Create class notebook fails if group contains disabled users, even if teacher, student sections of create call is empty - onenote-api

Here is the scenario to reproduce the error:
1. Take a Microsoft Education Tenant (Demo Tenant is sufficient)
2. Create a fresh user with valid Office 365 license and usage location
3. Disable the account (set block sign-in to true) in Azure Portal
4. Create a group and add this user as member

That's the minimum scenario we need. It is also possible to have other (enabled) users within the group, but that doesn't change the behaviour. Now let's follow the documentation to create a class notebook:

    POST https://www.onenote.com/api/v1.0/myOrganization/groups/{groupId}/notes/classNotebooks/?omkt=de-de
    {
        "name": "Class notebook of my group",
        "teachers": [],
        "students": [],
        "studentSections": [],
        "hasTeacherOnlySectionGroup": true
    }

So, the unified group has just one member with a disabled account, but this specific user is NOT added into the teachers or students section of the create request. Nevertheless the following error message occurs:

    System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (NotFound).
    {
        "error": {
            "code": "30109",
            "message": "The following users are invalid: Message: Der angegebene Benutzer disabled.user#mydomain.com wurde nicht gefunden., ServerErrorCode: -2146232832, ServerErrorTypeName: Microsoft.SharePoint.SPException",
            "#api.url": "https://aka.ms/onenote-errors#C30109"
        }
    }

After getting the clarification from Marc, our current procedure is as follows:
1. Get a list of all disabled users.
2. Enable all of them.
3. Wait one minute (because Graph needs some time to propagate this).
4. Create the course notebook through OneNote API.
5. Disable all users from the initial list again.

With this everything works as expected.

The error message isn't clear, but Teachers maps to Owners and Students maps to Members. So even though you didn't specify this user in the students collection, they are a member of the Group and therefore they're considered part of the students collection.
When a 30109 error like this is encountered, the only workaround is to either iterate through the Owners and Members and remove any disabled accounts, or parse the message property for the UPN (disabled.user#mydomain.com). It is less than ideal, I know.
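
Both workarounds from the answer above, as an added example that is not part of the original posts: extract the UPN from a 30109 `message`, and split a member list into usable and blocked accounts so that no blocked sign-in has to be re-enabled. It assumes the error body shape shown in the question and member records carrying Microsoft Graph's `userPrincipalName` and `accountEnabled` properties; the helper names and all sample data are constructed.

```python
import json
import re

# A UPN-like token. The page shows '#' where a live tenant returns '@'
# (assumed to be a scrubbing artifact), so both separators are accepted.
UPN_RE = re.compile(r"[\w.+-]+[@#][\w-]+(?:\.[\w-]+)+")

# Constructed sample: the 30109 error body from the question above.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "30109",
    "message": "The following users are invalid: Message: Der angegebene "
               "Benutzer disabled.user#mydomain.com wurde nicht gefunden., "
               "ServerErrorCode: -2146232832, ServerErrorTypeName: "
               "Microsoft.SharePoint.SPException",
}})

# Constructed sample: group members with the Microsoft Graph user properties
# userPrincipalName and accountEnabled.
SAMPLE_MEMBERS = [
    {"userPrincipalName": "teacher.one@mydomain.com", "accountEnabled": True},
    {"userPrincipalName": "disabled.user@mydomain.com", "accountEnabled": False},
    {"userPrincipalName": "student.two@mydomain.com", "accountEnabled": True},
]

def _key(upn):
    return upn.replace("#", "@").lower()

def invalid_upns(error_body):
    """UPNs named in a OneNote 30109 error body; [] for anything else."""
    try:
        err = json.loads(error_body)["error"]
        if str(err["code"]) != "30109":
            return []
        # Match the address itself, not the localized sentence around it.
        return sorted({_key(u) for u in UPN_RE.findall(err["message"])})
    except (ValueError, KeyError, TypeError):
        return []

def split_members(members, flagged=()):
    """Partition member UPNs into (usable, blocked) without enabling anyone."""
    flagged = {_key(u) for u in flagged}
    usable, blocked = [], []
    for m in members:
        upn = m["userPrincipalName"]
        bad = m.get("accountEnabled") is False or _key(upn) in flagged
        (blocked if bad else usable).append(upn)
    return usable, blocked
```
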

Related

Azure DevOps - Unable to Create Var Group using Azure DevOps API and Auth Token

Requirements: We would like to create a Variable Group (along with some variables) in a given Project.
Option1: We are able to create a new Variable Group successfully when we create a request via Postman using PAT Token which has FULL access.
Option2: Our end goal is to invoke the ADO Rest API in the Web App which uses OAuth. When the end user logs in and makes a call (please see the input details below) we are getting '401 Un Authorized - The user is not authorized to access this resource.' error. The Web App's application has the Variable Groups manage scope as shown below.
TroubleShooting: As part of troubleshooting, for Option1 which uses PAT (with full access) in Postman, we have updated the permissions of the PAT to just have Create, Read and Manage Var Groups as shown below.
Now, even the Option1 is not working after making the PAT to have Custom Defined access.
Are we missing something?
Postman Details:
URL: https://dev.azure.com/myorgname/_apis/distributedtask/variablegroups?api-version=6.0-preview.2
Verb: Post
Headers: Authorization: Basic
Body:

    {
        "name": "This is ignored",
        "description": "This is ignored",
        "type": "Vsts",
        "variables": {
            "BuildConfiguration": {
                "value": "Release"
            }
        },
        "variableGroupProjectReferences": [
            {
                "name": "VarGroup",
                "description": "The variable group to store the information about the variables using in the Pipeline",
                "projectReference": {
                    "id": "#ProjectId#",
                    "name": "#ProjectName#"
                }
            }
        ]
    }

I can also reproduce your issue with option 1. Not only with Read, create, & manage for Variable Groups: even if I select all the scopes via Custom defined, it still does not work.
According to this doc - https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-full-scoped-pats
Some of our public APIs are currently unassociated with a PAT scope, and can therefore only be used with “full-scoped” PATs. Because of this, restricting the creation of full-scoped PATs might block some workflows. We're working to identify and document the affected APIs and eventually associate them with the appropriate scope. For now, these workflows can be unblocked by using the allow list.
I believe this should be the reason for this issue, there may be some additional permissions to create variable groups. For option 2, there may be a similar cause.
So in this case, you may need to use the Full access PAT temporarily, as mentioned in the doc: "We're working to identify and document the affected APIs and eventually associate them with the appropriate scope."

AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII does not exist in the xxx.onmicrosoft.com directory

I am trying to use the graph.microsoft.com APIs for inviting users to the AD account.
I was able to invite, but when I try to get the token using
https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token I am getting the above error.
I am using this key along with other required keys in the header.

    [{"key":"resource","value":"https://graph.microsoft.com","description":""}]

Can you please let me know what the issue is?
Complete log:

    {
        "error": "invalid_grant",
        "error_description": "AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII does not exist in the xxxxx.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 5537uiy4b-4473-4cfb-b45c-1281f61e2100\r\nCorrelation ID: 8121era7-8df4-47d5-8cc5-3d2f8371029b0\r\nTimestamp: 2019-02-26 11:04:46Z",
        "error_codes": [
            50034
        ],
        "timestamp": "2019-02-26 11:04:46Z",
        "trace_id": "5537db4b-4473-4cfb-b45c-1281f61e2100",
        "correlation_id": "812138a7-8df4-47d5-8cc5-3d2f8a1029b0"
    }

On my side, I have encountered this error before. For this error, you need to check the user account that you used: the user type must be member in your Azure AD tenant; it cannot be guest.

Workday: Put_Customer returning an error

We are using Snaplogic to load records into workday. Currently, extracting customer records from the source and trying to load them into workday using the object Put_Customer of web service Revenue_Management.
I was getting the following error:
But I'm not getting any category information from the source. So, I tried putting the value for Customer_Category_Reference as 1. But I ended up getting the following error.
The documentation for workday is not helpful and this has been a blocker for me for some time now.
Any help will be appreciated.
Update:
Trying to get customer categories using the Get_Customer_Categories object of Revenue_Management web service using Snaplogic. But getting the following error:
Failure: Soap fault, Reason: Processing error occurred. The task submitted is not authorized., Resolution: Address SOAP fault message and retry
Unfortunately I don't have access to a tenant at this time to validate. However, it is likely to work based on prior experience. Perhaps you could create a customer in Workday through the GUI. Then do a get customer API call. Note the category reference. Then, use that in your put customer call.
If you look at the API documentation, you will find that Put_Customer accepts a WID in the Customer_WWS_Data object. If you search for "Customer Categories" in Workday, you will likely find the report of the same name. Just select the category that you want your newly loaded customers to default to (click on the magnifying glass, then on the ellipsis, Integration Ids, View Ids). The Workday ID will appear at the top.
I have not used the Revenue Management API, but my code for creating a position reference in the Compensation API is probably very similar to what you need to do for the Customer Category reference:

    public static Position_ElementObjectType getPositionReference(string WID) {
        return new Position_ElementObjectType {
            ID = new Position_ElementObjectIDType[] {
                new Position_ElementObjectIDType {
                    type = "WID",
                    Value = WID
                }
            }
        };
    }

DocuSign: setting user permissions using REST APIs

For creating a group, a user and assigning the user to that group, I referred to this link: Add permission profile through API.
Using REST APIs I am able to do that, but the permission for the user is not getting set.
When I check in DocuSign, the group has the correct permission set but the same is not set for the user. Please let me know if I am missing anything.
Additional Information: This is the request I am sending:

    {
        "newUsers":[{
            "email":"'.$email.'",
            "userName":"'.$userName.'",
            "password":"'.$password.'",
            "groupList": [{
                "groupId": "'.$groupId.'",
                "groupName": "'.$groupName.'",
                "permissionProfileId": "'.$permissionId.'"
            }]
        }]
    }

Also, when a user is added to a group, permissions set at group level will be applied to the users. Is there something missing?
When you create a permission profile you use this endpoint:

    POST {vx}/accounts/{accountid}/permission_profiles

The response body for that endpoint should contain this info (I omitted some details from the response):

    {
        "permissionProfileId": "sample string 1",
        "permissionProfileName": "sample string 2",
        ...
    }

Once you have the permissionProfileId and permissionProfileName you should be able to assign that permission profile to a user using this endpoint:

    PUT {vx}/accounts/{accountid}/users/{userid}

and using the permissionProfileId and permissionProfileName in your request (I used dummy values here):

    {
        "permissionProfileId": "12345",
        "permissionProfileName": "SomeName"
    }

I hope that helps!
-Yadriel

Creating Group categories - D2L Valence

I am attempting to dynamically create a group category within a course using the following service:

    /d2l/api/lp/(version)/(orgUnitId)/groupcategories/ [POST]

The following is the GroupData (Group.GroupData in Create form) JSON block that I am sending to this service:

    {
        "Name": "New Group Category",
        "Description": {
            "Content": "",
            "Type": "HTML"
        },
        "EnrollmentStyle": 0,
        "EnrollmentQuantity": null,
        "AutoEnroll": false,
        "RandomizeEnrollments": false,
        "NumberOfGroups": 5,
        "MaxUsersPerGroup": null
    }

I am making the call with the user context of an administrative "Utility" account. I have 2 test courses, both of which I have confirmed I am able to create the category in through the web interface using this utility account.
My problem is I am having mixed results depending on the course that I try to create the category in. In one course the course returns 200-OK, in the other it returns 403-Forbidden.
Here are the (simplified) requests :
Call 1
/d2l/api/lp/1.4/350110/groupcategories/
Result: 403-Forbidden
Call 2
/d2l/api/lp/1.4/19988/groupcategories/
Result: 200-OK
The only difference is the OrgUnitID. Version, JSON, and user context are all the same, yet I'm getting 2 different results. I have tried with several other courses and again, I have success in some but not all; always receiving a 403 as the error.
After some investigation, I believe I have found 2 distinct differences between courses that are successful and those that return 403.
- Courses created just before April 2012 are successful, anything afterwards fails
- Courses with a 5 digit Org Unit ID are successful, anything with 6 digits seems to fail.

So my thoughts are we either applied a patch late March / early April of 2012 which somehow changed how courses are flagged on creation, OR somehow only 5 digits (or less?) Org IDs are being accepted by the service.
I'm hoping someone could provide some insight or verify they have no issue with 6+ digit OUIDs and group category creation.
Further reviewing the documentation on API Responses - Disposition and error handling I realized that there are 3 possible cases for a 403 response:
1. Response body contains Timestamp out of range
2. Response body contains Invalid Token
3. Application or calling user context does not have the permissions required for the attempted action

Given this, I took a closer look at the response header and realized the issue was actually #2 "Invalid Token", not #3 as I was assuming.
Investigating my code further, it seems the user defined SHA256 function I was using was producing an incorrect HASH/Signature when the data being hashed was exactly 55 characters long (yes, I realize how crazy this sounds). The temporary workaround is to pad my OrgIDs with leading zeros, so my request would actually look something similar to:

    /d2l/api/lp/1.4/00350110/groupcategories/

Thankfully, this seems to work, and is acceptable for the immediate future. The long term solution will be to replace my SHA256 function with something more reliable.
I am using ColdFusion 7MX for my development, which does not have a native SHA256 Hash function, hence the use of the user defined function.