以编程方式授予或撤销 API 权限

项目
03/21/2024

向 Microsoft Entra ID 中的客户端应用授予 API 权限时，权限授予将记录为可以像数据一样访问、更新或删除的对象。使用 Microsoft Graph 直接创建权限授予是交互式许可的编程替代方法，可用于组织中的自动化方案、批量管理或其他自定义操作。

本指南介绍如何使用 Microsoft Graph 为应用授予和撤销应用角色。 应用角色（也称为 应用程序权限或 直接访问权限）允许应用使用自己的标识调用 API。

警告

注意！以编程方式授予的权限不受评审或确认的约束。它们立即生效。

先决条件

若要完成这些说明，需要以下资源和特权：

工作Microsoft Entra租户。
你将以用户身份运行本文中的请求。必须完成以下步骤：
- 以有权在租户中创建应用程序的用户身份登录到 API 客户端（例如 Graph 资源管理器）。
- 在已登录的应用中，代表已登录用户同意 Application.Read.All 和 AppRoleAssignment.ReadWrite.All 委托的权限。无需代表组织同意。
- 获取要向其授予应用角色的客户端服务主体的对象 ID。在本文中，客户端服务主体由 ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94标识。在Microsoft Entra 管理中心中，转到“标识>应用程序”“>企业应用程序>”“应用应用程序”以查找客户端服务主体。选择它，然后在 “概述 ”页上复制“对象 ID”值。

警告

已授予 AppRoleAssignment.ReadWrite.All 权限的应用只能由相应的用户访问。

步骤 1：获取资源服务主体的 appRoles

必须先确定要授予的应用角色以及公开应用角色的资源服务主体，然后才能授予应用角色。应用角色在服务主体的 appRoles 对象中定义。在本文中，你将使用租户中的 Microsoft Graph 服务主体作为资源服务主体。

请求

以下请求检索租户中 Microsoft Graph 服务主体定义的应用角色。

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,appRoles


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "displayName eq 'Microsoft Graph'";
	requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","appId","appRoles" };
});


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc service-principals list --filter "displayName eq 'Microsoft Graph'" --select "id,displayName,appId,appRoles"



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



requestFilter := "displayName eq 'Microsoft Graph'"

requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
	Select: [] string {"id","displayName","appId","appRoles"},
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "displayName eq 'Microsoft Graph'";
	requestConfiguration.queryParameters.select = new String []{"id", "displayName", "appId", "appRoles"};
});


const options = {
	authProvider,
};

const client = Client.init(options);

let servicePrincipals = await client.api('/servicePrincipals')
	.filter('displayName eq \'Microsoft Graph\'')
	.select('id,displayName,appId,appRoles')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\ServicePrincipalsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ServicePrincipalsRequestBuilderGetRequestConfiguration();
$queryParameters = ServicePrincipalsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "displayName eq 'Microsoft Graph'";
$queryParameters->select = ["id","displayName","appId","appRoles"];
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->servicePrincipals()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Applications

Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property "id,displayName,appId,appRoles"


from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder

graph_client = GraphServiceClient(credentials, scopes)

query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
		filter = "displayName eq 'Microsoft Graph'",
		select = ["id","displayName","appId","appRoles"],
)

request_configuration = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetRequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.service_principals.get(request_configuration = request_configuration)

响应

以下对象是响应的示例。

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,displayName,appId,appRoles)",
    "value": [
        {
            "id": "7ea9e944-71ce-443d-811c-71e8047b557a",
            "displayName": "Microsoft Graph",
            "appId": "00000003-0000-0000-c000-000000000000",
            "appRoles": [
                {
                    "allowedMemberTypes": [
                        "Application"
                    ],
                    "description": "Allows the app to read user profiles without a signed in user.",
                    "displayName": "Read all users' full profiles",
                    "id": "df021288-bdef-4463-88db-98f22de89214",
                    "isEnabled": true,
                    "origin": "Application",
                    "value": "User.Read.All"
                }
            ]
        }
    ]
}

