How to use OAuth when there is no user delegation? — Microsoft Graph API

Submitted by 走远了吗 on 2020-01-05 03:40:12

Question


I am trying to use the Microsoft Graph API to get some information about users in a particular group in Azure AD. I need to get the data as part of an ETL task of a data warehouse. When pulling data from other cloud applications, I have gotten an API key and placed the key in the Authorization header.

OAuth is new to me (except having experienced it as a user) and I feel like I understand the concept but I am sure there are things that I am not grasping properly.

Problem:

I get a 401 error on GET requests to http://graph.microsoft.com/v1.0/groups when using the access token that I have received.

Steps Taken:

  1. Apparently I have to register an app -- even though I'm really not trying to build an app here -- so I did so on the registration portal at apps.dev.microsoft.com
  2. I granted Microsoft Graph Permissions (Note that I am an Admin)

  3. I tried using PowerShell to test pulling of the data as seen in the code below:

# Token endpoint of the v2.0 (Microsoft identity platform) authorization server.
# The tenant is identified by the URL path, so it does not belong in the body.
$tenant_id = "7b...3h"
$uri = "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token"

# client_credentials grant: the app authenticates as itself (no user).
# With this grant the only valid scope is the resource's .default scope;
# individual permissions are configured on the app registration instead.
$body = @{
    client_id     = "12...67"
    scope         = "https://graph.microsoft.com/.default"
    client_secret = "3g...x4"
    grant_type    = "client_credentials"
}

$token = Invoke-RestMethod -Uri $uri -Body $body -Method Post -ContentType "application/x-www-form-urlencoded"

# Present the access token as a bearer token on the Graph call.
$header = @{ Authorization = "Bearer " + $token.access_token }
$groups_uri = "https://graph.microsoft.com/v1.0/groups"
$response = Invoke-RestMethod -Uri $groups_uri -Headers $header

I receive a token but when I try to do GET request, I receive a 401 error.

My Thoughts

I feel like the scope needs to be changed but when I change the scope to 'Groups.Read.All', I get a message that it is not a valid scope. I'm not really sure where to go next. Everything I read about OAuth is about delegating the permissions of a user which is not what I'm trying to do. I just want to periodically pull some data with a service.


Answer 1:


The Get access without a user article seems to align with your scenario -- perhaps compare the information in that article with what you're doing, to determine if there's a disconnect somewhere?

Given that you're receiving a 401 error (unauthorized), I'd suspect that perhaps your application hasn't explicitly been granted consent by an Administrator for the action(s) you're trying to perform. In the article that I've linked to above, see section 3, "Get administrator consent", for details about how to get admin consent.
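The flow the answer points to, written out as an added example (this is not code from the question, the answer, or the linked article). It assumes an app registration on which Group.Read.All has been added as an *application* permission (not a delegated one) and placeholder values for the tenant ID, client ID and client secret. The check in step 3 is the one a practitioner wants before blaming the Graph call: an app-only token that was issued without admin consent carries no roles claim, and Graph rejects it no matter how the request is built.

```powershell
# Added example, not part of the original post. Placeholder identifiers; the
# secret should come from a secret store, not from a script.
$tenantId     = "<tenant-id>"
$clientId     = "<client-id>"
$clientSecret = "<client-secret>"

# 1. One-time, interactive step: a Global Administrator opens this URL in a
#    browser to grant tenant-wide consent for the application permissions
#    configured on the app registration. redirect_uri is assumed to be registered.
$consentUrl = "https://login.microsoftonline.com/$tenantId/v2.0/adminconsent" +
              "?client_id=$clientId" +
              "&scope=https://graph.microsoft.com/.default" +
              "&redirect_uri=https://localhost"
Write-Host "Admin consent URL (open once as an administrator): $consentUrl"

# 2. Client credentials grant. The tenant is part of the URL, not the body, and
#    the scope must be the resource's .default scope: naming a permission such
#    as Group.Read.All here is rejected as an invalid scope.
$tokenUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$token = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body `
                           -ContentType "application/x-www-form-urlencoded"

# 3. Inspect the token payload before calling Graph. App-only tokens list their
#    granted application permissions in the "roles" claim; no roles means admin
#    consent was never granted (or the permission was added as delegated).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $token.access_token
if (-not $claims.roles -or $claims.roles -notcontains 'Group.Read.All') {
    throw "Token carries no Group.Read.All application role (roles = '$($claims.roles -join ', ')'). Grant admin consent first."
}

# 4. Call Graph and follow @odata.nextLink so a large tenant's groups are not
#    silently truncated to the first page.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$uri     = "https://graph.microsoft.com/v1.0/groups?`$select=id,displayName"
$groups  = @()
while ($uri) {
    $page    = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $groups += $page.value
    $uri     = $page.'@odata.nextLink'
}
$groups | Format-Table id, displayName
```

For an unattended ETL job this is the whole protocol: no user ever signs in, consent is granted once by an administrator, and every run only exchanges the app's credentials for a token. Decoding the payload in step 3 is a diagnostic, not validation; the token is still only verified by Graph.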



Source: https://stackoverflow.com/questions/44464831/how-to-use-oauth-when-there-is-no-user-delegation-microsoft-graph-api
