Microsoft Graph API: 403 Forbidden error while trying to get policies for tenant

I am trying to get the policies created for my tenant in the Azure AD portal using the Microsoft Graph API. As I understand from the Graph API documentation, all CRUD policy operations require the Directory.AccessAsUser.All scope.

This scope is shown as "Access directory as the signed in user", as listed here - https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes

I have tried configuring my application both in the new Azure portal and in the old one, and hit a different failure in each.

On the new portal:

I created a web application in my tenant following the instructions at https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal.

When setting up access control, the only subscription in my tenant is "Access to Azure Active Directory", and I can't configure access control on it in the new portal. In the browser, when I select Access Control (IAM), I see an error: "Error calling ARM using httpCode = BadRequest, errorCode = DisallowedOperation, message = The current type of subscription is not allowed to perform operations with any namespace provider. Use a different subscription., reason = Bad Request ..." The Add Roles button is also disabled.

? Azure Active Directory? , API?

:

:

Microsoft Graph
Windows Azure Active Directory

, API- . 403, https://graph.microsoft.com/beta/policies, .

, (https://login.microsoftonline.com/{my }/oauth2/token)

{
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "iat": 1491256764,
    "nbf": 1491256764,
    "exp": 1491260664,
    "aio": "Y2ZgYAi68q2XUTk0ykH7/TZzrhYbAA==",
    "app_displayname": "test-app",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "idp": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "oid": "7ccea836-d389-4328-a155-67092e2805e9",
    "roles": [
        "Device.ReadWrite.All",
        "User.ReadWrite.All",
        "Directory.ReadWrite.All",
        "Group.ReadWrite.All",
        "IdentityRiskEvent.Read.All"
    ],
    "sub": "7ccea836-d389-4328-a155-67092e2805e9",
    "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
    "uti": "4fmUDNWWHkSoTn2-7gtTAA",
    "ver": "1.0"
}

, Directory.AccessAsUser.All, 403. - , API, . / !
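An added diagnostic, not part of the original thread or of any Microsoft library: the token above carries its permissions in the `roles` claim (application permissions from a client-credentials flow) and has no `scp` claim (delegated scopes granted on behalf of a signed-in user). Directory.AccessAsUser.All is a delegated permission, so it can never appear in an app-only token. The helper below decodes a token's payload without verifying it (inspection only, not trust), and reports which of the two cases applies; the sample claims are constructed to mirror the question's token.

```python
import base64
import json

# Constructed sample mirroring the claims in the question's token:
# permissions under "roles", no "scp" claim, i.e. an app-only token.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "roles": ["Device.ReadWrite.All", "User.ReadWrite.All",
              "Directory.ReadWrite.All", "Group.ReadWrite.All",
              "IdentityRiskEvent.Read.All"],
    "ver": "1.0",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string (header.payload.) for offline tests; constructed, unsigned."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Decode only the payload segment. No signature check: this tells you
    what the token claims, which is all a 403 diagnosis needs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(claims: dict, required_delegated: str) -> str:
    """Explain why a call needing a delegated scope would be refused."""
    delegated = set(claims.get("scp", "").split())  # scp: space-separated string
    app_roles = set(claims.get("roles", []))         # roles: list of app permissions
    if required_delegated in delegated:
        return "ok: delegated scope present"
    if not delegated and app_roles:
        return ("app-only token (roles claim, no scp): delegated-only permissions such as "
                f"{required_delegated} cannot be granted; obtain the token via a user flow")
    return f"missing delegated scope {required_delegated}"
```

Run `diagnose(decode_payload(token), "Directory.AccessAsUser.All")` on a real access token to see which case you are in before changing app registration settings.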

:

  • -API, API- v1.0, API Azure Graph API API- Microsoft Graph.
  • API Azure Graph 403 Forbidden (https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/policy - # -)
+4
1

, . .

, , . detail.

+4

Source: https://habr.com/ru/post/1673933/
