
Access denied when creating a shared mailbox using the OAuth client credentials flow

How to fix "Access is denied" when creating a shared mailbox with the OAuth client credentials flow

Short version:

How do I correctly set up the application permissions and/or role assignments and/or whatever else I am missing so that I can create a shared mailbox using an application ID / secret (OAuth client credentials)?

So far I have tried several combinations of permissions/roles, e.g. Exchange.ManageAsApp, User Administrator (fe930be7-5e62-47db-91af-98c3a49a38b1), Exchange Administrator (29232cdf-9323-42fd-ade2-1d097af3e4de) and others.

Details:

I have a bunch of PowerShell scripts that automate various tasks on Exchange Online. So far I have been using basic authentication, which I was able to convert successfully to the OAuth password flow.

But to get rid of the dependency on a service account completely, I would prefer to use the client credentials flow. Under the hood I am trying to do the following:

    // Acquire an app-only token (ADAL) for the Exchange Online resource
    var authenticationContext = new AuthenticationContext($"https://login.microsoftonline.com/{TenantId}", false, _tokenCache);
    var clientCredential = new ClientCredential(ClientId, ClientSecret);
    var authenticationResult = await authenticationContext.AcquireTokenAsync(Resource, clientCredential);
    // The bearer header is passed as the "password" of the remoting credential
    var username = "OAuthUser@" + TenantId;
    var password = authenticationResult.CreateAuthorizationHeader();
    var executor = new ExolExecutor(username, password);
    await executor.Execute(Script, cancellationToken);

where the executor does the usual:

  1. Creates a PSSession to https://outlook.office365.com/powershell-liveid?BasicAuthToOAuthConversion=true
  2. Executes the PowerShell script with
    using PowerShell powershell = PowerShell.Create();
    powershell.Runspace = runspace;
    powershell.AddScript(script);
    ...
    await Task.Factory.FromAsync(powershell.BeginInvoke(input, output), powershell.EndInvoke);

  3. Removes the PSSession

So far so good. This works perfectly with Get-Mailbox -ResultSize 1. However, when I try to create a new shared mailbox with New-Mailbox -Name "pko222" -DisplayName "pko222" -Alias "pko222" -Shared, I get:

CategoryInfo.Activity: New-MailBox
CategoryInfo.Category: 1001
CategoryInfo.Reason: ADOperationException
CategoryInfo.TargetName: 
CategoryInfo.targettype: 
ErrorDetails.Message: 
ErrorDetails.RecommendedAction: 
Exception.Message: Active Directory operation Failed on DB7PR01A03DC005.EURPR01A003.prod.outlook.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152612,problem 4003 (INSUFF_ACCESS_RIGHTS),data 0

FullyQualifiedErrorId: [Server=BEXP281MB0087,RequestId=88419a8e-78a4-4967-9bca-71d40feb5150,TimeStamp=10/6/2020 11:57:38 AM] [FailureCategory=Cmdlet-ADOperationException] 2C0312E5,Microsoft.Exchange.Management.RecipientTasks.NewMailBox

The JWT token looks like this:

{
    "aud": "https://outlook.office365.com",
    "iss": "https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/",
    "iat": 1601985127,
    "nbf": 1601985127,
    "exp": 1601989027,
    "aio": "E2RgYFCOsw1iZj34elV49CH5zyd5AQ==",
    "app_displayname": "XXXXXXXXXXX",
    "appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "appidacr": "1",
    "idp": "https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/",
    "oid": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
    "rh": "0.AAAAv9y4fwZQ_0G6_d1kLKJ_SaraXb_REQFHhc2EM1FNn9tIAAA.",
    "roles": [
        "User.Read.All",
        "full_access_as_app",
        "Mail.ReadWrite",
        "MailBoxSettings.ReadWrite",
        "User.ReadBasic.All",
        "MailBox.Migration",
        "Mail.Read",
        "Mail.Send",
        "MailBoxSettings.Read",
        "Exchange.ManageAsApp"
    ],
    "sid": "qqqqqqqq-qqqq-qqqq-qqqq-qqqqqqqqqqqq",
    "sub": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
    "tid": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
    "uti": "CRytfXbD80y3ATmQvd-VAQ",
    "ver": "1.0",
    "wids": [
        "29232cdf-9323-42fd-ade2-1d097af3e4de",
        "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
        "fe930be7-5e62-47db-91af-98c3a49a38b1",
        "9360feb5-f418-4baa-8175-e2a00bac4301",
        "62e90394-69f5-4237-9190-012177145e10",
        "0997a1d0-0d1d-4acb-b408-d5ca73121e90"
    ]
}

Solution

FYI, I managed to get it working on my side. You just need to add the following parameter to the connection URI:

&email=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@yourtenantname.onmicrosoft.com

So the connection URI looks like:

https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true&email=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@yourtenantname.onmicrosoft.com

Just change the "yourtenantname" part to ... your tenant name! Don't put the tenant GUID there!

https://docs.microsoft.com/en-us/answers/questions/451006/pssession-and-modern-auth.html
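Putting the answer's fix together with the asker's flow, as an added example (not the asker's ExolExecutor and not code from the linked thread): the connection URI carries the SystemMailbox email hint built from the tenant name, and the bearer header returned by CreateAuthorizationHeader() travels as the PSCredential password. WSManConnectionInfo and RunspaceFactory are the standard System.Management.Automation remoting APIs; the Microsoft.Exchange shell URI is the usual one for Exchange remoting and is an assumption here, as are the method names.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security;

// Added example: app-only Exchange Online PowerShell session using the
// BasicAuthToOAuthConversion endpoint plus the SystemMailbox hint from the answer.
public static class ExoAppOnlySession
{
    // Fixed local part from the answer; the domain must use the tenant *name*,
    // not the tenant GUID, or New-Mailbox fails with INSUFF_ACCESS_RIGHTS.
    private const string SystemMailboxLocalPart =
        "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}";

    public static Uri BuildConnectionUri(string tenantName) =>
        new Uri("https://outlook.office365.com/PowerShell-LiveId" +
                "?BasicAuthToOAuthConversion=true" +
                $"&email={SystemMailboxLocalPart}@{tenantName}.onmicrosoft.com");

    // authorizationHeader: the "Bearer eyJ..." string from
    // AuthenticationResult.CreateAuthorizationHeader(); tenantId: the tenant GUID.
    public static Collection<PSObject> Run(string tenantName, string tenantId,
                                           string authorizationHeader, string script)
    {
        var password = new SecureString();
        foreach (char c in authorizationHeader) password.AppendChar(c);
        password.MakeReadOnly();

        // Username convention from the question; the token is the "password".
        var credential = new PSCredential($"OAuthUser@{tenantId}", password);

        var connectionInfo = new WSManConnectionInfo(
            BuildConnectionUri(tenantName),
            "http://schemas.microsoft.com/powershell/Microsoft.Exchange",
            credential)
        {
            AuthenticationMechanism = AuthenticationMechanism.Basic,
            MaximumConnectionRedirectionCount = 5 // Exchange Online redirects
        };

        using var runspace = RunspaceFactory.CreateRunspace(connectionInfo);
        runspace.Open();
        using var ps = PowerShell.Create();
        ps.Runspace = runspace;
        ps.AddScript(script);
        return ps.Invoke(); // the runspace is closed when disposed
    }
}
```

A call such as ExoAppOnlySession.Run("contoso", tenantGuid, header, "Get-Mailbox -ResultSize 1") exercises the same path the asker used, with only the connection URI changed.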
