php microsoft graph: cannot perform the requested operation, required scopes are missing in the token

70gysomp posted on 2022-12-02 in PHP


I am calling a Microsoft Graph API from a PHP application; the API is **https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy**
My code is as follows

use Microsoft\Graph\Graph;   // microsoft/microsoft-graph PHP SDK

$graph = new Graph();
// Reuse the app-only token that the token-acquisition code below stored in the session
$graph->setAccessToken(session('my_token'));
try {
    // The SDK's default base URL is the v1.0 endpoint, which is why the error shows a v1.0 URL
    $response = $graph->createRequest("GET", "/policies/identitySecurityDefaultsEnforcementPolicy")->execute();
} catch (Exception $e) {
    dd($e);
}
$arr = $response->getBody();
dd($arr);

but it always catches an exception and shows the following error

Client error: `GET https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy` resulted in a `403 Forbidden` response:
{"error":{"code":"AccessDenied","message":"You cannot perform the requested operation, required scopes are missing in the token.","innerError":{"date":"2022-11-23T06:47:39","request-id":"9a4573c7-fd72-44ae-8ac6-8e4589cf1497","client-request-id":"9a4573c7-fd72-44ae-8ac6-8e4589cf1497"}}}

All the other Microsoft Graph APIs work fine.
I have also granted the Policy.Read.All permission and given admin consent to the Microsoft application I am using here.
Update: when I open Microsoft's online token parser https://jwt.ms/ and parse my token, I see the roles as follows

"roles": [
"Mail.ReadWrite",
"User.ReadWrite.All",
"SecurityEvents.Read.All",
"Mail.ReadBasic.All",
"Group.Read.All",
"MailboxSettings.Read",
"Group.ReadWrite.All",
"SecurityEvents.ReadWrite.All",
"User.Invite.All",
"Directory.Read.All",
"User.Read.All",
"Domain.Read.All",
"GroupMember.Read.All",
"Mail.Read",
"User.Export.All",
"IdentityRiskyUser.Read.All",
"Mail.Send",
"User.ManageIdentities.All",
"MailboxSettings.ReadWrite",
"Organization.Read.All",
"GroupMember.ReadWrite.All",
"IdentityRiskEvent.Read.All",
"Mail.ReadBasic",
"Reports.Read.All"
]

but it does not include Policy.Read.All
Update: the code that obtains the authentication token

use GuzzleHttp\Client;
use Illuminate\Support\Facades\Session;

$guzzle = new Client();
// Azure AD v1 token endpoint: identifies the API with 'resource' rather than 'scope'
$url = 'https://login.microsoftonline.com/'.env("TANANT_ID").'/oauth2/token?api-version=beta';
$token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => env("CLIENT_ID"),
        'client_secret' => env("CLIENT_SECRET"),
        'resource' => 'https://graph.microsoft.com/',
        'grant_type' => 'client_credentials',   // app-only token: granted application permissions appear in the 'roles' claim
    ],
])->getBody()->getContents());
// echo $token->access_token;
Session::put('my_token', $token->access_token);

rjee0c15 1#

When requesting the token you need to provide a scope URL,
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
So, as a basic example (this may not give you the permissions you need), this shows what you missed.

use GuzzleHttp\Client;
use Illuminate\Support\Facades\Session;

$guzzle = new Client();
$url = 'https://login.microsoftonline.com/'.env("TANANT_ID").'/oauth2/token?api-version=beta';
$token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => env("CLIENT_ID"),
        'client_secret' => env("CLIENT_SECRET"),
        'resource' => 'https://graph.microsoft.com/',
        'scope' => 'https://graph.microsoft.com/.default',   // added: request every consented Graph application permission
        'grant_type' => 'client_credentials',
    ],
])->getBody()->getContents());
// echo $token->access_token;
Session::put('my_token', $token->access_token);

Note in particular that I have added 'scope' => 'https://graph.microsoft.com/.default', to the form params.
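The following is an added example, not code from the question or from either answer. It does what the question did by hand with jwt.ms and what the answer above describes: it requests an app-only Graph token from the v2.0 client-credentials endpoint with the `.default` scope, decodes the token's payload locally, and refuses to call Graph if the `roles` claim lacks the application permission the request needs, so the problem surfaces as a clear message naming the missing role instead of a 403 from Graph. The environment variable names `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET`, the function names, and the use of `guzzlehttp/guzzle` via Composer are assumptions of this example.

```php
<?php
// Added example (not from the question or the answers). Assumes guzzlehttp/guzzle
// is installed through Composer and TENANT_ID, CLIENT_ID, CLIENT_SECRET are set
// in the environment; those names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

/**
 * Decode the payload of a compact JWT WITHOUT verifying its signature.
 * Only use this to inspect a token you just received from the issuer yourself
 * (what jwt.ms does); never use it to trust a token presented by a caller.
 */
function jwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWS (expected 3 segments)');
    }
    // JWT segments are base64url with the '=' padding stripped; restore both.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    if ($json === false) {
        throw new InvalidArgumentException('payload segment is not valid base64url');
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

/** Application permissions (app roles) carried by a client-credentials token. */
function tokenRoles(string $jwt): array
{
    return jwtPayload($jwt)['roles'] ?? [];
}

/** Required roles that are absent from the token; empty array means all present. */
function missingRoles(string $jwt, array $required): array
{
    return array_values(array_diff($required, tokenRoles($jwt)));
}

/** Fetch an app-only Graph token from the Azure AD v2.0 token endpoint. */
function fetchGraphToken(Client $http, string $tenant, string $clientId, string $secret): string
{
    $resp = $http->post("https://login.microsoftonline.com/{$tenant}/oauth2/v2.0/token", [
        'form_params' => [
            'client_id'     => $clientId,
            'client_secret' => $secret,
            // v2.0 takes 'scope' instead of 'resource'. '.default' asks for every
            // Graph application permission an admin has consented to for this app.
            'scope'         => 'https://graph.microsoft.com/.default',
            'grant_type'    => 'client_credentials',
        ],
    ]);
    $body = json_decode((string) $resp->getBody(), true, 512, JSON_THROW_ON_ERROR);
    return $body['access_token'];
}

// Stand-alone usage: acquire a token, then check it before touching Graph.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $token = fetchGraphToken(
        new Client(),
        (string) getenv('TENANT_ID'),
        (string) getenv('CLIENT_ID'),
        (string) getenv('CLIENT_SECRET')
    );
    $missing = missingRoles($token, ['Policy.Read.All']);
    if ($missing !== []) {
        // This is the condition Graph reports as 403 AccessDenied; report the exact
        // role so the fix (grant it, admin-consent, re-acquire the token) is obvious.
        fwrite(STDERR, 'token lacks app roles: ' . implode(', ', $missing) . PHP_EOL);
        exit(1);
    }
    echo "token carries Policy.Read.All; safe to GET /policies/identitySecurityDefaultsEnforcementPolicy\n";
}
```

Two points worth keeping in mind when using a check like this: the claims in a token are fixed when it is issued, so a token obtained before a permission was granted and consented keeps its old `roles` until it expires and a fresh one is requested; and a token cached in a session (as the question does) will keep reproducing the 403 for that reason even after the portal shows the permission as granted.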


643ylb08 2#

It looks like you do not have the Policy.Read.All permission; please cross-check the permissions in the Azure portal, grant the required permissions, and try again.
Thanks
