azure - Getting users from MS Graph API with a $filter causes 403 for some users
问题描述
We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions. One of the things it does is get a list of users via the /users endpoint.
Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName
,
everything worked fine.
But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType
.
Now some of the users get a 403 Forbidden when we try to make the query. What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.
This user is themselves a Guest user, and has the Guest Inviter directory role. This gives them the ability to read all users. I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).
The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.
My theory is that the user does not have permission to access the userType
property, and this causes the 403.
It is probably part of the "full profile".
Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read
, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks
.
My question is, what do I need to do to enable this query for the user? I would like to avoid giving them Global Admin in this case.
The application's token has the following scopes:
- Directory.AccessAsUser.All
- User.Read
We used a less privileged scope before, but we needed to add features that required higher privileges. The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.
The application is also registered as a Native app, if that makes a difference.
Signing out and signing back in (to refresh the token) also does not help. This problem occurs with a fresh sign-in with the same scopes in the token. The only difference is the role of the user in AAD.
Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.
解决方案
Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.
推荐阅读
- html - 无法获取第一个嵌套订单列表 html
- swift - Swift AVQueuePlayer 完成播放视频
- node.js - 禁用或删除 npm 包中的某些功能
- shake-build-system - 如何在 Shake 中获取控制台输入?
- python - 气流:无法使用 Bigquery 挂钩创建视图
- sql-server - SSRS 2008 查询:来自所选参数的表名
- go - 是否可以使用 Bazel 构建 Go 库而不是二进制文件?
- javascript - 裁剪图像时出错
- asp.net - 从 Ajax 响应中的 WebSerice 返回 json 对象
- python - 获取表示 Python 中特定时间最近出现的日期时间对象