TeknoVenus

Reputation: 187

Microsoft Graph - 401, Unknown Error for /beta/education/classes/

I am trying to make a request to the Microsoft Graph beta education endpoint to get a list of assignments for a class.

The request being made is:

/beta/education/classes/{class-id}/assignments

I set up the permission in Azure AD for reading assignments and the roster, and granted them.

I get an access token using client credentials using ADAL.NET, and the token seems to have the correct application permissions to read assignments:

{
  "aud": "https://graph.microsoft.com/",
  "iss": "https://sts.windows.net/5cf890b2-6a94-452f-8c29-9f7365b68ba0/",
  "iat": 1520000639,
  "nbf": 1520000639,
  "exp": 1520004539,
  "aio": "...",
  "app_displayname": "...",
  "appid": "...",
  "appidacr": "1",
  "e_exp": 262800,
  "idp": "https://sts.windows.net/5cf890b2-6a94-452f-8c29-9f7365b68ba0/",
  "oid": "bd0154f3-2626-40c1-82a5-39bc8879729c",
  "roles": [
    "EduRoster.Read.All",
    "EduAdministration.Read.All",
    "EduRoster.ReadBasic.All",
    "EduAssignments.Read.All"
  ],
  "sub": "...",
  "tid": "...",
  "uti": "...",
  "ver": "1.0"
}

However, looking in Fiddler, when I make a request with the token, it returns 401 unauthorized with the following body:

{
  "error": {
    "code": "UnknownError",
    "message": "",
    "innerError": {
      "request-id": "bf6cd2e1-53a6-472a-b038-2b035eb8f7db",
      "date": "2018-03-02T14:41:41"
    }
  }
}

It seems to only be that endpoint that I can't access, as /v1.0/education/users/{user-id}/classes works correctly and returns the right response.

Edit

It seems that endpoint doesn't allow Application permissions for some reason, despite the permissions seemingly being applicable. I assume that ability is coming in the future.

I have tried moving back to using delegated permissions. This time, the scp's look as follows:

"scp": "AllSites.Read Calendars.Read Contacts.Read Directory.Read.All EduAdministration.Read EduAssignments.ReadWrite EduRoster.Read EduRoster.ReadBasic email Files.Read full_access_as_user Group.Read.All Mail.Read MyFiles.Read Notes.Read Notes.Read.All Notes.ReadWrite.CreatedByApp profile Sites.Read.All Sites.Search.All Tasks.Read TermStore.Read.All User.Read User.Read.All User.ReadBasic.All"

The EduAssignments permissions are granted. The request now returns 403:

{
  "error": {
    "code": "",
    "message": "Access denied.",
    "innerError": {
      "request-id": "02f6d0d4-8867-4e43-94a4-d29f3a1e03f7",
      "date": "2018-03-02T20:47:06"
    }
  }
}

According to the docs, this seems to be by design. The permissions only allow users to access assignments from classes they are a member of. If I add myself to a class, then I can view its assignments.

However, what I want is the ability to view the assignments of any class, not just ones I am a member of. From the permissions reference, there are application permissions designed to do what I want:

EduAssignments.Read.All: Read class assignments with grades. Allows the app to read assignments and their grades for all users.

However, that endpoint simply doesn't support them.

Upvotes: 4

Views: 489

Answers (1)

juunas

Reputation: 58853

Based on the documentation, you can't call that endpoint with app permissions. It needs to be a delegated call under a user identity.

Application: Not supported.

The reason you can call /v1.0/education/users/{user-id}/classes is because it allows Application-only calls with roles:

EduRoster.Read.All, EduRoster.ReadWrite.All

And you have one of those, so that succeeds.

Upvotes: 2
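
An added example, not part of the original question or answer: a diagnostic that decodes a Graph access token, tells app-only (`roles`) from delegated (`scp`), and checks it against the permission types an endpoint accepts. The permission table and all function names are assumptions built only from values on this page, and the tokens are constructed and unsigned.

```python
import base64
import json

# Assumption: table transcribed from this page only; each endpoint's
# documentation holds the authoritative permission list.
ENDPOINT_PERMISSIONS = {
    "/beta/education/classes/{class-id}/assignments": {
        "application": set(),  # app-only "Not supported" per the answer
        "delegated": {"EduAssignments.ReadWrite"},  # scope held in the question
    },
    "/v1.0/education/users/{user-id}/classes": {
        "application": {"EduRoster.Read.All", "EduRoster.ReadWrite.All"},
        # delegated permissions are not stated on the page, so no entry
    },
}

def decode_claims(token):
    """Decode the JWT payload for diagnostics only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims):
    """App-only tokens carry a 'roles' array, delegated tokens a space-separated 'scp'."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))

def diagnose(token, endpoint):
    """Report which permissions in the token the endpoint can actually honour."""
    kind, granted = granted_permissions(decode_claims(token))
    accepted = ENDPOINT_PERMISSIONS[endpoint].get(kind)
    if accepted is None:  # the page does not say; no verdict possible
        return {"kind": kind, "supported": None, "usable": []}
    return {"kind": kind, "supported": bool(accepted),
            "usable": sorted(granted & accepted)}

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed tokens mirroring the two claim sets shown in the question.
APP_TOKEN = make_sample_token({"roles": ["EduRoster.Read.All", "EduAssignments.Read.All"]})
USER_TOKEN = make_sample_token({"scp": "EduAssignments.ReadWrite EduRoster.Read User.Read"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        for ep in ENDPOINT_PERMISSIONS:
            print(name, ep, diagnose(tok, ep))
```

A delegated token with a usable scope can still receive the 403 described in the question when the signed-in user is not a member of the class; that check happens on the service side and is not visible in the token.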