步骤 2：向客户端服务主体授予应用角色

在此步骤中，你将向应用授予 Microsoft Graph 公开的应用角色，从而创建 应用角色分配。在步骤 1 中，Microsoft Graph 的对象 ID 为 7ea9e944-71ce-443d-811c-71e8047b557a ，应用角色 User.Read.All 由 ID df021288-bdef-4463-88db-98f22de89214标识。

请求

以下请求授予客户端应用 (ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94 的主体) ID df021288-bdef-4463-88db-98f22de89214 的应用角色，该角色由 ID 7ea9e944-71ce-443d-811c-71e8047b557a的资源服务主体公开。

注意

如果使用 Python SDK，请导入以下库：

from msgraph.generated.models.app_role_assignment import AppRoleAssignment
from msgraph.generated.models.service_principal import ServicePrincipal

POST https://graph.microsoft.com/v1.0/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo
Content-Type: application/json

{
    "principalId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
    "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AppRoleAssignment
{
	PrincipalId = Guid.Parse("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"),
	ResourceId = Guid.Parse("7ea9e944-71ce-443d-811c-71e8047b557a"),
	AppRoleId = Guid.Parse("df021288-bdef-4463-88db-98f22de89214"),
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignedTo.PostAsync(requestBody);


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc service-principals app-role-assigned-to create --service-principal-id {servicePrincipal-id} --body '{\
    "principalId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",\
    "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",\
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214"\
}\
'



import (
	  "context"
	  "github.com/google/uuid"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewAppRoleAssignment()
principalId := uuid.MustParse("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94")
requestBody.SetPrincipalId(&principalId) 
resourceId := uuid.MustParse("7ea9e944-71ce-443d-811c-71e8047b557a")
requestBody.SetResourceId(&resourceId) 
appRoleId := uuid.MustParse("df021288-bdef-4463-88db-98f22de89214")
requestBody.SetAppRoleId(&appRoleId) 

appRoleAssignedTo, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignedTo().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.setPrincipalId(UUID.fromString("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"));
appRoleAssignment.setResourceId(UUID.fromString("7ea9e944-71ce-443d-811c-71e8047b557a"));
appRoleAssignment.setAppRoleId(UUID.fromString("df021288-bdef-4463-88db-98f22de89214"));
AppRoleAssignment result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignedTo().post(appRoleAssignment);


const options = {
	authProvider,
};

const client = Client.init(options);

const appRoleAssignment = {
    principalId: 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94',
    resourceId: '7ea9e944-71ce-443d-811c-71e8047b557a',
    appRoleId: 'df021288-bdef-4463-88db-98f22de89214'
};

await client.api('/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo')
	.post(appRoleAssignment);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AppRoleAssignment;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AppRoleAssignment();
$requestBody->setPrincipalId('b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94');
$requestBody->setResourceId('7ea9e944-71ce-443d-811c-71e8047b557a');
$requestBody->setAppRoleId('df021288-bdef-4463-88db-98f22de89214');

$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->appRoleAssignedTo()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	principalId = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"
	resourceId = "7ea9e944-71ce-443d-811c-71e8047b557a"
	appRoleId = "df021288-bdef-4463-88db-98f22de89214"
}

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipalId -BodyParameter $params


from msgraph import GraphServiceClient
from msgraph.generated.models.app_role_assignment import AppRoleAssignment

graph_client = GraphServiceClient(credentials, scopes)

request_body = AppRoleAssignment(
	principal_id = UUID("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"),
	resource_id = UUID("7ea9e944-71ce-443d-811c-71e8047b557a"),
	app_role_id = UUID("df021288-bdef-4463-88db-98f22de89214"),
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assigned_to.post(request_body)

响应

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('7ea9e944-71ce-443d-811c-71e8047b557a')/appRoleAssignedTo/$entity",
    "id": "47nZsM8O_UuNq5Jz3QValCxBBiqJea9Drc9CMK4Ru_M",
    "deletedDateTime": null,
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214",
    "createdDateTime": "2022-05-18T15:37:21.8215423Z",
    "principalDisplayName": "My application",
    "principalId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
    "principalType": "ServicePrincipal",
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a"
}

确认应用角色分配

若要确认向资源服务主体分配角色的所有主体，请运行以下请求。

请求

GET https://graph.microsoft.com/v1.0/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignedTo.GetAsync();


