Authorization errors can occur as a result of several different issues, most of which generate a 403 error (with a few exceptions). For example, the following can all lead to authorization errors:
To resolve common authorization errors, try the steps described for the error that most closely matches the error you're getting. More than one error might apply. You can also check the answers already available on Microsoft Q&A for 401 errors and 403 errors. If you can't find a solution to your problem, ask a new question on Microsoft Q&A and tag with microsoft-graph*.
Make sure that your application is presenting a valid access token to Microsoft Graph as part of the request. This error often means that the access token may be missing in the HTTP authenticate request header or that the token is invalid or expired. We strongly recommend that you use the Microsoft Authentication Library (MSAL) for access token acquisition. Additionally, this error may occur if you try to use a delegated access token granted to a personal Microsoft account to access an API that only supports work or school accounts (organizational accounts).
Verify that you have requested the correct set of permissions based on the Microsoft Graph APIs your app calls. The least privileged permissions that we recommend are provided in all the Microsoft Graph API method reference articles. Additionally, the application must be granted those permissions by a user or an administrator. Granting permissions normally happens through a consent page or by granting permissions using the Microsoft Entra admin center application registration blade.
Make sure that the type of permissions requested or granted matches the type of access token that your app acquires. You might be requesting and granting application permissions but using delegated interactive code flow tokens instead of client credential flow tokens, or requesting and granting delegated permissions but using client credential flow tokens instead of delegated code flow tokens.
Currently, there are no application (daemon, service-to-service) permissions that allow resetting user passwords. These APIs are only supported using the interactive delegated code flows with a signed-in administrator.
For delegated code flows, Microsoft Graph evaluates whether the request is allowed based on the permissions granted to the app and the permissions that the signed-in user has. Generally, this error indicates that the user is not privileged enough to perform the request or the user is not licensed for the data being accessed. Only users with the required permissions or licenses can make the request successfully.
API services like Microsoft Graph check that the aud claim (audience) in the received access token matches the value they expect for themselves; if it doesn't, the result is a 403 Forbidden error. A common mistake that causes this error is trying to use a token acquired for Azure AD Graph APIs, Outlook APIs, or SharePoint/OneDrive APIs to call Microsoft Graph (or vice versa). Ensure that the resource (or scope) your app is acquiring a token for matches the API that the app is calling.
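The token checks described above (audience, expiry, and delegated versus application token type) can be run locally on a token your app has acquired. The following is an added example, not Microsoft's code: the function names are hypothetical, the sample tokens are constructed, and it relies on Microsoft Entra access tokens carrying delegated scopes in the `scp` claim and application permissions in the `roles` claim. It decodes the payload without verifying the signature, so it is a troubleshooting aid only.

```python
import base64
import json
import time

# Audience values Microsoft Graph accepts for itself (URI form and app ID form).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; the token may be opaque or truncated")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, needs_app_permissions, now=None):
    """List the reasons this token would be rejected, per the checks described above."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"aud is {aud!r}, not Microsoft Graph: expect 403")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired: expect 401")
    is_app_only = "roles" in claims and "scp" not in claims
    if needs_app_permissions and not is_app_only:
        problems.append("application permissions granted but token is delegated (scp)")
    if not needs_app_permissions and "scp" not in claims:
        problems.append("delegated permissions granted but token is app-only (no scp)")
    return problems

def make_token(claims):
    """Build an unsigned sample token (constructed for this example)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed samples: a token minted for Outlook APIs, and a client-credentials Graph token.
OUTLOOK_DELEGATED = make_token({"aud": "https://outlook.office.com", "scp": "Mail.Read", "exp": 2_000_000_000})
GRAPH_APP_ONLY = make_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"], "exp": 2_000_000_000})

if __name__ == "__main__":
    for name, tok, app in [("outlook", OUTLOOK_DELEGATED, False), ("graph-app", GRAPH_APP_ONLY, True)]:
        print(name, diagnose(tok, needs_app_permissions=app, now=1_700_000_000) or "ok")
```
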
Based on an organization's conditional access (CA) policies, a user accessing Microsoft Graph resources via your app might be challenged for additional information that is not present in the access token your app originally acquired. In this case, your app receives a 400 with an interaction_required error during access token acquisition or a 403 with an insufficient_claims error when calling Microsoft Graph. In both cases, the error response contains additional information that can be presented to the authorize endpoint to challenge the user for additional information (like multi-factor authentication or device enrollment).
Many Microsoft Graph APIs access Exchange Online. These APIs are subject to the EWS application policies of Exchange Online. Applications might receive 403 Forbidden errors with the following response body.
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access to OData is disabled."
  }
}
This might be caused by your organization's EWS access policies. An Exchange administrator can check this using the Exchange Online PowerShell module.
To determine whether an organization-wide policy is applied:
Get-OrganizationConfig | fl EwsApplicationAccessPolicy,EWS*List
To determine whether a user-specific policy is applied:
Get-CASMailbox <user-principal-name> | fl EwsApplicationAccessPolicy,EWS*List
If EwsApplicationAccessPolicy is set, then a policy is applied.
If EwsApplicationAccessPolicy is set to EnforceAllowList, your application's User-Agent value must be added to the EwsAllowList value.
If EwsApplicationAccessPolicy is set to EnforceBlockList, your application's User-Agent value must be removed from the EwsBlockList value.
Note: Changes to EWS application policies take time to take effect. Your application might continue to receive 403 Forbidden errors for some time after you make a change.
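To tell a conditional access challenge apart from an Exchange Online EWS policy block or a plain permissions problem, an app can triage the error response before deciding how to react. The following is an added example, not Microsoft's code: the function names are hypothetical, the sample responses are constructed, and it assumes the claims challenge arrives as `error` and base64-encoded `claims` parameters on a Bearer `WWW-Authenticate` header, a layout the page does not show.

```python
import base64
import json
import re

def claims_challenge(www_authenticate):
    """Return the decoded claims JSON from a Bearer challenge, or None if absent."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate or ""))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    return base64.b64decode(raw + "=" * (-len(raw) % 4)).decode()

def triage(status, headers, body):
    """Map a Microsoft Graph error response to the cause described on this page."""
    if status == 401:
        return ("token", "access token missing, invalid or expired")
    if status != 403:
        return ("other", f"HTTP {status} is not an authorization error covered here")
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    challenge = claims_challenge(lowered.get("www-authenticate"))
    if challenge:
        return ("conditional_access", challenge)
    try:
        error = json.loads(body)["error"]
    except (ValueError, TypeError, KeyError):
        error = {}
    if not isinstance(error, dict):
        error = {}
    if error.get("code") == "ErrorAccessDenied" and "OData is disabled" in error.get("message", ""):
        return ("ews_policy", "check EwsApplicationAccessPolicy and the EWS allow/block lists")
    return ("permissions", "check granted permissions, token type, aud claim, user role or licence")

# Constructed sample responses (not captured traffic).
CHALLENGE_JSON = '{"access_token":{"acrs":{"essential":true,"value":"c1"}}}'
CA_HEADERS = {"WWW-Authenticate": 'Bearer realm="", error="insufficient_claims", claims="%s"'
              % base64.b64encode(CHALLENGE_JSON.encode()).decode()}
EWS_BODY = '{"error": {"code": "ErrorAccessDenied", "message": "Access to OData is disabled."}}'

if __name__ == "__main__":
    print(triage(403, CA_HEADERS, ""))
    print(triage(403, {}, EWS_BODY))
```

The string returned for `conditional_access` is the value to send as the `claims` parameter on the next authorize request so the user can satisfy the policy interactively.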
Review any groups owned by the group that the application can't access. If there are nested groups where the parent group (a group that has other groups as members) has sufficient permission for the application to access it, but the child group (a group that is a member of another group) doesn't, access to both the child and the parent groups fails.
In some cases, an app can fail to read groups or service principals due to insufficient permissions. This failure can happen even where the app was previously able to read these groups (containing nested groups with insufficient permissions) or service principals, because of advances in security hardening taking place at Microsoft.