Microsoft Graph API authentication without the CLI
Question
From an environment where the Azure CLI is not and cannot be installed, how can I get an Auth token from a Service Principal? So I can run queries like:
curl -X GET -H 'Authorization: Bearer <auth-token>' \
https://graph.microsoft.com/beta/groups
With the CLI this is fairly simple, I have a tenant_id, an azure_client_id and an azure_client_secret:
az login --service-principal -u <az_client_id> -p <az_client_secret> --tenant <tenant_id>
and then run for example:
az rest --method get --url https://graph.microsoft.com/beta/groups
-- attempt 1
I do get an access token with request:
curl -X GET \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<azure-client-id>&resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d&client_secret=<azure-client-secret>' \
https://login.microsoftonline.com/<tenant-id>/oauth2/token
but it is apparently not valid for the Microsoft Graph API.
Answer 1
Score: 1
This works for me from Windows Command Prompt:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default" https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Result:
{
"token_type":"Bearer",
"expires_in":3599,
"ext_expires_in":3599,
"access_token":"eyJ0...LUEQ"
}
You are missing scope=https://graph.microsoft.com/.default, the request URL should be https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token and the method should be POST.
I used double quotes instead of single quotes for header and body parameters.
Resources:
Answer 2
Score: 0
I agree with @user2250152, you are using the wrong resource value to generate the access token.
You can just change the value of the resource parameter to https://graph.microsoft.com while generating the access token like below:
curl -X GET \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<azure-client-id>&resource=https://graph.microsoft.com&client_secret=<azure-client-secret>' \
https://login.microsoftonline.com/<tenant-id>/oauth2/token
When I ran the same in Postman, I got an access token with Microsoft Graph as resource like below:
Now, use the below curl command to run the Graph query by including the above access token like this:
curl -X GET -H 'Authorization: Bearer <auth-token>' \
https://graph.microsoft.com/beta/groups
When I ran the same query in Postman, I got groups successfully like below:
GET https://graph.microsoft.com/beta/groups
Authorization: Bearer <auth-token>
Response:
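Added example (not part of either answer or of any Microsoft code): a Python sketch that builds the v2.0 client-credentials request from Answer 1 and checks a token's aud claim, the first thing to inspect when Graph rejects a token. The function names are hypothetical, the sample tokens are constructed and unsigned, and their aud values are assumed to mirror the resource or scope that was requested.

```python
import base64
import json
import urllib.parse
import urllib.request

# Audiences Microsoft Graph accepts: its URI and its well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request against the v2.0 endpoint, as in Answer 1."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    # Passing data together with method="POST" sends a form-encoded POST body.
    return urllib.request.Request(url, data=body, method="POST")


def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_graph_token(token):
    """True when the token's aud claim names Microsoft Graph."""
    aud = str(jwt_claims(token).get("aud", "")).rstrip("/")
    return aud in GRAPH_AUDIENCES


def make_sample_token(claims):
    """Constructed, unsigned sample token so the check runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    # aud taken from the resource value used in the question's attempt 1.
    wrong = make_sample_token({"aud": "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"})
    right = make_sample_token({"aud": "https://graph.microsoft.com"})
    print(is_graph_token(wrong), is_graph_token(right))
```

To use it against a live tenant, pass the request to urllib.request.urlopen and feed the access_token field of the JSON response to is_graph_token; keep the client secret out of shell history and logs.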