久久久久久久av_日韩在线中文_看一级毛片视频_日本精品二区_成人深夜福利视频_武道仙尊动漫在线观看

使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限

Permission issue changing user password using Azure AD Graph client API(使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限問題)
本文介紹了使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限問題的處理方法,對大家解決問題具有一定的參考價值,需要的朋友們下面隨著小編來一起學習吧!

問題描述

限時送ChatGPT賬號..

我正在嘗試在 ASP.Net MVC 中創建一個頁面來重置當前用戶的密碼.我正在使用 Azure 活動目錄進行用戶身份驗證.要訪問用戶的 AD 信息,我使用的是 C# Graph API 客戶端.我的代碼基于 GitHub

我可以更改用戶的信息(例如城市、州、電子郵件).但是,當我嘗試使用用戶對象上的 PasswordProfile 屬性更改密碼時,我收到一條錯誤消息,提示我權限不足.我正在嘗試將密碼更改為應用程序,并且我認為權限問題的根源在于應用程序.

我發現以下 PowerShell 腳本應該將公司管理員角色添加到應用程序.但是,對 Get-MsolServicePrincipal 的調用不會返回任何內容.查看命令的輸出,我看不到任何與我的應用程序名稱相似的條目.

#------------------------------------------------------------# 這將提示您輸入租戶的憑證# 你應該可以使用你的 Azure AD 管理用戶名#(以 admin@tenant.onmicrosoft.com 格式)#----------------------------------------------------------導入模塊 MSOnline連接-MsolService#----------------------------------------------------------# 將應用程序名稱替換為您的名稱# 應用服務主體#----------------------------------------------------------$displayName = "我的 Azure AD 應用程序"$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId#----------------------------------------------------------# 這會將您的應用程序服務主體添加到# 公司管理員角色#----------------------------------------------------------$roleName = "公司管理員"Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

我想我的第一個問題是我是否正確地認為權限問題與應用程序有關?

其次,我應該將 $displayName 變量設置為什么值?

解決方案

您需要確保 Azure Active Directory 中的應用程序配置具有適當的權限設置.使用上面的內容添加權限是矯枉過正的.您應該只向目錄中的應用程序添加所需的權限.

作為起點,我建議您查看 Graph API 同意權限 博客文章在這里.您只能以帳戶或全局管理員的身份使用傳統權限重置密碼,但您應該分配應用程序權限.

讀取和寫入目錄數據"用于提供此權限,但我相信這已被刪除.現在我相信用戶必須同意使用 OAuth 身份驗證流程才能重置密碼.

請參閱 changePassword 當前登錄用戶的方法以獲取更多信息.我有一個自定義桌面應用程序供用戶重置自己的密碼.

在我的應用程序中,我讓用戶使用他們現有的密碼進行身份驗證以獲取訪問令牌(這也有助于我在更改密碼之前驗證他們當前的憑據).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);var ctx = new AuthenticationContext(authority, false);var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);返回結果.AccessToken;

憑據屬性是使用用戶 UPN 和密碼的 UserCredential 類型.然后我通過網絡請求更改密碼.

var client = new HttpClient();client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";var pwdObject = new { currentPassword = curPassword, newPassword = newPass };var body = new JavaScriptSerializer().Serialize(pwdObject);var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

如果請求成功,這將返回 HTTP 204,我在獲取用戶令牌時也會捕獲 AADSTS50126 異常,因為這表明在獲取令牌時憑據無效.

I am trying to create a page in ASP.Net MVC to reset the current user's password. I am using Azure active directory for user authentication. To access, the user's AD information, I am using the C# Graph API client. My code is based on a sample found on GitHub

I am able to make changes to the user's information (such as city, state, email). However, when I attempt to change the password using the PasswordProfile attribute on the user object, I am getting an error saying I have insufficient permissions. I am attempting to change the password as the application and I believe that the source of the permission issue is with the application.

I found the following PowerShell script that is supposed to add the company administrator role to an application. However, the call to Get-MsolServicePrincipal does not return anything. Looking at the output of the command, I don't see any entries that even resemble the name of my application.