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc service-principals app-role-assigned-to list --service-principal-id {servicePrincipal-id}



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



appRoleAssignedTo, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignedTo().Get(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AppRoleAssignmentCollectionResponse result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignedTo().get();


const options = {
	authProvider,
};

const client = Client.init(options);

let appRoleAssignedTo = await client.api('/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->appRoleAssignedTo()->get()->wait();


Import-Module Microsoft.Graph.Applications

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipalId


from msgraph import GraphServiceClient

graph_client = GraphServiceClient(credentials, scopes)


result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assigned_to.get()

响应

响应对象包括资源服务主体的应用角色分配集合，以及使用 POST 请求创建的应用角色分配。

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('7ea9e944-71ce-443d-811c-71e8047b557a')/appRoleAssignedTo",
    "value": [
        {
            "id": "47nZsM8O_UuNq5Jz3QValCxBBiqJea9Drc9CMK4Ru_M",
            "deletedDateTime": null,
            "appRoleId": "df021288-bdef-4463-88db-98f22de89214",
            "createdDateTime": "2022-05-18T15:37:21.8997216Z",
            "principalDisplayName": "My application",
            "principalId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
            "principalType": "ServicePrincipal",
            "resourceDisplayName": "Microsoft Graph",
            "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a"
        }
    ]
}

步骤 3：从客户端服务主体撤消应用角色分配

请求

DELETE https://graph.microsoft.com/v1.0/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo/47nZsM8O_UuNq5Jz3QValCxBBiqJea9Drc9CMK4Ru_M


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignedTo["{appRoleAssignment-id}"].DeleteAsync();


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc service-principals app-role-assigned-to delete --service-principal-id {servicePrincipal-id} --app-role-assignment-id {appRoleAssignment-id}



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignedTo().ByAppRoleAssignmentId("appRoleAssignment-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignedTo().byAppRoleAssignmentId("{appRoleAssignment-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo/47nZsM8O_UuNq5Jz3QValCxBBiqJea9Drc9CMK4Ru_M')
	.delete();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->appRoleAssignedTo()->byAppRoleAssignmentId('appRoleAssignment-id')->delete()->wait();


Import-Module Microsoft.Graph.Applications

Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipalId -AppRoleAssignmentId $appRoleAssignmentId


from msgraph import GraphServiceClient

graph_client = GraphServiceClient(credentials, scopes)


await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assigned_to.by_app_role_assignment_id('appRoleAssignment-id').delete()

响应

HTTP/1.1 204 No Content

总结

你已了解如何管理服务主体的应用角色授予。这种使用 Microsoft Graph 授予权限的方法是一种替代的交互式同意方法，应谨慎使用。

本指南介绍如何使用 Microsoft Graph 授予和撤销应用的委托权限。 委托的权限（也称为范围或 OAuth2 权限）允许应用代表已登录用户调用 API。

警告

注意！以编程方式授予的权限不受评审或确认的约束。它们立即生效。

先决条件

若要完成这些说明，需要以下资源和特权：

工作Microsoft Entra租户。
你将以用户身份运行本文中的请求。必须完成以下步骤：
- 以有权在租户中创建应用程序的用户身份登录到 API 客户端（例如 Graph 资源管理器）。
- 在已登录的应用中，代表已登录用户同意 Application.Read.All、 DelegatedPermissionGrant.ReadWrite.All 委派权限。无需代表组织同意。
- 获取将代表用户向其授予委派权限的客户端服务主体的对象 ID。在本文中，客户端服务主体由 ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94标识。

警告

已授予 DelegatedPermissionGrant.ReadWrite.All 权限的应用只能由相应的用户访问。

步骤 1：获取资源服务主体的委托权限

必须先确定要授予的委托权限以及公开委派权限的资源服务主体，然后才能授予委派权限。委托的权限在服务主体的 oauth2PermissionScopes 对象中定义。在本文中，你将使用租户中的 Microsoft Graph 服务主体作为资源服务主体。

