[Azure Developer] "401 : Unauthorized" and "403 : Forbidden" when creating users with the Microsoft Graph API

Problem description

Java code calling the Microsoft Graph API to create a user failed first with "401 : Unauthorized" and then, after the first fix, with "403 : Forbidden". The Java fragment in question:

Choosing the Microsoft Graph authentication provider

// Client-credentials provider from msgraph-sdk-java-auth. The national cloud selects the
// token authority; NationalCloud.Global means login.microsoftonline.com.
ClientCredentialProvider authProvider = new ClientCredentialProvider(
                                                    clientId,
                                                    scopes,
                                                    clientSecret,
                                                    tenant,
                                                    NationalCloud.Global);

Creating the user

import com.microsoft.graph.models.extensions.IGraphServiceClient;
import com.microsoft.graph.models.extensions.PasswordProfile;
import com.microsoft.graph.models.extensions.User;
import com.microsoft.graph.requests.extensions.GraphServiceClient;

IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

User user = new User();
user.accountEnabled = true;
user.displayName = "Adele Vance";
user.mailNickname = "AdeleV";
// The UPN domain must be a verified domain of the target tenant.
user.userPrincipalName = "[email protected]";
PasswordProfile passwordProfile = new PasswordProfile();
passwordProfile.forceChangePasswordNextSignIn = true;
passwordProfile.password = "xWwvJ]6NMw+bWH-d";
user.passwordProfile = passwordProfile;

// Sends POST https://graph.microsoft.com/v1.0/users, the SDK's default service root.
graphClient.users()
    .buildRequest()
    .post(user);

 

Solution

401 : Unauthorized

The code used NationalCloud.Global, but the tenant lives in the Azure China (21Vianet) cloud, so the provider has to be switched to NationalCloud.China. Stepping through in debug mode shows that the POST issued by graphClient goes to https://graph.microsoft.com/v1.0/users, which is the Global endpoint; it has to be changed to the China endpoint https://microsoftgraph.chinacloudapi.cn/v1.0/users. The two settings must agree: a token issued by the China authority for the China Graph resource is not accepted by the Global endpoint (and vice versa), which is exactly what the 401 reports. So after changing the national cloud, also set the client's service root to the same cloud and request the .default scope of that cloud's Graph resource (https://microsoftgraph.chinacloudapi.cn/.default), not graph.microsoft.com.

The corrected code:

import java.util.Arrays;
import java.util.List;

import com.microsoft.graph.auth.confidentialClient.ClientCredentialProvider;
import com.microsoft.graph.auth.enums.NationalCloud;
import com.microsoft.graph.models.extensions.IGraphServiceClient;
import com.microsoft.graph.models.extensions.PasswordProfile;
import com.microsoft.graph.models.extensions.User;
import com.microsoft.graph.requests.extensions.GraphServiceClient;

// Values from the app registration in the Azure China (21Vianet) tenant (placeholders).
final String clientId = "<application-id>";
final String clientSecret = "<client-secret>";
final String tenant = "<tenant-id>";
// The .default scope must name the China Graph resource, not graph.microsoft.com,
// otherwise the token's audience will not match the endpoint called below.
final List<String> scopes = Arrays.asList("https://microsoftgraph.chinacloudapi.cn/.default");

ClientCredentialProvider authProvider = new ClientCredentialProvider(
                                                    clientId,
                                                    scopes,
                                                    clientSecret,
                                                    tenant,
                                                    NationalCloud.China);   // authority: login.chinacloudapi.cn

IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
// The SDK defaults the service root to the Global endpoint; point it at the China
// endpoint before building any request.
graphClient.setServiceRoot("https://microsoftgraph.chinacloudapi.cn/v1.0");

User user = new User();
user.accountEnabled = true;
user.displayName = "Adele Vance";
user.mailNickname = "AdeleV";
user.userPrincipalName = "[email protected]";
PasswordProfile passwordProfile = new PasswordProfile();
passwordProfile.forceChangePasswordNextSignIn = true;
passwordProfile.password = "xWwvJ]6NMw+bWH-d";
user.passwordProfile = passwordProfile;

// Now sends POST https://microsoftgraph.chinacloudapi.cn/v1.0/users
graphClient.users()
    .buildRequest()
    .post(user);

403 : Forbidden

Creating a user requires the corresponding Azure AD permission. The Create user documentation states that the caller must hold one of the following permissions:

(The screenshot of the permissions table is not preserved. For the application-permission flow used here, the documented options are User.ReadWrite.All or Directory.ReadWrite.All; User.ReadWrite.All is the less privileged of the two and is sufficient for POST /users.)

So check the API permissions of the application registration in Azure AD to confirm that the permission is both present and granted. Application permissions always need tenant admin consent; in the screenshot below the permission had been added but no admin had granted consent. After consent is granted, a new token must be acquired, because a token issued earlier does not carry the newly consented role.

(The screenshot of the API permissions blade, showing the permission with a "Not granted" status, is not preserved.)

So the create-user call throws the following error:

(The screenshot is not preserved. Graph reports this case as HTTP 403 with error code Authorization_RequestDenied and the message "Insufficient privileges to complete the operation".)
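Both failures above can be predicted from the access token itself before the request is sent: the 401 case shows up as an aud claim for the wrong cloud, and the 403 case as a missing or insufficient roles claim. The following pre-flight check is an added example, not code from the original post or from the Graph SDK. It assumes Gson is on the classpath (msgraph-sdk-java already depends on it), and the tokens in main are constructed, unsigned JWT-shaped strings for offline demonstration; the constants CHINA_GRAPH and CREATE_USER_ROLES are the Graph resource URL and the documented application permissions for POST /users.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;

/**
 * Local pre-flight check on a client-credentials access token before calling POST /users.
 * It inspects the two claims that correspond to the two failures in this post:
 *   aud   - must be the Graph resource of the cloud whose endpoint the client calls (else 401)
 *   roles - must contain an application permission accepted by POST /users (else 403)
 * The signature is NOT verified here; Graph still performs the real authorization.
 */
public class GraphTokenPreflight {

    // Graph resource URL of the Azure China cloud (documented resource identifier).
    static final String CHINA_GRAPH = "https://microsoftgraph.chinacloudapi.cn";

    // Application permissions listed for POST /users in the Graph documentation.
    static final List<String> CREATE_USER_ROLES =
            Arrays.asList("User.ReadWrite.All", "Directory.ReadWrite.All");

    /** Decode the JWT payload segment without verifying the signature. */
    static JsonObject payloadOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT: expected header.payload.signature");
        }
        // Azure AD tokens are base64url without padding; Java's URL decoder accepts that.
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return JsonParser.parseString(new String(json, StandardCharsets.UTF_8)).getAsJsonObject();
    }

    /** Returns the problems found; an empty list means both checks passed. */
    static List<String> check(String jwt, String expectedGraphResource) {
        List<String> problems = new ArrayList<>();
        JsonObject claims = payloadOf(jwt);

        // 1) Audience must match the endpoint we are about to call. Tokens obtained with a
        //    ".default" scope carry the resource URL as aud. Azure AD can also emit the Graph
        //    application ID instead of the URL; that form is not handled here (assumption).
        String aud = claims.has("aud") ? claims.get("aud").getAsString() : "<missing>";
        if (!aud.equals(expectedGraphResource) && !aud.equals(expectedGraphResource + "/")) {
            problems.add("401 risk: aud=" + aud + " but the client calls " + expectedGraphResource);
        }

        // 2) App-only tokens carry application permissions in "roles" (not "scp"). A permission
        //    that was added to the registration but never admin-consented does not appear at all.
        Set<String> roles = new HashSet<>();
        if (claims.has("roles") && claims.get("roles").isJsonArray()) {
            for (JsonElement e : claims.getAsJsonArray("roles")) {
                roles.add(e.getAsString());
            }
        }
        boolean canCreateUsers = CREATE_USER_ROLES.stream().anyMatch(roles::contains);
        if (!canCreateUsers) {
            problems.add("403 risk: roles=" + roles + " contains none of " + CREATE_USER_ROLES
                    + "; grant the permission plus admin consent, then acquire a new token");
        }
        return problems;
    }

    /** Build an unsigned JWT-shaped string from a payload. Constructed, for offline use only. */
    static String constructedToken(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".";   // empty signature segment
    }

    public static void main(String[] args) {
        // Constructed sample tokens, not real Azure AD tokens.
        String globalToken = constructedToken(
                "{\"aud\":\"https://graph.microsoft.com\",\"tid\":\"t\",\"roles\":[\"User.ReadWrite.All\"]}");
        String chinaTokenNoConsent = constructedToken(
                "{\"aud\":\"https://microsoftgraph.chinacloudapi.cn\",\"tid\":\"t\"}");
        String chinaTokenConsented = constructedToken(
                "{\"aud\":\"https://microsoftgraph.chinacloudapi.cn\",\"tid\":\"t\",\"roles\":[\"User.ReadWrite.All\"]}");

        System.out.println(check(globalToken, CHINA_GRAPH));          // 401 section: Global token, China endpoint
        System.out.println(check(chinaTokenNoConsent, CHINA_GRAPH));  // 403 section: permission never consented
        System.out.println(check(chinaTokenConsented, CHINA_GRAPH));  // the token the corrected setup should yield
    }
}
```

To use it against a real token, pass the bearer token the provider returns and the same resource URL that was given to setServiceRoot (without the /v1.0 suffix). Decoding a token locally this way is a diagnostic, not a security control: never skip the server-side check on the strength of it, and never log a live token.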

References

Create user: https://docs.microsoft.com/zh-cn/graph/api/user-post-users?view=graph-rest-1.0&tabs=java#example

Choose a Microsoft Graph authentication provider based on scenario: https://docs.microsoft.com/zh-cn/graph/sdks/choose-authentication-providers?tabs=Java#client-credentials-provider

Grant an appRoleAssignment to a user: https://docs.microsoft.com/en-us/graph/api/user-post-approleassignments?view=graph-rest-1.0&tabs=http

Permissions: https://docs.microsoft.com/zh-cn/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#permissions