Adding a group member fails with the application level "GroupMember.ReadWrite.All" permissions – works with "Group.ReadWrite.All"

huangapple go评论78阅读模式
英文:

Adding a group member fails with the application level "GroupMember.ReadWrite.All" permissions - works with "Group.ReadWrite.All"

问题

根据msdocs,仅具有"GroupMember.ReadWrite.All"应用程序级权限就足以将成员添加到安全组中。

我收到了授权错误(如下所示)- 如果我授予"Group.ReadWrite.All"权限,它按预期工作。

我是否错过了一些明显的东西?

语言是PowerShell - 与Graph API v1.0连接,使用"client_credentials"授权类型

错误消息:

Invoke-RestMethod:{
"error": {
"code": "Authorization_RequestDenied",
"message": "权限不足以完成操作。",
"innerError": {
"request-id": "71b06588-f9a2-48ef-ac3f-5223899cad68",
"date": "2020-01-03T09:30:31"
}
}
}

英文:

According to msdocs it should be sufficient to have the "GroupMember.ReadWrite.All" application level permissions to add members to a security group

I get an authorization error (see below) - it works as expected if I grant the "Group.ReadWrite.All" permissions

Did I miss something obvious here?

Language is PowerShell - connected to the Graph API v1.0 with the "client_credentials" grant type

Error message:

Invoke-RestMethod : {
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "71b06588-f9a2-48ef-ac3f-5223899cad68",
      "date": "2020-01-03T09:30:31"
    }
  }
}

答案1

得分: 2

Add member 端点文档 指出对于 Application 权限类型,需要以下权限之一:

> GroupMember.ReadWrite.AllGroup.ReadWrite.All
> Directory.ReadWrite.All

但是,似乎还取决于组类型

  • 对于 Office365 组,以下权限之一即可:GroupMember.ReadWrite.AllGroup.ReadWrite.All
  • 而对于 Security 组,除了需要 GroupMember.ReadWrite.All 权限外,还需要指定 Directory.ReadWrite.All

因此,解决方案是同时指定权限 Directory.ReadWrite.AllGroupMember.ReadWrite.All

英文:

Add member endpoint documentation states that for Application permission type one the following permissions are required:

> GroupMember.ReadWrite.All, Group.ReadWrite.All and
> Directory.ReadWrite.All

But, it appears, it also varies based on group type:

  • for Office365 group, one of the following permissions are
    sufficient: GroupMember.ReadWrite.All or Group.ReadWrite.All
  • while for Security group, along with GroupMember.ReadWrite.All permission, Directory.ReadWrite.All needs to be specified as well

So, the solution would be to specify permission Directory.ReadWrite.All along with GroupMember.ReadWrite.All

huangapple
  • 本文由 发表于 2020年1月3日 17:41:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/59576202.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定