
我想使用 Graph API 為用戶添加角色，但在添加角色時出現如下所示的權限不足錯誤。

/**
 * Example call from the question: adds the user with the first id as a member of
 * the role with the second id. The third argument selects the branch inside
 * addUserToGroup; only "role" actually sends a request, "roledelete" is a no-op.
 **/
addUserToGroup("e5911e4e-3d44-448c-bb42-dd6d51855cd4", "d405c6df-0af8-4e3b-95e4-4d06e542189e", "role");

/**
 * Adds a directory user as a member of a role via a {@code $links/members} POST.
 *
 * <p>The request body is {@code {"url": "<directoryObjects link of the user>"}}.
 * Only {@code objectName == "role"} sends a request; {@code "roledelete"} and any
 * other value perform no request and yield {@code null}. Whatever the request
 * helper returns (status string on success, error body on failure) is passed
 * through unchanged.
 *
 * @param userId     object id of the user to add
 * @param groupId    object id of the target role (the path is built as
 *                   {@code /<objectName>s/<groupId>/$links/members})
 * @param objectName branch selector: "role" sends the request, anything else does not
 * @return the helper's result for "role", otherwise {@code null}
 * @throws OfficeException wrapping any failure while building the body or sending
 *         the request (a {@code null} objectName surfaces this way as well)
 */
private static String addUserToGroup(
     String userId,
     String groupId,
     String objectName) throws OfficeException {

    JSONObject body = new JSONObject();

    // The member is referenced by its directoryObjects link within the tenant.
    String memberLink = String.format("https://%s/%s/directoryObjects/%s",
        AppParameter.getProtectedResourceHostName(),
        AppParameter.getTenantContextId(),
        userId);

    try {
        body.put("url", memberLink);
        String payload = body.toString();

        switch (objectName) {
            case "role":
                return handlRequestPostJSON(
                    String.format("/%ss/%s/$links/members", objectName, groupId),
                    null,
                    payload,
                    "addUserToGroup");
            case "roledelete":
                // No request is issued for this value; the result is simply null.
                return null;
            default:
                return null;
        }
    } catch (Exception e) {
        throw new OfficeException(AppParameter.ErrorCreatingJSON, e.getMessage(), e, null);
    }
}

/** handlRequestPostJSON方法**/

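/**
 * Sends a JSON request to the directory REST service and reports the outcome.
 *
 * <p>The request targets {@code /<tenantContextId><path>} on
 * {@code AppParameter.getRestServiceHost()} with the data-contract version
 * appended to the query string. The HTTP method is POST, except for
 * {@code opName} "roledelete" (DELETE); "updateUser" additionally sets the
 * X-HTTP-Method header to PATCH. {@code AppParameter.getAccessToken()} is sent
 * as the Authorization header value unchanged, so it is expected to already
 * carry the scheme prefix (e.g. "Bearer ") — confirm against AppParameter.
 *
 * @param path        request path under the tenant, e.g. "/roles/{id}/$links/members"
 * @param queryOption extra query string, or {@code null}; the API version is appended either way
 * @param data        JSON payload to write; nothing is written when {@code null}
 * @param opName      operation name selecting method and headers: createUser, updateUser,
 *                    addUserToGroup, roledelete (compared case-insensitively)
 * @return the HTTP status code as a string when the server replied successfully;
 *         otherwise the body of the error response (possibly empty). Callers must
 *         tell the two apart by content, as the original contract requires.
 * @throws IllegalStateException if the request could not be opened at all, or the
 *         failure produced no error response to report; the original failure is the cause
 */
public static String handlRequestPostJSON(String path, String queryOption, String data, String opName) {

    HttpURLConnection conn = null;
    String apiVersion = AppParameter.getDataContractVersion();
    // The API version is always sent; a caller-supplied query option precedes it.
    String query = (queryOption == null) ? apiVersion : queryOption + "&" + apiVersion;

    try {
        // Build the URI from components so that path and query are percent-encoded
        // by the URI constructor rather than pasted in by string concatenation.
        URI uri = new URI(
            AppParameter.PROTOCOL_NAME,
            AppParameter.getRestServiceHost(),
            "/" + AppParameter.getTenantContextId() + path,
            query,
            null);

        URL url = uri.toURL();
        conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod(opName.equalsIgnoreCase("roledelete") ? "DELETE" : "POST");

        // The token value is sent as-is; it must never be echoed into the logs below.
        conn.setRequestProperty(AppParameter.AUTHORIZATION_HEADER, AppParameter.getAccessToken());
        conn.setRequestProperty("Accept", "application/json");

        // User create/update and membership changes all carry a JSON body.
        if (opName.equalsIgnoreCase("createUser")
                || opName.equalsIgnoreCase("updateUser")
                || opName.equalsIgnoreCase("addUserToGroup")) {
            conn.setRequestProperty("Content-Type", "application/json");
        }

        // HttpURLConnection cannot issue PATCH directly; the service honours the
        // X-HTTP-Method override header instead.
        if (opName.equalsIgnoreCase("updateUser")) {
            conn.setRequestProperty("X-HTTP-Method", "PATCH");
        }

        conn.setDoOutput(true);
        if (data != null) {
            // Explicit charset: the previous writer used the platform default.
            // try-with-resources closes the writer even when write() fails.
            try (OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream(), "UTF-8")) {
                wr.write(data);
            }
        }

        // getInputStream() throws for 4xx/5xx replies, which routes them to the catch
        // block below. The success body is drained (but, as before, not returned).
        readAll(conn.getInputStream());

        int responseCode = conn.getResponseCode();
        System.out.println("Response Code: " + responseCode);
        return Integer.toString(responseCode);

    } catch (Exception e2) {
        if (conn == null) {
            // Failed before a connection existed (bad URI/URL): nothing to read back,
            // and dereferencing conn here was a guaranteed NullPointerException.
            throw new IllegalStateException("Could not open request for " + opName + " at " + path, e2);
        }

        int responseCode = -1;
        try {
            responseCode = conn.getResponseCode();
            System.out.println("Response Code: " + responseCode);
        } catch (IOException e1) {
            // No status line was obtained (e.g. connection refused); still try the error stream.
            System.err.println("Could not read response code for " + opName + ": " + e1);
        }

        java.io.InputStream errorStream = conn.getErrorStream();
        if (errorStream == null) {
            // getErrorStream() is null when the server produced no error body, e.g. when
            // the connection itself failed; rethrow with the cause instead of an NPE.
            throw new IllegalStateException(
                "Request " + opName + " failed with no error response (status " + responseCode + ")", e2);
        }

        String response;
        try {
            response = readAll(errorStream);
        } catch (IOException e) {
            // Best effort: the error body is diagnostic only, so report and continue.
            System.err.println("Could not read error response for " + opName + ": " + e);
            response = "";
        }
        System.out.println(response);
        return response;

    } finally {
        if (conn != null) {
            conn.disconnect();
        }
    }
}

/**
 * Reads a stream to its end as UTF-8 text, concatenating lines without separators
 * (the same accumulation the previous inline loops performed), and closes it.
 *
 * @param in stream to consume; closed on return
 * @return the concatenated lines, empty for an empty stream
 * @throws IOException if reading fails
 */
private static String readAll(java.io.InputStream in) throws IOException {
    StringBuilder text = new StringBuilder();
    try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, "UTF-8"))) {
        String line;
        while ((line = reader.readLine()) != null) {
            text.append(line);
        }
    }
    return text.toString();
}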

它顯示錯誤如下

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"沒有足夠的權限來完成操作。"},"requestId":"05318157-1c3b-4410-9be5-ce6c6246514c","date":"2016-11-23T04:27:53"}}

請幫幫我。提前致謝。

回答


您的應用程序需要在AAD中配置必要的權限。

最好的辦法是讓它以與登錄用戶相同的權限訪問AAD,然後以Azure AD管理員身份登錄到應用程序。

查看經典Azure門戶(https://manage.windowsazure.com)中應用程序配置上的「對其他應用程序的權限」選項卡。


要使用委託令牌成功調用 Azure AD Graph REST，應該滿足兩個條件。首先是令牌包含足夠的權限來操作資源。第二個是登錄用戶擁有足夠的權限來操作資源。

例如,要將組成員添加到組中,令牌需要包含權限Directory.ReadWrite.All,Directory.AccessAsUser.All。而且這個登錄用戶還需要擁有像全局管理員那樣的操作權限。

有關權限和範圍的更多詳細信息，請參閱此處。
