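We are calling an MS Graph API endpoint that requires the metered API to be enabled (for example, assignSensitivityLabel). The Microsoft.GraphServices/accounts resource for our application has been created according to the documentation. When we use the client credentials flow, the call works fine, but if we use the on-behalf-of flow, it returns a 402 Payment Required error.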
In both flows, we pass the application ID as client_id and set the scope to https://graph.microsoft.com/.default.
The application token has the following claims:
{
"aud": "https://graph.microsoft.com/.default",
"iss": "https://sts.windows.net/{tenantId}/",
"idp": "https://sts.windows.net/{tenantId}/",
"appid": "{applicationId}",
"idtyp": "app",
"roles": [
"Sites.Selected",
"Sites.ReadWrite.All",
"Mail.Send"
],
"tid": "{tenandId}"
}
User token:
{
"aud": "https://graph.microsoft.com/.default",
"iss": "https://sts.windows.net/{tenantId}/",
"idp": "https://sts.windows.net/{tenantId}/",
"appid": "{applicationId}",
"idtyp": "user",
"scp": "Group.Read.All Sites.ReadWrite.All Sites.Selected User.Read User.Read.All profile openid email",
"tid": "{tenandId}"
}
When called with the user JWT, the assignSensitivityLabel endpoint returns this error:
{
"error": {
"code": "paymentRequired",
"message": "Payment Required. Ensure that your application is able to call this premium API.For details see https://aka.ms/graph-metered-overview"
}
}
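Interestingly, we are able to call https://{tenantId}.sharepoint.com/_api/v2.1/drives/{driveId}/items/{itemId}/setSensitivityLabel using a user JWT that we obtained through the on-behalf-of flow specifically for the SharePoint API. That call does not return any error.
Any ideas on how to make it work with the on-behalf-of flow?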
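
You must be using a public client. As per the docs, this is a metered API, and quoting the Metered API Graph APIs Graph documentation:
The following restrictions apply to metered APIs: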
The target application must be a confidential client application (for example, web application, web API, or daemon/service). Public client applications (desktop and mobile applications) aren't supported.
I suggest you create a feature request at this link.
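
Added example, not part of the original question or answer: a diagnostic that decodes a token's claims and reports whether it is app-only or delegated (`idtyp`, `roles`/`scp`) and how the client authenticated (`appidacr` in v1.0 tokens, `azpacr` in v2.0 tokens; `0` is a public client, `1` a client secret, `2` a certificate), which is the property the quoted restriction is about. The sample tokens are constructed and their `appidacr` values are assumptions, since the question does not show that claim.

```python
import base64
import json

# Values of the appidacr (v1.0 tokens) / azpacr (v2.0 tokens) claim.
CLIENT_AUTH = {"0": "public client", "1": "client secret", "2": "client certificate"}


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.
    For diagnostics only: never base an authorization decision on this."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(jwt: str) -> dict:
    claims = decode_claims(jwt)
    # idtyp is an optional claim; fall back to scp/roles when it is absent.
    idtyp = claims.get("idtyp") or ("user" if "scp" in claims else "app")
    acr = claims.get("appidacr", claims.get("azpacr"))
    return {
        "flow": "app-only" if idtyp == "app" else "delegated",
        "permissions": claims.get("roles", []) if idtyp == "app"
                       else claims.get("scp", "").split(),
        "client_auth": CLIENT_AUTH.get(str(acr), "unknown"),
        "confidential_client": str(acr) in ("1", "2"),
    }


def _make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples modelled on the two tokens in the question; the
# appidacr values are assumptions, the question does not show that claim.
APP_TOKEN = _make_sample({"idtyp": "app", "appidacr": "1",
                          "roles": ["Sites.Selected", "Sites.ReadWrite.All", "Mail.Send"]})
USER_TOKEN = _make_sample({"idtyp": "user", "appidacr": "0",
                           "scp": "Sites.ReadWrite.All User.Read"})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, describe_token(tok))
```

Running it against the real on-behalf-of token shows which client authentication method the middle-tier service actually used when it exchanged the user's token.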