Microsoft Graph API: EntitlementGrant being updated or deleted is not found [closed]

We have an AAD Application with several app roles and we assign those roles to users. A couple days ago, we started to receive errors on the Graph API when we try to delete certain assignments. The error looks like this:

    "error": {
      "code": "Request_BadRequest",
      "message": "EntitlementGrant being updated or deleted is not found.",
      "innerError": {
        "date": "2021-04-16T11:33:23",
        "request-id": "someguid",
        "client-request-id": "someguid"
      }
    }

This error only happens on certain assignments and not for all. Also, we are able to delete them through the AAD UI. We are using the REST endpoint to delete the app role assignments and not the SDK.

What we have done so far:

  • Changed from deprecated Azure AD Graph API to Microsoft Graph API
  • Changed from endpoint users/{id}/appRoleAssignments/{id} to servicePrincipals/{id}/appRoleAssignedTo/{id}
  • Issue is reproducible on 2 different Tenants / AADs
  • Tested also with SDK, same issue
  • Running the code locally works, but deployed on Azure throws the above-mentioned exception. Using the same Service Principal locally and on Cloud to do the removal.
  • Using AzureAd.Standard.Preview PowerShell module also works (with another Service Principal)

Any help is appreciated

Blocky answered 16/4, 2021 at 11:59 Comment(13)
I'm using the SDK. I had an app go through testing without issue and now in UAT it's acting crazy. Pointing my local at two different service principals under the same tenant and they both fail. I did confirm though it's not all users; I was able to find one that worked but who knows if it's a user issue or the API/SDK? - Canzonet
Based on your description, it seems to be an issue related to certain environment and service status. I suggest that you provide the real request-id and client-request-id so that any MS engineers who have access to the backend data can look into the request to see what happened. - Zettazeugma
Thanks for the feedback. I have opened a support request at MSFT today, will keep you posted. - Blocky
@Blocky - I am also running into the same issue. Posted a new question regarding the same: #67182543. Did you hear anything back from Microsoft support? - Rep
Raised an issue on GitHub as well: github.com/microsoftgraph/microsoft-graph-docs/issues/12385. - Rep
@GauravMantri unfortunately we did not hear anything from MSFT support yet. The request has been opened but no progress so far. We are about to escalate it today, so there is some progress on that site. - Blocky
@GauravMantri for us, existing app role assignments cannot be deleted anymore. Assigning an app role and immediately removing it again works without issues. So my suspicion is that there was some kind of migration that might cause a conflict. - Blocky
@Blocky - Please see this: github.com/microsoftgraph/msgraph-sdk-serviceissues/issues/60. I think there's an issue with the service itself. - Rep
@GauravMantri yes, I've actually created that issue :) - Blocky
@Blocky - LOL :). BTW, I solved this problem by deleting the enterprise application (and not app registration) and recreating it again. Not sure if this is a valid option for you. - Rep
@Blocky I don't think this is related specifically to the REST API: I'm using the Azure Portal and I'm getting exactly the same error when I try to remove an assigned role to the user of an Application! Works on some users, fails on some others... - Manhandle
@GauravMantri thanks for the hint, but we have over a thousand assignments on that application, so not really applicable for us. Also seen your latest comment, so it's probably not worth trying :). - Blocky
@StephaneEhret yes, you are right. We are also experiencing the same from the Azure AD UI. It seems to be a Service issue. See related GitHub issue: github.com/microsoftgraph/msgraph-sdk-serviceissues/issues/60 - Blocky
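
A triage helper for the failure discussed in this thread, added here as an example and not code from the posters or from Microsoft: it separates app role assignment deletions that succeeded (HTTP 204) from those that failed with the quoted error, and collects the request-id and client-request-id values a support case needs. The tuple input shape, the function names and the sample ids are assumptions; the sample body is wrapped in the outer braces of a complete Graph error response.

```python
import json

# Message text copied from the error quoted in the question.
ENTITLEMENT_GRANT_MSG = "EntitlementGrant being updated or deleted is not found."

def parse_graph_error(body):
    """Return the Graph "error" object from a response body, or {} if absent."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return {}
    err = doc.get("error") if isinstance(doc, dict) else None
    return err if isinstance(err, dict) else {}

def triage_deletes(results):
    """Bucket results of DELETE servicePrincipals/{id}/appRoleAssignedTo/{id}.
    results: iterable of (assignment_id, http_status, body) tuples; this shape
    is an assumption of the example, not a Graph SDK type.
    """
    report = {"revoked": [], "entitlement_grant_error": [], "other_failure": []}
    for assignment_id, status, body in results:
        if status == 204:  # success response for this DELETE (No Content)
            report["revoked"].append(assignment_id)
            continue
        err = parse_graph_error(body)
        inner = err.get("innerError")
        inner = inner if isinstance(inner, dict) else {}
        entry = {
            "assignment_id": assignment_id,
            "status": status,
            "code": err.get("code"),
            "request_id": inner.get("request-id"),
            "client_request_id": inner.get("client-request-id"),
            "date": inner.get("date"),
        }
        known = (err.get("code") == "Request_BadRequest"
                 and err.get("message") == ENTITLEMENT_GRANT_MSG)
        report["entitlement_grant_error" if known else "other_failure"].append(entry)
    return report

# Constructed sample input; ids and request ids are placeholders.
SAMPLE = [
    ("assignment-1", 204, ""),
    ("assignment-2", 400, json.dumps({"error": {
        "code": "Request_BadRequest", "message": ENTITLEMENT_GRANT_MSG,
        "innerError": {"date": "2021-04-16T11:33:23", "request-id": "req-placeholder",
                       "client-request-id": "client-placeholder"}}})),
    ("assignment-3", 503, "<html>Service Unavailable</html>"),
]
```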
