如何使用Microsoft Graph API创建用户(来自Graph Explorer和Java应用程序)
我是Microsoft Graph API的新手.我已经阅读了很多Web文章,以了解Microosft Garph API在Azure AD中管理用户的用法.我正在创建一个基于Springboot的REST API服务,该服务需要在Azure AD中创建用户.
I am new to Microsoft Graph API. I have read many articles on the web to understand the usage of Microosft Garph API for managing users in Azure AD. I am creating a Springboot based REST API service, which needs to create users in Azure AD.
我已经在Azure Active Directory中注册了我的应用程序.我还具有Microsoft Graph API的"Directory.ReadWrite.All"权限.我想首先尝试从Microsoft Garph Explorer创建用户.在Graph Explorer中,我必须在Request标头中提供授权令牌.授权令牌,我已按照链接 https://中给出的说明进行操作docs.microsoft.com/en-us/graph/auth-v2-user .我已根据该指令创建了以下URL,以获取访问令牌.
I have registered my application in Azure Active Directory. I have also 'Directory.ReadWrite.All" permission for Microsoft Graph API. I wanted to first try to create the user from Microsoft Garph explorer. In the Graph Explorer, I have to give authorization token in the Request header. In order to create authorization token, I have followed the instruction given in the link https://docs.microsoft.com/en-us/graph/auth-v2-user. I have created the following URL based on the instruction, for obtaining Access token.
https://login.microsoftonline.com/{mytenantID}/oauth2/v2.0/authorize?client_id=validclientID&response_type=code&redirect_uri=https://localhost:4200&response_mode=query&scope=Directory.ReadWrite.All&state=12345
从网络浏览器访问上述URL时,我收到一条消息,提示需要管理员批准".我不是Azure AD的管理员,并且无法访问我的客户端的管理员,因此我真的很困惑.有人可以帮助我理解我每次需要通过MS Graph API访问Azure AD的创建用户"功能时是否都必须征得管理员同意吗? .我还需要在Springboot API中创建用户功能.在这种情况下,管理员同意书"将如何工作?无论如何,未经管理员同意,创建用户功能是否可以正常工作.
When the above URL is accessed from the web browser, I get a message which says "Need Admin Approval". I am not the admin of the Azure AD and I do not have access to the admin of my client, so I am really stuck. Can anybody help me understand whether I will have to get admin consent each time I need to access "create user" functionality of Azure AD through MS Graph API? . I would also also need the create user functionaltiy in the Springboot API. In this case, how would Admin Consent work?. Is there anyway that the create user functionality can work without Admin consent.
在发布此问题之前,我已经阅读了SO中的以下两个问题
I have read the following two questions in SO before posting this question
如果只想在租户中创建用户,则可以按照以下步骤操作:
if you just want to create a user in your tenant , you can follow the steps below :
-
在您的租户中创建一个新的Azure AD应用,请您的租户管理员向该应用授予"Directory.ReadWrite.All"权限:
Create a new Azure AD app in your tenant, ask your tenant admin to grant "Directory.ReadWrite.All" permission to this app :
为您的Azure AD应用程序创建应用程序密钥: 使用此机密和此Azure AD应用ID来获取access_token来调用Microsoft Graph API:
Create a app secret for your Azure AD app : Use this secret and this Azure AD app ID to get access_token to call Microsoft Graph API :
请求网址:
POST https://login.microsoftonline.com/<-您的租户名称->/oauth2/v2.0/token
POST https://login.microsoftonline.com/<-your tenant name->/oauth2/v2.0/token
请求标头:
Content-Type:应用程序/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
请求正文:
grant_type:client_credentials
grant_type:client_credentials
client_id:您的客户ID
client_id:your client Id
client_secret:您的应用程序密码
client_secret: Your application secret
scope = https://graph.microsoft.com/.default
您将从此API调用中获取一个access_token.
You will get an access_token from this API calling.
请参见下面的屏幕截图:
See the screen shot below:
3.使用我们刚刚创建的access_token调用Microsoft Graph API来创建用户:
3. Using the access_token we just created to call Microsoft Graph API to create a user :
如您所见,已经创建了一个用户:
As you can see , a user has been created :
如果您还有其他疑问,请随时告诉我:)
If you have any further concerns , pls feel free to let me know : )