久久久久久久av_日韩在线中文_看一级毛片视频_日本精品二区_成人深夜福利视频_武道仙尊动漫在线观看

使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限

Permission issue changing user password using Azure AD Graph client API(使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限問題)
本文介紹了使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限問題的處理方法,對大家解決問題具有一定的參考價值,需要的朋友們下面隨著小編來一起學習吧!

問題描述

限時送ChatGPT賬號..

我正在嘗試在 ASP.Net MVC 中創建一個頁面來重置當前用戶的密碼.我正在使用 Azure 活動目錄進行用戶身份驗證.要訪問用戶的 AD 信息,我使用的是 C# Graph API 客戶端.我的代碼基于 GitHub

我可以更改用戶的信息(例如城市、州、電子郵件).但是,當我嘗試使用用戶對象上的 PasswordProfile 屬性更改密碼時,我收到一條錯誤消息,提示我權限不足.我正在嘗試將密碼更改為應用程序,并且我認為權限問題的根源在于應用程序.

我發現以下 PowerShell 腳本應該將公司管理員角色添加到應用程序.但是,對 Get-MsolServicePrincipal 的調用不會返回任何內容.查看命令的輸出,我看不到任何與我的應用程序名稱相似的條目.

#------------------------------------------------------------# 這將提示您輸入租戶的憑證# 你應該可以使用你的 Azure AD 管理用戶名#(以 admin@tenant.onmicrosoft.com 格式)#----------------------------------------------------------導入模塊 MSOnline連接-MsolService#----------------------------------------------------------# 將應用程序名稱替換為您的名稱# 應用服務主體#----------------------------------------------------------$displayName = "我的 Azure AD 應用程序"$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId#----------------------------------------------------------# 這會將您的應用程序服務主體添加到# 公司管理員角色#----------------------------------------------------------$roleName = "公司管理員"Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

我想我的第一個問題是我是否正確地認為權限問題與應用程序有關?

其次,我應該將 $displayName 變量設置為什么值?

解決方案

您需要確保 Azure Active Directory 中的應用程序配置具有適當的權限設置.使用上面的內容添加權限是矯枉過正的.您應該只向目錄中的應用程序添加所需的權限.

作為起點,我建議您查看 Graph API 同意權限 博客文章在這里.您只能以帳戶或全局管理員的身份使用傳統權限重置密碼,但您應該分配應用程序權限.

讀取和寫入目錄數據"用于提供此權限,但我相信這已被刪除.現在我相信用戶必須同意使用 OAuth 身份驗證流程才能重置密碼.

請參閱 changePassword 當前登錄用戶的方法以獲取更多信息.我有一個自定義桌面應用程序供用戶重置自己的密碼.

在我的應用程序中,我讓用戶使用他們現有的密碼進行身份驗證以獲取訪問令牌(這也有助于我在更改密碼之前驗證他們當前的憑據).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);var ctx = new AuthenticationContext(authority, false);var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);返回結果.AccessToken;

憑據屬性是使用用戶 UPN 和密碼的 UserCredential 類型.然后我通過網絡請求更改密碼.

var client = new HttpClient();client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";var pwdObject = new { currentPassword = curPassword, newPassword = newPass };var body = new JavaScriptSerializer().Serialize(pwdObject);var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

如果請求成功,這將返回 HTTP 204,我在獲取用戶令牌時也會捕獲 AADSTS50126 異常,因為這表明在獲取令牌時憑據無效.

I am trying to create a page in ASP.Net MVC to reset the current user's password. I am using Azure active directory for user authentication. To access, the user's AD information, I am using the C# Graph API client. My code is based on a sample found on GitHub

I am able to make changes to the user's information (such as city, state, email). However, when I attempt to change the password using the PasswordProfile attribute on the user object, I am getting an error saying I have insufficient permissions. I am attempting to change the password as the application and I believe that the source of the permission issue is with the application.

I found the following PowerShell script that is supposed to add the company administrator role to an application. However, the call to Get-MsolServicePrincipal does not return anything. Looking at the output of the command, I don't see any entries that even resemble the name of my application.

#-----------------------------------------------------------
# This will prompt you for your tenant's credential
# You should be able to use your your Azure AD administrative user name
# (in the admin@tenant.onmicrosoft.com format)
#-----------------------------------------------------------
import-module MSOnline
Connect-MsolService

#-----------------------------------------------------------
# Replace the Application Name with the name of your 
# Application Service Principal
#-----------------------------------------------------------
$displayName = "My Azure AD Application"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

#-----------------------------------------------------------
# This will add your Application Service Prinicpal to 
# the Company Administrator role
#-----------------------------------------------------------
$roleName = "Company Administrator"              
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

I guess my first question is am I correct that the permission issue is with application?

