Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
292 views
in Technique[技术] by (71.8m points)

office365 - Can't update profilePhoto with Microsoft Graph API

I'm able to retrieve profile photos just fine, but run into ErrorAccessDenied when trying to update photos. According to this:

https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/profilephoto_update

The User.ReadWrite permission should be sufficient. I have assigned my application this privilege using manage.windowsazure.com (and also tried granting all kinds of other privileges), but still get the error. Here's the current set of privileges I've granted to the app:

Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All email Group.Read.All Group.ReadWrite.All MailboxSettings.ReadWrite offline_access profile User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All

I'm obtaining the Bearer token with the client_credentials flow as follows:

curl -d grant_type=client_credentials 
     -d client_id=CLIENT_ID 
     -d client_secret=CLIENT_SECRET
     -d resource=https://graph.microsoft.com 
     https://login.microsoftonline.com/DOMAINNAME/oauth2/token

I then try to update the profile photo like this:

curl -H "Authorization: Bearer BEARERTOKEN" 
     --request PATCH 
     -H "Content-Type: image/jpeg" 
     -d @photo.jpg
     https://graph.microsoft.com/v1.0/users/USERPRINCIPALNAME/photo/$value

And I get the following error:

{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "REQUESTID",
      "date": "2016-05-23T16:42:21"
    }
  }
}
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

It looks like you listed delegated permissions configured for your app, but retrieved the token using the client credentials flow, which uses separate application permissions. As per the documentation page that you referenced the scope required to update user profile photo is User.ReadWrite. This can't be done with the app-only scopes, including User.ReadWrite.All. User photo can be updated using the Authorization Code Grant Flow (see https://graph.microsoft.io/en-us/docs/authorization/app_authorization)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...