问题
I'm using an application identity from Azure AD with both read write permission granted, I've also run the Grant-CsApplicationAccessPolicy so that the application identity has right to create online meeting on behalf of a real user identity from Azure AD
I know my setup works with get user from the graph api. However, I'm getting error after running the following:
var confidentialClient = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
.WithClientSecret(clientSecret)
.Build();
GraphServiceClient graphServiceClient =
new GraphServiceClient("https://graph.microsoft.com/beta", new DelegateAuthenticationProvider(async (requestMessage) =>
{
var authResult = await confidentialClient
.AcquireTokenForClient(scopes)
.ExecuteAsync();
requestMessage.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
})
);
var onlineMeeting = new OnlineMeeting
{
StartDateTime = DateTimeOffset.Parse("2020-12-25T21:30:34.2444915+00:00"),
EndDateTime = DateTimeOffset.Parse("2020-12-25T22:00:34.2464912+00:00"),
Subject = "User Token Meeting 1"
};
var meetingInstance = await graphServiceClient.Me.OnlineMeetings
.Request()
.AddAsync(onlineMeeting);
The error message is as follow, why would it say User look up by user id failed in AAD?
Status: NotFound (404) OperationId: 8d06ff01-1dc3-49d1-9ced-9db6a919b162
ClientCorrelationId: 53b4478e-ba86-48ca-bb5b-25e5ef50c187
Server error: User lookup by user id failed in AAD.
Client exception: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.
Inner error:
AdditionalData:
date: 2020-12-16T21:08:31
request-id: d60858cf-5ef5-4a0d-8d67-181f80ed6c35
client-request-id: d60858cf-5ef5-4a0d-8d67-181f80ed6c35
ClientRequestId: d60858cf-5ef5-4a0d-8d67-181f80ed6c35
at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken) at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption) at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption) at MSTeam.Program.Main(String[] args) in D:\VSTS\msteam\MSTeam\MSTeam\Program.cs:line 62
回答1:
Dev is correct.
Based on this document:
Request when using an application token:
POST /users/{userId}/onlineMeetings.
So you should use graphServiceClient.Users["{userId}"].OnlineMeetings instead of graphServiceClient.Me.OnlineMeetings here.
userId is the object ID of a user. When you Configure application access policy, you need to grant the policy to the user:
Grant-CsApplicationAccessPolicy -PolicyName Test-policy -Identity "ddb80e06-92f3-4978-bc22-a0eee85e6a9e"
ddb80e06-92f3-4978-bc22-a0eee85e6a9e is exactly the userId.
My code for your reference:
// Configure the MSAL client as a confidential client
var confidentialClient = ConfidentialClientApplicationBuilder
.Create("{client_id}")
.WithTenantId("{tenant_id}")
.WithClientSecret("{client_secret}")
.Build();
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClient);
GraphServiceClient graphServiceClient = new GraphServiceClient(authProvider);
var onlineMeeting = new OnlineMeeting
{
StartDateTime = DateTimeOffset.Parse("2021-01-12T21:30:34.2444915+00:00"),
EndDateTime = DateTimeOffset.Parse("2021-01-12T22:00:34.2464912+00:00"),
Subject = "User Token Meeting123"
};
var meeting = await graphServiceClient.Users["{userId}"].OnlineMeetings
.Request()
.AddAsync(onlineMeeting);
来源:https://stackoverflow.com/questions/65405991/fail-to-create-online-meeting-with-application-identity-with-graphserviceclient