问题
This situation made me create a real monstrous work-around, but sometimes, you don't have an option right?
The problem is basically bumping into 503: 'serviceUnavailable' messages when several (specific?) Azure AD Application permissions are set in your Azure AD Application, which should not happen.
Context and technical queries
The context is specifically for Application permissions (app-only auth) and NOT delegated permissions. Token is retrieved by:
HTTP POST https://login.microsoftonline.com/e6fcb01a-f706-4b1b-872b-1e7645d78491/oauth2/v2.0/token
headers:
Content-Type=application/x-www-form-urlencoded
-------------
client_id=<App GUID>
client_secret=<App SECRET>
scope=https://graph.microsoft.com/.default
grant_type=client_credentials
/sites/root query retrieved by:
HTTP GET https://graph.microsoft.com/v1.0/sites/root
headers: Authorization=Bearer <AccessToken>
-------------
Reproduce this situation:
- Create an Azure AD Application
- Add Application Permission > Sites.ReadWrite.All
- Grant Admin Consent for
- Create Secret
- Generate Access Token (using)
- Run Query with token (works)
Forcing it to break (either add all at once or 1-by-1)
- Add Application Permission > Group.Create
- Grant Admin Consent for
- Generate Access Token
- Run Query with token (fails?)
Does it work?
- Add Application Permission > Group.ReadWrite.All
- Grant Admin Consent for
- Generate Access Token
- Run Query with token (fails?)
- Repeat for another permission. until it breaks.
Does it break?
- Fails forever
Workaround:
Split up App Permission across multiple AD applications.
回答1:
I tested this and the issue is there but a workaround is you don't need Group.Create permission if you have Group.ReadWrite.All.
So in summary a single AD app can have Group.ReadWrite.All and Sites.ReadWrite.All permission and it will work but a single AD app will fail if it has all three permissions of Group.Create, Group.ReadWrite.All and Sites.ReadWrite.All
回答2:
Based on my test (Did not test all permissions), the issue does exist.
There are two main permissions that affect the calling of this API endpoint.
They are Group.Create and Group.Selected.
I'm not sure why they cause the failure of the calling of /sites/root. But it's strongly recommended to remove these two permissions (maybe there are some more other permissions) from the Azure AD app which is used to access /sites/root.
At the same time, opening a support ticket on Azure portal for your Graph request is a good choice.
回答3:
Unfortunately this was a previously known issue in SharePoint. A fix is on its way but I don't have an ETA for rollout to share.
来源:https://stackoverflow.com/questions/60985658/running-into-serviceunavailable-sharepoint-graph-query-forever-when-combining