请求

以下请求检索租户中 Microsoft Graph 服务主体定义的委托权限。

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,oauth2PermissionScopes


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "displayName eq 'Microsoft Graph'";
	requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","appId","oauth2PermissionScopes" };
});


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc service-principals list --filter "displayName eq 'Microsoft Graph'" --select "id,displayName,appId,oauth2PermissionScopes"



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



requestFilter := "displayName eq 'Microsoft Graph'"

requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
	Select: [] string {"id","displayName","appId","oauth2PermissionScopes"},
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "displayName eq 'Microsoft Graph'";
	requestConfiguration.queryParameters.select = new String []{"id", "displayName", "appId", "oauth2PermissionScopes"};
});


const options = {
	authProvider,
};

const client = Client.init(options);

let servicePrincipals = await client.api('/servicePrincipals')
	.filter('displayName eq \'Microsoft Graph\'')
	.select('id,displayName,appId,oauth2PermissionScopes')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\ServicePrincipalsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ServicePrincipalsRequestBuilderGetRequestConfiguration();
$queryParameters = ServicePrincipalsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "displayName eq 'Microsoft Graph'";
$queryParameters->select = ["id","displayName","appId","oauth2PermissionScopes"];
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->servicePrincipals()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Applications

Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property "id,displayName,appId,oauth2PermissionScopes"


from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder

graph_client = GraphServiceClient(credentials, scopes)

query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
		filter = "displayName eq 'Microsoft Graph'",
		select = ["id","displayName","appId","oauth2PermissionScopes"],
)

request_configuration = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetRequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.service_principals.get(request_configuration = request_configuration)

响应

以下对象是响应的示例。

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,displayName,appId,oauth2PermissionScopes)",
    "value": [
        {
            "id": "7ea9e944-71ce-443d-811c-71e8047b557a",
            "displayName": "Microsoft Graph",
            "appId": "00000003-0000-0000-c000-000000000000",
            "oauth2PermissionScopes": [
                {
                    "adminConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
                    "adminConsentDisplayName": "Read all users' full profiles",
                    "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
                    "isEnabled": true,
                    "type": "Admin",
                    "userConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
                    "userConsentDisplayName": "Read all users' full profiles",
                    "value": "User.Read.All"
                },
                {
                    "adminConsentDescription": "Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user.  Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. ",
                    "adminConsentDisplayName": "Read all groups",
                    "id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
                    "isEnabled": true,
                    "type": "Admin",
                    "userConsentDescription": "Allows the app to list groups, and to read their properties and all group memberships on your behalf.  Also allows the app to read calendar, conversations, files, and other group content for all groups you can access.  ",
                    "userConsentDisplayName": "Read all groups",
                    "value": "Group.Read.All"
                }                
            ]
        }
    ]
}

步骤 2：代表用户向客户端服务主体授予委托权限

请求

在此步骤中，你将代表用户向应用授予 Microsoft Graph 公开的委托权限，从而创建 委派权限授予。

在步骤 1 中，租户中 Microsoft Graph 的对象 ID 为 7ea9e944-71ce-443d-811c-71e8047b557a
委托的权限 User.Read.All 和 Group.Read.All 分别由全局唯一 ID a154be20-db9c-4678-8ab7-66f6cc099a59 和 5f8c59db-677d-491f-a6b8-5f174b11ec1d 标识。
主体是由 ID 3fbd929d-8c56-4462-851e-0eb9a7b3a2a5标识的用户。
客户端服务主体由 ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94标识。这是服务主体的对象 ID ， 而不是 其 appId。

POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants
Content-Type: application/json

{
    "clientId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
    "consentType": "Principal",
    "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",
    "principalId": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
    "scope": "User.Read.All Group.Read.All"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new OAuth2PermissionGrant
{
	ClientId = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
	ConsentType = "Principal",
	ResourceId = "7ea9e944-71ce-443d-811c-71e8047b557a",
	PrincipalId = "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
	Scope = "User.Read.All Group.Read.All",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Oauth2PermissionGrants.PostAsync(requestBody);


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc oauth2-permission-grants create --body '{\
    "clientId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",\
    "consentType": "Principal",\
    "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",\
    "principalId": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",\
    "scope": "User.Read.All Group.Read.All"\
}\
'



