Resolve Microsoft Graph authorization errors

Authorization errors can occur as a result of several different issues, most of which generate a 403 error (with a few exceptions). For example, the following can all lead to authorization errors:

Steps to resolve common errors

To resolve common authorization errors, try the steps described for the error that most closely matches the error you're getting. More than one error might apply. You can also check the answers already available on Stack Overflow for 401 errors and 403 errors. If you can't find a solution to your problem, ask a new question on Stack Overflow and tag it with microsoft-graph.

401 Unauthorized error: Is your token valid?

Make sure that your application is presenting a valid access token to Microsoft Graph as part of the request. This error often means that the access token is missing from the HTTP Authorization request header, or that the token is invalid or has expired. We strongly recommend that you use the Microsoft Authentication Library (MSAL) for access token acquisition. Additionally, this error may occur if you try to use a delegated access token granted to a personal Microsoft account to access an API that only supports work or school accounts (organizational accounts).

403 Forbidden error: Have you chosen the right set of permissions?

Verify that you have requested the correct set of permissions based on the Microsoft Graph APIs your app calls. The least privileged permissions that we recommend are provided in all the Microsoft Graph API method reference topics. Additionally, those permissions must be granted to the application by a user or an administrator. Granting permissions normally happens through a consent page or by granting permissions using the Azure Portal application registration blade. From the Settings blade for the application, click Required Permissions, and then click Grant Permissions.

403 Forbidden error: Did your app acquire a token to match the chosen permissions?

Make sure that the type of permissions requested or granted matches the type of access token that your app acquires. You might be requesting and granting application permissions but using delegated interactive code flow tokens instead of client credential flow tokens, or requesting and granting delegated permissions but using client credential flow tokens instead of delegated code flow tokens.

403 Forbidden error: Resetting password

Currently, there are no application (daemon, service-to-service) permissions that allow resetting user passwords. These APIs are only supported using the interactive delegated code flows with a signed-in administrator.

403 Forbidden: Does the user have access and are they licensed?

For delegated code flows, Microsoft Graph evaluates whether the request is allowed based on the permissions granted to the app and the permissions that the signed-in user has. Generally, this error indicates that the user is not privileged enough to perform the request or the user is not licensed for the data being accessed. Only users with the required permissions or licenses can make the request successfully.

403 Forbidden: Did you select the correct resource API?

API services like Microsoft Graph check that the aud claim (audience) in the received access token matches the value they expect for themselves, and if it does not, the result is a 403 Forbidden error. A common mistake that causes this error is trying to use a token acquired for Azure AD Graph APIs, Outlook APIs, or SharePoint/OneDrive APIs to call Microsoft Graph (or vice versa). Ensure that the resource (or scope) your app is acquiring a token for matches the API that the app is calling.
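The token checks in the three sections above (expiry, aud, delegated scp versus app-only roles) can be triaged offline by inspecting the access token's claims. The following is an added diagnostic helper, not code from the Microsoft Graph documentation; it assumes the well-known Graph audience values `https://graph.microsoft.com` and the app id `00000003-0000-0000-c000-000000000000`, and it only reads the payload without verifying the signature, so it is for troubleshooting, never for making authorization decisions.

```python
import base64
import json
import time
from typing import List, Optional

# Well-known audience values for Microsoft Graph (assumption; not stated on this page).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Read a JWT payload for diagnostics only. The signature is NOT verified here;
    Microsoft Graph performs the real validation, so never authorize on this result."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def triage_token(token: str, now: Optional[float] = None) -> List[str]:
    """Map the token's claims onto the checklist above and return the likely causes."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    if claims.get("exp", 0) <= now:
        findings.append("401: token expired (acquire a fresh token via MSAL)")
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"403: aud {claims.get('aud')!r} is not Microsoft Graph (wrong resource API)")
    has_scp, has_roles = "scp" in claims, "roles" in claims
    if has_scp and not has_roles:
        findings.append("delegated token (scp): application permissions will not apply")
    elif has_roles and not has_scp:
        findings.append("app-only token (roles): delegated permissions will not apply")
    elif not has_scp and not has_roles:
        findings.append("403: neither scp nor roles present, no Graph permission was granted")
    return findings


def make_test_token(payload: dict) -> str:
    """Build a constructed token for offline demonstration; the signature segment is a
    placeholder, so this token would be rejected by any real API."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder"
```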

400 Bad Request or 403 Forbidden: Does the user comply with their organization's conditional access (CA) policies?

Based on an organization's CA policies, a user accessing Microsoft Graph resources via your app might be challenged for additional information that is not present in the access token your app originally acquired. In this case, your app receives a 400 with an interaction_required error during access token acquisition, or a 403 with an insufficient_claims error when calling Microsoft Graph. In both cases, the error response contains additional information that can be presented to the authorize endpoint to challenge the user for additional information (like multi-factor authentication or device enrollment).
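To act on the 403 insufficient_claims case, an app has to pull the claims challenge out of the response and hand it back to the authorization flow. The helper below is an added example, not code from the Microsoft Graph documentation; it assumes the challenge arrives as a base64-encoded `claims` parameter in the `WWW-Authenticate` header alongside `error="insufficient_claims"`, and the sample header it parses is constructed here.

```python
import base64
import json
import re
from typing import Optional

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(www_authenticate: str) -> Optional[dict]:
    """Return the decoded claims-challenge JSON from a 403 WWW-Authenticate header,
    or None when the header does not carry an insufficient_claims challenge."""
    params = dict(_PARAM_RE.findall(www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    # The challenge is base64 (padding may be stripped); restore it before decoding.
    decoded = base64.b64decode(raw + "=" * (-len(raw) % 4))
    return json.loads(decoded)


def build_sample_header(challenge: dict) -> str:
    """Construct a sample WWW-Authenticate header in the shape Graph uses for a CA
    challenge (constructed for this example; the challenge content is made up)."""
    encoded = base64.b64encode(json.dumps(challenge).encode()).decode()
    return (
        'Bearer realm="", '
        'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
        f'error="insufficient_claims", claims="{encoded}"'
    )
```

The decoded dictionary, serialized back to JSON, is what you pass to MSAL's `claims_challenge` parameter when re-acquiring the token so the user is prompted for the missing factor or device registration.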