

Using that token I then call a function to get my user's attributes:

def get_user_role(endpoint,user_uid, token):
    # endpoint = "https://graph.microsoft.com/v1.0/users/"
    url = endpoint + user_uid 
    headers = {
        "Authorization": "Bearer " + token, 
        "Content-Type": "application/json"
    }
    return requests.request("GET", url, headers=headers).json()

For some reason, it lacks of privileges:

{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2022-03-29T16:11:38', 'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'client-request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'}}}

If I go back to my api's permissions and change the User.ReadWrite.All from Delegated permissions to Application permissions it works.

From what I read in this scenario I should use Delegated permission but how to get that to work?

1 answers

solution1
 3 ACCPTED  2022-03-30 10:22:32

If you are using the client credentials follow (Authenticating using Client ID and Client Secret) so you should require to Application permissions to get token and call a function to get my user's attributes. So it won't Possible to calling an API with Client Crendetial Token using delegated permissions.

  • As junnas stated in comment is correct You typically use delegated permissions when you want to call the Web API as the logged on user.

  • Application Permissions: Your application needs to access the web API directly as itself (no user context).

So you should change the way to get the access token use eg authorization code flow or device code flow to get an access token as a signed in user

You can refer this Document can help Desktop app that calls web APIs: Acquire a token using Username and Password

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question MySQL/Amazon RDS error: "you do not have SUPER privileges..." How can I ensure that GCP service accounts do not have Admin privileges? Redshift: cannot drop user owner default privileges On flask application - the URI start with a question mark and it doesn't work Android app doesn't work while WiFi is on. (With Firebase and Admob) How to acquire token for delegated permissions (microsoft graph) Create multiple users, to have all privileges on each others relations/objects Trying to add delegated permission scopes defined in Azure Virtual Desktop RBAC to AAD App registration by calling Microsoft Graph API - /applications Deploying AWS SAM function with least privileges I added In-Reply-To and References in my headers while sending Email through SendGrid, however it doesn't work
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM