问题
I'm able to retrieve profile photos just fine, but run into ErrorAccessDenied when trying to update photos. According to this:
https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/profilephoto_update
The User.ReadWrite permission should be sufficient. I have assigned my application this privilege using manage.windowsazure.com (and also tried granting all kinds of other privileges), but still get the error. Here's the current set of privileges I've granted to the app:
Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All email Group.Read.All Group.ReadWrite.All MailboxSettings.ReadWrite offline_access profile User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All
I'm obtaining the Bearer token with the client_credentials flow as follows:
curl -d grant_type=client_credentials \
-d client_id=CLIENT_ID \
-d client_secret=CLIENT_SECRET
-d resource=https://graph.microsoft.com \
https://login.microsoftonline.com/DOMAINNAME/oauth2/token
I then try to update the profile photo like this:
curl -H "Authorization: Bearer BEARERTOKEN" \
--request PATCH \
-H "Content-Type: image/jpeg" \
-d @photo.jpg
https://graph.microsoft.com/v1.0/users/USERPRINCIPALNAME/photo/\$value
And I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "REQUESTID",
"date": "2016-05-23T16:42:21"
}
}
}
回答1:
It looks like you listed delegated permissions configured for your app, but retrieved the token using the client credentials flow, which uses separate application permissions. As per the documentation page that you referenced the scope required to update user profile photo is User.ReadWrite. This can't be done with the app-only scopes, including User.ReadWrite.All. User photo can be updated using the Authorization Code Grant Flow (see https://graph.microsoft.io/en-us/docs/authorization/app_authorization)
来源:https://stackoverflow.com/questions/37396426/cant-update-profilephoto-with-microsoft-graph-api