I have an Azure App that calls Yammer's Network Data Export API. The app uses an OAuth token with Yammer's user_impersonation permission to call the API. However, for one specific client, the Export API has been returning a 401 unauthorized error with the message `Requested export of model MessageVersion not allowed for user <userId>`. There are also times when the API call succeeds with no issue at all.
I have confirmed with the client that the user who authorized the app is a Global administrator/Verified Admin. Nevertheless, I used the same token to fetch the authorizing user's details and found that whenever the export API returns 401 unauthorized, the verified admin was false (which makes sense given that we need a verified admin to export data).
Request
```
GET https://www.yammer.com/api/v1/users/<userId>.json
Authorization: Bearer <token>
```
Response
I'm having difficulty understanding how the user role undergoes changes (verified admin=true to false), which cause the API to return a 401 unauthorized error. Could it be some custom Azure policy in the client's tenant? Not sure if something like that is even possible.
Upon decoding the OAuth token I found that there are a few more additional claims than what I have for my dev account. Do these claims indicate anything regarding such Azure policies?
```
...
"amr": [
  "pwd",
  "rsa",
  "mfa"
],
"scp": "user_impersonation",
"signin_state": [
  "dvc_mngd",
  "dvc_cmp"
],
...
```