#-----------------------------------------------------------
# This will prompt you for your tenant's credential
# You should be able to use your your Azure AD administrative user name
# (in the admin@tenant.onmicrosoft.com format)
#-----------------------------------------------------------
import-module MSOnline
Connect-MsolService

#-----------------------------------------------------------
# Replace the Application Name with the name of your 
# Application Service Principal
#-----------------------------------------------------------
$displayName = "My Azure AD Application"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

#-----------------------------------------------------------
# This will add your Application Service Prinicpal to 
# the Company Administrator role
#-----------------------------------------------------------
$roleName = "Company Administrator"              
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

I guess my first question is am I correct that the permission issue is with application?

Second, what value to which I should be setting the $displayName variable?

解決方案

You need to ensure that your application configuration in Azure Active Directory has the appropriate permissions setup. Adding the rights using what you have above is overkill. You should be adding the required permissions only to your application in the directory.

As a starting point I would suggest you review the Graph API Consent Permission blog post here. You can only reset a password as an account or global administrator using traditional rights but you should be assigning application permissions.

"Read and write directory data" used to provide this permission however I believe this was removed. Now I believe the user has to consent using the OAuth authentication flow to be able to reset a password.

See the changePassword method on the currently logged in user for more information on this. I have a custom desktop application for users to reset their own passwords.

In my application I have the users authenticate to get an access token using their existing password (this also helps me validate their current credentials before changing the password).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);
var ctx = new AuthenticationContext(authority, false);
var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);
return result.AccessToken;

The credential property is a UserCredential type using the users UPN and password. I then pass a web request to change the password.

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);
var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";
var pwdObject = new { currentPassword = curPassword, newPassword = newPass };
var body = new JavaScriptSerializer().Serialize(pwdObject);
var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

This returns a HTTP 204 if the request was successful, I also trap a AADSTS50126 exception when getting the user token as this indicates the credentials are invalid when obtaining the token.

這篇關于使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限問題的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!

【網站聲明】本站部分內容來源于互聯網,旨在幫助大家更快的解決問題,如果有圖片或者內容侵犯了您的權益,請聯系我們刪除處理,感謝您的支持!

相關文檔推薦

ASP.NET Core authenticating with Azure Active Directory and persisting custom Claims across requests(ASP.NET Core 使用 Azure Active Directory 進行身份驗證并跨請求保留自定義聲明)
ASP.NET Core 2.0 Web API Azure Ad v2 Token Authorization not working(ASP.NET Core 2.0 Web API Azure Ad v2 令牌授權不起作用)
ASP Core Azure Active Directory Login use roles(ASP Core Azure Active Directory 登錄使用角色)
How do I get Azure AD OAuth2 Access Token and Refresh token for Daemon or Server to C# ASP.NET Web API(如何獲取守護進程或服務器到 C# ASP.NET Web API 的 Azure AD OAuth2 訪問令牌和刷新令牌) - IT屋-程序員軟件開發技
.Net Core 2.0 - Get AAD access token to use with Microsoft Graph(.Net Core 2.0 - 獲取 AAD 訪問令牌以與 Microsoft Graph 一起使用)
Azure KeyVault Active Directory AcquireTokenAsync timeout when called asynchronously(異步調用時 Azure KeyVault Active Directory AcquireTokenAsync 超時)
主站蜘蛛池模板: 91精品国产91久久久久久密臀 | 精品中文字幕一区二区 | 国产乱码精品一区二区三区五月婷 | 国产午夜精品一区二区三区嫩草 | 日本免费视频在线观看 | 国产精品久久久久久久粉嫩 | 一区二区久久 | 亚洲国产精品久久 | 国产一区二区不卡 | 精品一区二区三区在线观看 | 伊人二区 | 第一区在线观看免费国语入口 | 一区二区电影 | 亚洲第1页| 欧美视频在线播放 | 丁香五月网久久综合 | 国产乱码精品一品二品 | 成人精品视频99在线观看免费 | 在线免费观看a级片 | 免费一区 | 亚洲一区二区三区视频 | 超碰97av| 国产一区二区三区在线 | www.4虎影院| 免费在线观看成人 | 久久精选 | 无码一区二区三区视频 | 欧美亚洲视频 | 伊人精品一区二区三区 | 日韩欧美福利视频 | 精品视频一区在线 | 精品久久久久一区二区国产 | 欧美精品黄 | 伊人网站 | 国产精品毛片 | 亚洲精选一区二区 | www一级片 | 欧美日韩久久精品 | 久久精品久久久 | 综合二区 | 亚洲三级免费看 |