azuregraphazure-active-directorymicrosoft-entra-id
"Insufficient privileges to complete the operation" on EmployeeExperience.LearningProviders.GetAsync()
I need to get (and eventually create) the LearningProvider(s) in a certain Azure Tenant. The creation is done by this call in C#:
var options = new OnBehalfOfCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};
var onBehalfOfCredential = new OnBehalfOfCredential(tid, AppClientId, AppClientSecret, jwt, options);
var client = new GraphServiceClient(onBehalfOfCredential, scopes);
var learningProviders = await client.EmployeeExperience.LearningProviders.GetAsync();
Where:
- tid: Logged user Tenant ID
- AppClientId/Secret: The registered App Id/Secret
- jwt: The logget user JWT token
The error which returns when I try to get the LearningProviders is:
Microsoft.Graph.Models.ODataErrors.MainError
Code: forbidden
Error: Insufficient privileges to complete the operation.
I have the following permissions in the register app:
Solution
The error "Forbidden" usually occurs if the signed-in user does not have required permissions or roles to perform the operation.
Initially, I too got same error when I ran your code in my environment with same permissions:
To work with learning providers, logged in user need either Global Admin or Knowledge Admin role, along with LearningProvider.ReadWrite permission of Delegated type.
In my case, I assigned Knowledge Administrator role to the logged in user like this:
When I ran the code again now after assigning above role, I got the response successfully with learning provider details like this:
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models.ODataErrors;
var scopes = new[] { "https://graph.microsoft.com/.default" };
var tid = "xxxxxxx";
var AppClientId = "xxxxxxx";
var AppClientSecret = "xxxxxxx";
var options = new OnBehalfOfCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
};
var jwt = "xxxxxxxxxxx";
var onBehalfOfCredential = new OnBehalfOfCredential(
tid, AppClientId, AppClientSecret, jwt, options);
var client = new GraphServiceClient(onBehalfOfCredential, scopes);
try
{
var learningProviders = await client.EmployeeExperience.LearningProviders.GetAsync();
foreach (var provider in learningProviders.Value)
{
Console.WriteLine($"Learning Provider ID: {provider.Id}");
Console.WriteLine($"Learning Provider Name: {provider.DisplayName}");
Console.WriteLine($"Login Web Url: {provider.LoginWebUrl}");
Console.WriteLine();
}
}
catch (ODataError odataError)
{
Console.WriteLine($"Code: {odataError.Error.Code}");
Console.WriteLine($"Error: {odataError.Error.Message}");
}
Response:
Reference: Permissions required to manage learningProvider - Microsoft Graph
- Creating multiple function apps with one Flex Consumption plan
- ASP.NET Core Authorization with Microsoft Entra ID
- How to get client IP address in Azure Functions C#?
- unable to StartCopyFromUriAsync a blob between 2 storage accounts
- MSgraph cannot find string in attachment value using Azure Automation
- Visual Studio 2022 caches old tenant id, can't get rid of it
- Msgraph-sdk-python get sharepoint site id from name
- using multiple storage accounts locally using azurite at the same time
- Adding Graph API application permission via Terraform shows corrupted IDs instead of scope names
- Azure DevOps Wiki page usage analytics
- How to fix worker runtime metadata for Azure .net8 isolated worker model functions?
- Download attachment content using Microsoft Graph API using Java
- Is it possible to assign a Power BI Pro License to an Azure Service Principal? Deploy .bim in PBI Service without Premium Workspace
- How to grant permissions to my application to use Microsoft Fabric services?
- Azure Devops Pipeline trigger from a different repo does not work
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Azure VM metadata missing / emtpy publicIpAddress
- Python: List containers in the Azure Data Lake Storage
- azure blob storage account - log file is not generated as per setup
- SAS token mismatch on Azure DPS with Azure IoT Edge
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How can I set the MQTT keepalive in the Azure IoTHub C SDK?
- AzureWebJobsStorage Managed Identity not working
- Resource move is not supported for resource types 'microsoft.visualstudio/account'
- Invalid configuration value detected for fs.azure.account.key with com.crealytics:spark-excel
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- terraform azure application gateway recreated when add new rule
- Can't add libraries to function_app.py in azure Function
- Azure AI Translation - No document found in source with the given path and filters
- How to make Visible the Keys/Passwords in CosmosDB connection string - Azure