Second, what value to which I should be setting the $displayName variable?

解決方案

You need to ensure that your application configuration in Azure Active Directory has the appropriate permissions setup. Adding the rights using what you have above is overkill. You should be adding the required permissions only to your application in the directory.

As a starting point I would suggest you review the Graph API Consent Permission blog post here. You can only reset a password as an account or global administrator using traditional rights but you should be assigning application permissions.

"Read and write directory data" used to provide this permission however I believe this was removed. Now I believe the user has to consent using the OAuth authentication flow to be able to reset a password.

See the changePassword method on the currently logged in user for more information on this. I have a custom desktop application for users to reset their own passwords.

In my application I have the users authenticate to get an access token using their existing password (this also helps me validate their current credentials before changing the password).

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/" + Domain);
var ctx = new AuthenticationContext(authority, false);
var result = ctx.AcquireToken("https://graph.windows.net", "ClientID", credential);
return result.AccessToken;

The credential property is a UserCredential type using the users UPN and password. I then pass a web request to change the password.

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", UserAccessToken);
var requestUri = $"https://graph.windows.net/me/changePassword?api-version={Constants.ApiVersion}";
var pwdObject = new { currentPassword = curPassword, newPassword = newPass };
var body = new JavaScriptSerializer().Serialize(pwdObject);
var response = client.PostAsync(new Uri(requestUri), new StringContent(body, Encoding.UTF8, "application/json")).Result;

This returns a HTTP 204 if the request was successful, I also trap a AADSTS50126 exception when getting the user token as this indicates the credentials are invalid when obtaining the token.

這篇關于使用 Azure AD Graph 客戶端 API 更改用戶密碼的權限問題的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!

【網站聲明】本站部分內容來源于互聯網,旨在幫助大家更快的解決問題,如果有圖片或者內容侵犯了您的權益,請聯系我們刪除處理,感謝您的支持!

相關文檔推薦

ASP.NET Core authenticating with Azure Active Directory and persisting custom Claims across requests(ASP.NET Core 使用 Azure Active Directory 進行身份驗證并跨請求保留自定義聲明)
ASP.NET Core 2.0 Web API Azure Ad v2 Token Authorization not working(ASP.NET Core 2.0 Web API Azure Ad v2 令牌授權不起作用)
ASP Core Azure Active Directory Login use roles(ASP Core Azure Active Directory 登錄使用角色)
How do I get Azure AD OAuth2 Access Token and Refresh token for Daemon or Server to C# ASP.NET Web API(如何獲取守護進程或服務器到 C# ASP.NET Web API 的 Azure AD OAuth2 訪問令牌和刷新令牌) - IT屋-程序員軟件開發技
.Net Core 2.0 - Get AAD access token to use with Microsoft Graph(.Net Core 2.0 - 獲取 AAD 訪問令牌以與 Microsoft Graph 一起使用)
Azure KeyVault Active Directory AcquireTokenAsync timeout when called asynchronously(異步調用時 Azure KeyVault Active Directory AcquireTokenAsync 超時)
主站蜘蛛池模板: 亚洲视频免费在线观看 | 国产ts人妖一区二区三区 | 欧美亚洲成人网 | 欧美成人一区二区三区 | 不卡一区二区在线观看 | 操久久久| 成人一区av| 西西裸体做爰视频 | 欧美成人精品 | 精品美女久久久久久免费 | av喷水| 欧美性影院 | 国产一区二区三区久久久久久久久 | 一区视频 | 粉嫩av久久一区二区三区 | 四虎影院在线播放 | 97伦理电影网 | 美女久久久久久久久 | 国产精品揄拍一区二区 | 中文字幕亚洲一区二区va在线 | 色综合天天综合网国产成人网 | 91看片免费 | 成年网站在线观看 | 一区二区三区四区电影 | 亚洲精品一区二区三区中文字幕 | 激情国产| 一区二区三区在线电影 | 国产ts一区| 91久久国产综合久久91精品网站 | 国产伦精品一区二区三区照片91 | 色综合一区二区三区 | 99精品国产一区二区三区 | 99re视频精品 | 天天曰天天干 | 欧美一区二区在线看 | 亚洲 中文 欧美 日韩 在线观看 | 男人的天堂久久 | 国产成人免费视频网站视频社区 | 久久综合一区二区 | 亚洲成人一区二区 | 精品久久久久久亚洲精品 |