
我在尝试通过 Graph API 给用户添加一个角色时，收到了如下所示的“权限不足”错误。

/** 
 * Example call from the question: the first GUID is the directory object (user) to add,
 * the second GUID is the role it is added to, and "role" selects the add-member branch of
 * addUserToGroup. The identifiers are the ones quoted on the page, not constructed values.
 **/                     
addUserToGroup("e5911e4e-3d44-448c-bb42-dd6d51855cd4", "d405c6df-0af8-4e3b-95e4-4d06e542189e", "role"); 

/**
 * Adds the directory object {@code userId} to the role {@code groupId} by posting a
 * {@code {"url": <directory object link>}} payload to the role's {@code $links/members}
 * collection through {@link #handlRequestPostJSON}.
 *
 * <p>Behaviour by {@code objectName}: {@code "role"} sends the request and returns whatever
 * {@code handlRequestPostJSON} returns (status code string or error body); {@code "roledelete"}
 * is a deliberate no-op in this snippet; any other value also returns {@code null}.
 *
 * @param userId     id of the directory object to add as a member
 * @param groupId    id of the role (or group) that receives the member
 * @param objectName selects the operation; interpolated into the request path only for
 *                   {@code "role"}, so no caller-controlled text reaches the path otherwise
 * @return the result of {@code handlRequestPostJSON}, or {@code null} when no request is sent
 * @throws OfficeException wrapping any failure (JSON construction, or the NPE raised when
 *                         {@code objectName} is {@code null}) under {@code ErrorCreatingJSON}
 */
private static String addUserToGroup(
     String userId, 
     String groupId, 
     String objectName) throws OfficeException { 

    JSONObject body = new JSONObject();

    // Link to the directory object that becomes the new member of the role.
    String memberLink = String.format("https://%s/%s/directoryObjects/%s",
        AppParameter.getProtectedResourceHostName(),
        AppParameter.getTenantContextId(),
        userId);

    try {
        body.put("url", memberLink);
        String payload = body.toString();

        // A null objectName throws NPE here and is wrapped below, exactly as the if/else chain did.
        switch (objectName) {
            case "role":
                return handlRequestPostJSON(
                    String.format("/%ss/%s/$links/members", objectName, groupId),
                    null,
                    payload,
                    "addUserToGroup");
            case "roledelete":
                // Deletion is intentionally not implemented in this snippet; falls through to null.
            default:
                return null;
        }
    } catch (Exception e) {
        throw new OfficeException(AppParameter.ErrorCreatingJSON, e.getMessage(), e, null);
    }
}

/** handlRequestPostJSON方法**/

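/**
 * Sends a request to the tenant's directory REST endpoint and reports the outcome as a string.
 *
 * <p>Success path: the payload is written, the response body is consumed and discarded, the HTTP
 * status code is printed and returned as its decimal string. Failure path (any exception, which
 * includes the {@code IOException} that {@code getInputStream()} raises for 4xx/5xx responses):
 * the status code is printed when obtainable and the server's error body is printed and returned
 * as-is. An {@code Authorization_RequestDenied} body arriving through this path means the token or
 * signed-in user lacks the directory permissions discussed in the answers below. Callers cannot
 * distinguish a status code from an error document by type; that contract is kept for existing
 * callers.
 *
 * <p>Changes from the original: request and response text are UTF-8 instead of the platform
 * charset, streams are closed on every path, the swallowed exception is reported on stderr, and
 * a missing connection or error stream yields {@code ""} instead of a {@code NullPointerException}
 * escaping the catch block.
 *
 * @param path        resource path appended after {@code /<tenant>}, e.g. {@code /roles/<id>/$links/members}
 * @param queryOption optional query fragment; {@code null} sends only the API version
 * @param data        request payload, written as UTF-8 when non-null
 * @param opName      operation name selecting verb and headers: {@code roledelete} uses DELETE,
 *                    {@code updateUser} tunnels PATCH via {@code X-HTTP-Method}; {@code createUser},
 *                    {@code updateUser} and {@code addUserToGroup} send {@code Content-Type: application/json}
 * @return the HTTP status code as a string on success; on failure the error body, or {@code ""}
 *         when no connection or error stream is available
 */
public static String handlRequestPostJSON(String path, String queryOption, String data, String opName){ 
    HttpURLConnection conn = null;
    String apiVersion = AppParameter.getDataContractVersion();

    // The API version is always sent; an explicit query option is placed in front of it.
    String query = (queryOption == null) ? apiVersion : queryOption + "&" + apiVersion;

    try {
        // Build from components so java.net.URI percent-encodes each part.
        URI uri = new URI(
            AppParameter.PROTOCOL_NAME,
            AppParameter.getRestServiceHost(),
            "/" + AppParameter.getTenantContextId() + path,
            query,
            null);

        conn = (HttpURLConnection) uri.toURL().openConnection();

        // POST by default; role removal uses DELETE on the same $links resource.
        conn.setRequestMethod(opName.equalsIgnoreCase("roledelete") ? "DELETE" : "POST");

        // Access token from the application's configuration; it must never be logged.
        conn.setRequestProperty(AppParameter.AUTHORIZATION_HEADER, AppParameter.getAccessToken());
        conn.setRequestProperty("Accept", "application/json");

        // Operations that carry a JSON payload declare it explicitly.
        if (opName.equalsIgnoreCase("createUser")
                || opName.equalsIgnoreCase("updateUser")
                || opName.equalsIgnoreCase("addUserToGroup")) {
            conn.setRequestProperty("Content-Type", "application/json");
        }

        // Updates are PATCH requests tunnelled over POST through the X-HTTP-Method header.
        if (opName.equalsIgnoreCase("updateUser")) {
            conn.setRequestProperty("X-HTTP-Method", "PATCH");
        }

        // Write the payload as UTF-8; the charset is fully qualified so no new import is needed.
        conn.setDoOutput(true);
        if (data != null) {
            try (OutputStreamWriter wr = new OutputStreamWriter(
                    conn.getOutputStream(), java.nio.charset.StandardCharsets.UTF_8)) {
                wr.write(data);
            }
        }

        // getInputStream() throws for 4xx/5xx, which is what routes failures into the catch below.
        // The success body is consumed so the connection can be reused, but it is not returned.
        readJoinedLines(conn.getInputStream());

        int responseCode = conn.getResponseCode();
        System.out.println("Response Code: " + responseCode);
        return Integer.toString(responseCode);

    } catch (Exception e2) {
        // The original dropped e2 entirely; report it so failures are diagnosable.
        System.err.println(opName + " request failed: " + e2);

        if (conn == null) {
            // The URI could not be built or the connection not opened: nothing to read.
            return "";
        }

        try {
            System.out.println("Response Code: " + conn.getResponseCode());
        } catch (IOException e1) {
            System.err.println("No response code available: " + e1);
        }

        // Null when the failure happened before any HTTP response (e.g. connect error).
        java.io.InputStream errorStream = conn.getErrorStream();
        if (errorStream == null) {
            return "";
        }

        String response;
        try {
            response = readJoinedLines(errorStream);
        } catch (IOException e) {
            System.err.println("Error body could not be read: " + e);
            response = "";
        }
        System.out.println(response);
        return response;
    }
}

/**
 * Reads {@code in} as UTF-8 text and returns all lines concatenated without separators
 * (the original loops also dropped line terminators, so returned error bodies are unchanged).
 *
 * @param in stream to drain; closed on return
 * @return the joined lines, possibly empty
 * @throws IOException if the stream cannot be read
 */
private static String readJoinedLines(java.io.InputStream in) throws IOException {
    StringBuilder sb = new StringBuilder();
    try (BufferedReader rd = new BufferedReader(
            new InputStreamReader(in, java.nio.charset.StandardCharsets.UTF_8))) {
        String line;
        while ((line = rd.readLine()) != null) {
            sb.append(line);
        }
    }
    return sb.toString();
}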

它显示错误如下

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"没有足够的权限来完成操作。"},"requestId":"05318157-1c3b-4410-9be5-ce6c6246514c","date":"2016-11-23T04:27:53"}}

请帮帮我。提前致谢。

回答


您的应用程序需要在AAD中配置必要的权限。

最好的办法是让它以与登录用户相同的权限访问AAD,然后以Azure AD管理员身份登录到应用程序。

查看经典Azure门户(https://manage.windowsazure.com)中应用程序配置上的“对其他应用程序的权限”选项卡。


要成功调用Azure AD图REST使用委托令牌,应该满足两个条件。首先是令牌包含足够的权限来操作资源。第二个是登录用户拥有足够的权限来操作资源。

例如,要将组成员添加到组中,令牌需要包含权限Directory.ReadWrite.All,Directory.AccessAsUser.All。而且这个登录用户还需要拥有像全局管理员那样的操作权限。

有关权限和范围的更多详细信息，请参阅此处。
