使用 Azure AD Graph 客户端 API 更改用户密码的权限问题

问题描述

我正在尝试在 ASP.Net MVC 中创建一个页面来重置当前用户的密码.我正在使用 Azure 活动目录进行用户身份验证.要访问用户的 AD 信息，我使用的是 C# Graph API 客户端.我的代码基于 GitHub

我可以更改用户的信息(例如城市、州、电子邮件).但是，当我尝试使用用户对象上的 PasswordProfile 属性更改密码时，我收到一条错误消息，提示我权限不足.我正在尝试将密码更改为应用程序，并且我认为权限问题的根源在于应用程序.

我发现以下 PowerShell 脚本应该将公司管理员角色添加到应用程序.但是，对 Get-MsolServicePrincipal 的调用不会返回任何内容.查看命令的输出，我看不到任何与我的应用程序名称相似的条目.

#------------------------------------------------------------# 这将提示您输入租户的凭证# 你应该可以使用你的 Azure AD 管理用户名#(以 admin@tenant.onmicrosoft.com 格式)#----------------------------------------------------------导入模块 MSOnline连接-MsolService#----------------------------------------------------------# 将应用程序名称替换为您的名称# 应用服务主体#----------------------------------------------------------$displayName = "我的 Azure AD 应用程序"$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId#----------------------------------------------------------# 这会将您的应用程序服务主体添加到# 公司管理员角色#----------------------------------------------------------$roleName = "公司管理员"Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

我想我的第一个问题是我是否正确地认为权限问题与应用程序有关?

其次，我应该将 $displayName 变量设置为什么值?

您需要确保 Azure Active Directory 中的应用程序配置具有适当的权限设置.使用上面的内容添加权限是矫枉过正的.您应该只向目录中的应用程序添加所需的权限.

作为起点，我建议您查看 Graph API 同意权限 博客文章在这里.您只能以帐户或全局管理员的身份使用传统权限重置密码，但您应该分配应用程序权限.

读取和写入目录数据"用于提供此权限，但我相信这已被删除.现在我相信用户必须同意使用 OAuth 身份验证流程才能重置密码.

请参阅 changePassword 当前登录用户的方法以获取更多信息.我有一个自定义桌面应用程序供用户重置自己的密码.

在我的应用程序中，我让用户使用他们现有的密码进行身份验证以获取访问令牌(这也有助于我在更改密码之前验证他们当前的凭据).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);var ctx = new AuthenticationContext(authority, false);var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);返回结果.AccessToken;

凭据属性是使用用户 UPN 和密码的 UserCredential 类型.然后我通过网络请求更改密码.

var client = new HttpClient();client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";var pwdObject = new { currentPassword = curPassword, newPassword = newPass };var body = new JavaScriptSerializer().Serialize(pwdObject);var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

如果请求成功，这将返回 HTTP 204，我在获取用户令牌时也会捕获 AADSTS50126 异常，因为这表明在获取令牌时凭据无效.

I am trying to create a page in ASP.Net MVC to reset the current user's password. I am using Azure active directory for user authentication. To access, the user's AD information, I am using the C# Graph API client. My code is based on a sample found on GitHub

I am able to make changes to the user's information (such as city, state, email). However, when I attempt to change the password using the PasswordProfile attribute on the user object, I am getting an error saying I have insufficient permissions. I am attempting to change the password as the application and I believe that the source of the permission issue is with the application.

I found the following PowerShell script that is supposed to add the company administrator role to an application. However, the call to Get-MsolServicePrincipal does not return anything. Looking at the output of the command, I don't see any entries that even resemble the name of my application.

#-----------------------------------------------------------
# This will prompt you for your tenant's credential
# You should be able to use your your Azure AD administrative user name
# (in the admin@tenant.onmicrosoft.com format)
#-----------------------------------------------------------
import-module MSOnline
Connect-MsolService

#-----------------------------------------------------------
# Replace the Application Name with the name of your 
# Application Service Principal
#-----------------------------------------------------------
$displayName = "My Azure AD Application"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

#-----------------------------------------------------------
# This will add your Application Service Prinicpal to 
# the Company Administrator role
#-----------------------------------------------------------
$roleName = "Company Administrator"              
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

I guess my first question is am I correct that the permission issue is with application?

Second, what value to which I should be setting the $displayName variable?

You need to ensure that your application configuration in Azure Active Directory has the appropriate permissions setup. Adding the rights using what you have above is overkill. You should be adding the required permissions only to your application in the directory.

As a starting point I would suggest you review the Graph API Consent Permission blog post here. You can only reset a password as an account or global administrator using traditional rights but you should be assigning application permissions.

"Read and write directory data" used to provide this permission however I believe this was removed. Now I believe the user has to consent using the OAuth authentication flow to be able to reset a password.

See the changePassword method on the currently logged in user for more information on this. I have a custom desktop application for users to reset their own passwords.

In my application I have the users authenticate to get an access token using their existing password (this also helps me validate their current credentials before changing the password).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);
var ctx = new AuthenticationContext(authority, false);
var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);
return result.AccessToken;

The credential property is a UserCredential type using the users UPN and password. I then pass a web request to change the password.

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);
var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";
var pwdObject = new { currentPassword = curPassword, newPassword = newPass };
var body = new JavaScriptSerializer().Serialize(pwdObject);
var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

This returns a HTTP 204 if the request was successful, I also trap a AADSTS50126 exception when getting the user token as this indicates the credentials are invalid when obtaining the token.

这篇关于使用 Azure AD Graph 客户端 API 更改用户密码的权限问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！