问题描述
尝试获取用户所属的所有Office 365组.
我已经在Azure上注册了一个本机客户端应用程序",并且只选择了一个权限:"Microsoft Graph"作用域下的读取所有组".
Trying to get all the Office 365 groups a user is a member of.
I've registered a 'Native client application' on Azure and selected only one permission: 'Read all groups' under the 'Microsoft Graph' scope.
问题:其他租户的用户收到呼叫主体由于权限不足而无法同意".错误,但未进入同意步骤.
The problem: users from other tenants got the 'Calling principal cannot consent due to lack of permissions.' error, and did not get to the consent step.
如果用户具有管理员权限,或者如果我在第二个租户上注册了另一个应用程序,则我可以通过同意步骤并获得组列表.
If the user has admin rights or if I register another app on a second tenant, I was able to pass the consent step and also got the groups list.
顺便说一句,注册"Web应用程序"并在多租户"选项中选择是"也无济于事.
BTW, registering a 'Web application' and selecting 'Yes' in the Multi-tenant option didn't help either.
有人知道"Group.Read.All"是否需要管理员同意吗?根据此,它不是.
我还尝试运行此查询https://graph.microsoft.com/v1.0/me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified')
,如此处在获取统一组I"下所述是的成员",但没有运气.
Does anybody know if 'Group.Read.All' requires admin consent? According to this it doesn't.
I also tried to run this query https://graph.microsoft.com/v1.0/me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified')
as mentioned here under 'GET unified groups I’m member of', but with no luck.
另一个问题,是否可以将本机应用程序配置为多租户应用程序?
Another question, is there a way to configure the Native app as a multi-tenant app?
推荐答案
您在这里有几个问题,所以我将尽力提供帮助.如果我错过了什么,或者您需要进一步澄清,请告诉我.
You have a few questions in here, so I'll try to help. Let me know if I've missed something or you need more clarification.
Azure AD中的本地应用程序本质上是多租户的,因此无需像使用Web应用程序一样设置多租户切换.
Native applications in Azure AD are multi-tenant by nature, so there's no need to set the multi-tenant toggle like you do with Web apps.
Group.ReadAll确实需要管理员同意.我发现以下页面在尝试确定应用程序所需的权限时超级有用: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes .
Group.ReadAll does require admin consent. I've found the following page to be super useful as I try to determine the permissions needed for my applications: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes.
在开发过程中,有时我需要更新我的应用程序的权限.每当更新权限时,我发现转到 http://myapps.microsoft.com 撤消同意很有用.为我的应用程序.然后,下次我登录该应用程序时,系统总是会提示我输入内容,以便我可以清楚地看到用户将看到的内容.
During development I have sometimes needed to update the permissions for my app. Whenever permissions are updated I've found it useful to go to http://myapps.microsoft.com to revoke consent for my app. Then the next time I log in to the app, I am always prompted for content so I can clearly see exactly what users will see.
这篇关于无法通过Graph API获得我所属的Office 365组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!