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewOAuth2PermissionGrant()
clientId := "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"
requestBody.SetClientId(&clientId) 
consentType := "Principal"
requestBody.SetConsentType(&consentType) 
resourceId := "7ea9e944-71ce-443d-811c-71e8047b557a"
requestBody.SetResourceId(&resourceId) 
principalId := "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
requestBody.SetPrincipalId(&principalId) 
scope := "User.Read.All Group.Read.All"
requestBody.SetScope(&scope) 

oauth2PermissionGrants, err := graphClient.Oauth2PermissionGrants().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

OAuth2PermissionGrant oAuth2PermissionGrant = new OAuth2PermissionGrant();
oAuth2PermissionGrant.setClientId("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94");
oAuth2PermissionGrant.setConsentType("Principal");
oAuth2PermissionGrant.setResourceId("7ea9e944-71ce-443d-811c-71e8047b557a");
oAuth2PermissionGrant.setPrincipalId("3fbd929d-8c56-4462-851e-0eb9a7b3a2a5");
oAuth2PermissionGrant.setScope("User.Read.All Group.Read.All");
OAuth2PermissionGrant result = graphClient.oauth2PermissionGrants().post(oAuth2PermissionGrant);


const options = {
	authProvider,
};

const client = Client.init(options);

const oAuth2PermissionGrant = {
    clientId: 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94',
    consentType: 'Principal',
    resourceId: '7ea9e944-71ce-443d-811c-71e8047b557a',
    principalId: '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5',
    scope: 'User.Read.All Group.Read.All'
};

await client.api('/oauth2PermissionGrants')
	.post(oAuth2PermissionGrant);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\OAuth2PermissionGrant;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new OAuth2PermissionGrant();
$requestBody->setClientId('b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94');
$requestBody->setConsentType('Principal');
$requestBody->setResourceId('7ea9e944-71ce-443d-811c-71e8047b557a');
$requestBody->setPrincipalId('3fbd929d-8c56-4462-851e-0eb9a7b3a2a5');
$requestBody->setScope('User.Read.All Group.Read.All');

$result = $graphServiceClient->oauth2PermissionGrants()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	clientId = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"
	consentType = "Principal"
	resourceId = "7ea9e944-71ce-443d-811c-71e8047b557a"
	principalId = "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
	scope = "User.Read.All Group.Read.All"
}

New-MgOauth2PermissionGrant -BodyParameter $params


from msgraph import GraphServiceClient
from msgraph.generated.models.o_auth2_permission_grant import OAuth2PermissionGrant

graph_client = GraphServiceClient(credentials, scopes)

request_body = OAuth2PermissionGrant(
	client_id = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
	consent_type = "Principal",
	resource_id = "7ea9e944-71ce-443d-811c-71e8047b557a",
	principal_id = "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
	scope = "User.Read.All Group.Read.All",
)

result = await graph_client.oauth2_permission_grants.post(request_body)

虽然前面的请求代表单个用户授予同意，但你可以选择代表租户中的所有用户授予同意。请求正文类似于上一个请求正文，但有以下更改：

consentType 为 AllPrincipals，表示你代表租户中的所有用户同意。
principalId 属性未提供，也可以是 null。

代表所有用户授予同意的示例请求正文如下所示：

POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants
Content-Type: application/json

{
    "clientId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
    "consentType": "AllPrincipals",
    "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",
    "scope": "User.Read.All Group.Read.All"
}

响应

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#oauth2PermissionGrants/$entity",
    "clientId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
    "consentType": "Principal",
    "id": "47nZsM8O_UuNq5Jz3QValETpqX7OcT1EgRxx6AR7VXqdkr0_VoxiRIUeDrmns6Kl",
    "principalId": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
    "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",
    "scope": "User.Read.All Group.Read.All"
}

如果向租户中的所有用户授予同意，则响应对象中的 consentType 将是 AllPrincipals， principalId 将为 null。

确认权限授予

若要确认代表用户分配给服务主体的委托权限，请运行以下请求。

请求

GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Oauth2PermissionGrants.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'";
});


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc oauth2-permission-grants list --filter "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'"



