Azure Active Directory Application Permission Change Delay

一曲冷凌霜 submitted on 2019-12-10 17:25:11

Question


I am using Azure Active Directory to give my application access to the Microsoft Graph API.

When I make permission changes (e.g., read/write access for various types of data) I am noticing a delay between when the changes are saved and when I am able to access the new data through the API. I do notice, however, that after some time my API calls start to work. My questions are:

  1. Is this expected behavior?
  2. Is there documentation somewhere that explains what permissions are needed for each Microsoft Graph API request?

Note that I am requesting a new token after making each permission change, before making the relevant API request.


Answer 1:


When you changed your scopes (if you use Azure to manage those authorizations) you have to request new consent from your users. Be sure to be able to call "one time" the ADAL AcquireToken method, with the PromptBehavior.Always parameter. I think it will be enough to refresh your consents and make your new scopes available.

Here is some macro code I use:

        if (mustRefreshBecauseScopesHasChanged)
        {
            // Scopes changed: force an interactive prompt instead of reusing the token cache.
            authResult = await authContext.AcquireTokenAsync(GraphResourceId, ClientId, AppRedirectURI, PromptBehavior.Always);
        }
        else
        {
            // Normal path: try the cache / refresh token first, without any UI.
            authResult = await authContext.AcquireTokenSilentAsync(GraphResourceId, ClientId);

            // Fall back to an interactive sign-in only when the silent attempt fails.
            if (authResult.Status != AuthenticationStatus.Success && authResult.Error == "failed_to_acquire_token_silently")
                authResult = await authContext.AcquireTokenAsync(GraphResourceId, ClientId, AppRedirectURI, PromptBehavior.Auto);
        }


        if (authResult.Status != AuthenticationStatus.Success)
        {
            if (authResult.Error == "authentication_canceled")
            {
                // The user cancelled the sign-in, no need to display a message.
            }
            else
            {
                MessageDialog dialog = new MessageDialog(string.Format("If the error continues, please contact your administrator.\n\nError: {0}\n\n Error Description:\n\n{1}", authResult.Error, authResult.ErrorDescription), "Sorry, an error occurred while signing you in.");
                await dialog.ShowAsync();
            }
        }

For the scope permission details, you will find them here:

http://graph.microsoft.io/en-us/docs/authorization/permission_scopes



Source: https://stackoverflow.com/questions/36320767/azure-active-directory-application-permission-change-delay
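
As an added example (not part of the original question or answer, and not Microsoft's code): when a Graph call keeps failing after a permission change, decoding the access token you just received shows whether the new permission is actually in it. This Python diagnostic assumes the token is a JWT carrying delegated scopes in `scp` and application permissions in `roles`; the helper names, sample token and permission names are constructed for illustration.

```python
import base64
import json


def decode_claims(access_token: str) -> dict:
    """Return the payload (claims) of a JWT without verifying its signature.

    Diagnostic use only: never make an authorization decision from this.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Collect delegated scopes ('scp', space separated) and app roles ('roles', list)."""
    scopes = set(claims.get("scp", "").split())
    roles = claims.get("roles", [])
    return scopes | set(roles)


def missing_permissions(access_token: str, required: set) -> set:
    """Permissions the API call needs that this token does not carry."""
    return set(required) - granted_permissions(decode_claims(access_token))


def _make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Azure AD token)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "sig"])


# Constructed sample: a token issued before consent to Mail.Read was refreshed.
SAMPLE_TOKEN = _make_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read Calendars.Read"}
)

if __name__ == "__main__":
    needed = {"User.Read", "Mail.Read"}
    print("granted:", sorted(granted_permissions(decode_claims(SAMPLE_TOKEN))))
    print("missing:", sorted(missing_permissions(SAMPLE_TOKEN, needed)))
```

If `missing_permissions` returns a non-empty set for a freshly acquired token, the token was issued without the new permission, so the problem lies with consent or token caching rather than with the API request itself.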
