问题
I followed the ASP.NET Quick Start guide and got the project working.
The API succeeds in retrieving my email address just fine - great.
Now I want to get a list of users and retrieve some of their properties.
In GraphService:
public async Task GetUsers(GraphServiceClient graphClient)
{
var users = await graphClient.Users.Request().Select("mail").GetAsync();
}
Which I call with (copying the method to retrieve user email):
var graphClient = SDKHelper.GetAuthenticatedClient();
await graphService.GetUsers(graphClient);
But I get an error
{Code: Authorization_RequestDeniedMessage: Insufficient privileges to complete the operation.Inner error}
Even though I set these privelages:
Why must this be so difficult? I am connecting to the API and getting my own email address, but I can't do anything else...
When I run https://graph.microsoft.com/v1.0/users in the Graph Explorer it returns all the users just fine...
Please someone help
回答1:
If you are referring to this sample application, then i want to mention to acquire access token it utilizes ConfidentialClientApplication.AcquireTokenSilentAsync method which accepts as a first parameter the list of scopes requested for resource. Those scopes (delegated permissions) are specified in web.config file via ida:GraphScopes key. In another words, no matter what permissions have been granted via app registration, access token will be requested per scopes specified via ida:GraphScopes key.
Having said that, to make this request working:
public async Task<IGraphServiceUsersCollectionPage> GetUsers(GraphServiceClient graphClient)
{
return await graphClient.Users.Request().Select("mail").GetAsync();
}
you could explicitly update the delegated permissions in web.config:
<add key="ida:GraphScopes" value="User.Read User.ReadBasic.All"/>
How to validade access token
The permissions for access token could be validated via this or this service. Once decoded, delegated permissions are represented via scp attribute, for example:
scp: "Files.ReadWrite Mail.Send User.Read"
来源:https://stackoverflow.com/questions/49143264/graph-api-denies-access-even-though-i-granted-access