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphoauth2permissiongrants "github.com/microsoftgraph/msgraph-sdk-go/oauth2permissiongrants"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



requestFilter := "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'"

requestParameters := &graphoauth2permissiongrants.Oauth2PermissionGrantsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
}
configuration := &graphoauth2permissiongrants.Oauth2PermissionGrantsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

oauth2PermissionGrants, err := graphClient.Oauth2PermissionGrants().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

OAuth2PermissionGrantCollectionResponse result = graphClient.oauth2PermissionGrants().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'";
});


const options = {
	authProvider,
};

const client = Client.init(options);

let oauth2PermissionGrants = await client.api('/oauth2PermissionGrants')
	.filter('clientId eq \'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94\' and principalId eq \'3fbd929d-8c56-4462-851e-0eb9a7b3a2a5\' and consentType eq \'Principal\'')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Oauth2PermissionGrants\Oauth2PermissionGrantsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new Oauth2PermissionGrantsRequestBuilderGetRequestConfiguration();
$queryParameters = Oauth2PermissionGrantsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'";
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->oauth2PermissionGrants()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Identity.SignIns

Get-MgOauth2PermissionGrant -Filter "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'"


from msgraph import GraphServiceClient
from msgraph.generated.oauth2_permission_grants.oauth2_permission_grants_request_builder import Oauth2PermissionGrantsRequestBuilder

graph_client = GraphServiceClient(credentials, scopes)

query_params = Oauth2PermissionGrantsRequestBuilder.Oauth2PermissionGrantsRequestBuilderGetQueryParameters(
		filter = "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'",
)

request_configuration = Oauth2PermissionGrantsRequestBuilder.Oauth2PermissionGrantsRequestBuilderGetRequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.oauth2_permission_grants.get(request_configuration = request_configuration)

响应

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#oauth2PermissionGrants",
    "value": [
        {
            "clientId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
            "consentType": "Principal",
            "id": "47nZsM8O_UuNq5Jz3QValETpqX7OcT1EgRxx6AR7VXqdkr0_VoxiRIUeDrmns6Kl",
            "principalId": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
            "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",
            "scope": "User.Read.All Group.Read.All"
        }
    ]
}

步骤 3：撤销代表用户授予服务主体的委托权限 [可选]

如果已代表用户向服务主体授予多个委派权限授予，则可以选择撤销特定授权或所有授权。使用此方法可删除和撤销已分配给 Graph 资源管理器的委托权限的许可。

若要撤销一个或多个授权，请对 oauth2PermissionGrant 对象运行 PATCH 请求，并仅指定要保留在 scope 参数中的委托权限。
若要撤销所有授权，请对 oauth2PermissionGrant 对象运行 DELETE 请求。

请求

以下请求撤销所有权限授予，并仅 User.Read.All 保留权限授予。将删除权限，并撤销以前授予的同意。

PATCH https://graph.microsoft.com/v1.0/oauth2PermissionGrants/47nZsM8O_UuNq5Jz3QValETpqX7OcT1EgRxx6AR7VXqdkr0_VoxiRIUeDrmns6Kl
Content-Type: application/json

{
    "scope": "User.Read.All"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new OAuth2PermissionGrant
{
	Scope = "User.Read.All",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Oauth2PermissionGrants["{oAuth2PermissionGrant-id}"].PatchAsync(requestBody);


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc oauth2-permission-grants patch --o-auth2-permission-grant-id {oAuth2PermissionGrant-id} --body '{\
    "scope": "User.Read.All"\
}\
'



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewOAuth2PermissionGrant()
scope := "User.Read.All"
requestBody.SetScope(&scope) 

oauth2PermissionGrants, err := graphClient.Oauth2PermissionGrants().ByOAuth2PermissionGrantId("oAuth2PermissionGrant-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

OAuth2PermissionGrant oAuth2PermissionGrant = new OAuth2PermissionGrant();
oAuth2PermissionGrant.setScope("User.Read.All");
OAuth2PermissionGrant result = graphClient.oauth2PermissionGrants().byOAuth2PermissionGrantId("{oAuth2PermissionGrant-id}").patch(oAuth2PermissionGrant);


const options = {
	authProvider,
};

const client = Client.init(options);

const oAuth2PermissionGrant = {
    scope: 'User.Read.All'
};

await client.api('/oauth2PermissionGrants/47nZsM8O_UuNq5Jz3QValETpqX7OcT1EgRxx6AR7VXqdkr0_VoxiRIUeDrmns6Kl')
	.update(oAuth2PermissionGrant);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\OAuth2PermissionGrant;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new OAuth2PermissionGrant();
$requestBody->setScope('User.Read.All');

$result = $graphServiceClient->oauth2PermissionGrants()->byOAuth2PermissionGrantId('oAuth2PermissionGrant-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	scope = "User.Read.All"
}

Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $oAuth2PermissionGrantId -BodyParameter $params


from msgraph import GraphServiceClient
from msgraph.generated.models.o_auth2_permission_grant import OAuth2PermissionGrant

graph_client = GraphServiceClient(credentials, scopes)

request_body = OAuth2PermissionGrant(
	scope = "User.Read.All",
)

result = await graph_client.oauth2_permission_grants.by_o_auth2_permission_grant_id('oAuth2PermissionGrant-id').patch(request_body)

响应

HTTP/1.1 204 No Content

请求

以下请求将代表用户撤销对服务主体的所有权限授予。

DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/47nZsM8O_UuNq5Jz3QValETpqX7OcT1EgRxx6AR7VXqdkr0_VoxiRIUeDrmns6Kl


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Oauth2PermissionGrants["{oAuth2PermissionGrant-id}"].DeleteAsync();


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc oauth2-permission-grants delete --o-auth2-permission-grant-id {oAuth2PermissionGrant-id}



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



graphClient.Oauth2PermissionGrants().ByOAuth2PermissionGrantId("oAuth2PermissionGrant-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.oauth2PermissionGrants().byOAuth2PermissionGrantId("{oAuth2PermissionGrant-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/oauth2PermissionGrants/47nZsM8O_UuNq5Jz3QValETpqX7OcT1EgRxx6AR7VXqdkr0_VoxiRIUeDrmns6Kl')
	.delete();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->oauth2PermissionGrants()->byOAuth2PermissionGrantId('oAuth2PermissionGrant-id')->delete()->wait();


Import-Module Microsoft.Graph.Identity.SignIns

Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $oAuth2PermissionGrantId


from msgraph import GraphServiceClient

graph_client = GraphServiceClient(credentials, scopes)


await graph_client.oauth2_permission_grants.by_o_auth2_permission_grant_id('oAuth2PermissionGrant-id').delete()

响应

HTTP/1.1 204 No Content

总结

你已向服务主体授予 (或范围) 委派权限。这种使用 Microsoft Graph 授予权限的方法是交互式许可的替代方法，应谨慎使用。

以编程方式授予或撤销 API 权限

先决条件

步骤 1：获取资源服务主体的 appRoles

请求

响应

步骤 2：向客户端服务主体授予应用角色

请求

响应

确认应用角色分配

请求

响应

步骤 3：从客户端服务主体撤消应用角色分配

请求

响应

总结

先决条件

步骤 1：获取资源服务主体的委托权限

请求

响应

步骤 2：代表用户向客户端服务主体授予委托权限

请求

响应

确认权限授予

请求

响应

步骤 3：撤销代表用户授予服务主体的委托权限 [可选]

请求

响应

请求

响应

总结

反馈

反馈

其他资源

以编程方式授予或撤销 API 权限

先决条件

步骤 1：获取资源服务主体的 appRoles

请求

响应

步骤 2：向客户端服务主体授予应用角色

请求

响应

确认应用角色分配

请求

响应

步骤 3：从客户端服务主体撤消应用角色分配

请求

响应

总结

相关内容

先决条件

步骤 1：获取资源服务主体的委托权限

请求

响应

步骤 2：代表用户向客户端服务主体授予委托权限

请求

响应

确认权限授予

请求

响应

步骤 3：撤销代表用户授予服务主体的委托权限 [可选]

请求

响应

请求

响应

总结

相关内容

反馈

反馈

其他资源