Symptoms
An attempt to change a Microsoft role fails with the following error:
Resource *** does not exist or one of its queried reference-property objects are not present
The following error is shown in the apilog:
2020-08-19 03:44:25,893 <4172> [ 16] DEBUG apilogger : Azure AD Graph API request GET url: 'https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/users/2decd3f5-6e1b-4029-8391-1d542ed5fd74/memberOf?api-version=1.6' Execution time: 156 ms Request headers: Accept:application/json X-Endpoint-Request-ID:83e2c427-3c1c-4669-a6be-b203668ad7eb Authorization:******** Host:graph.windows.net Request body: <<<EMPTY BODY>>> Response status code: '200', Response headers: Pragma:no-cache ocp-aad-diagnostics-server-name:2spmERui020U0wyPwT2WvmOHlKP53R5wAyXGA8Fut44= request-id:9c3356b0-f19b-4067-b8df-89cc5b871da9 client-request-id:48ac6cbd-7124-4cf0-87fc-6ceb9a4add66 x-ms-dirapi-data-contract-version:1.6 ocp-aad-session-key:7yTYKSSU-dLwOFB8hdpVSIDRJlhDRHr4CKn_GKqh4m7wTSgL99ZtOVN52Q4yZIXl3bp7xHphj9qnMcuKRWjn84uAVawLAxDRiIngNDauzK5xYYRPGK1EaJ4TUuZHVZTWevqPErmoOxnM1oTbMCw238fljsDfwdz0cO_9FkdHHcY.q8GcG4VAQB0xyBj6zg6ufn_XDeRQe_TdFUl_l-welj8 x-ms-resource-unit:2 DataServiceVersion:3.0; Strict-Transport-Security:max-age=31536000; includeSubDomains Access-Control-Allow-Origin:* Duration:1538697 Content-Length:755 Cache-Control:no-cache Content-Type:application/json; odata=minimalmetadata; streaming=true; charset=utf-8 Date:Wed, 19 Aug 2020 03:44:26 GMT Expires:-1 X-AspNet-Version:4.0.30319 X-Powered-By:ASP.NET Response body: { "value": [ { "description": "This is the default group for everyone in the network", "displayName": "All Company", "objectId": "5616753f-eef6-477d-9834-f0fa7d4a3c72", "objectType": "Group" } ], "odata.metadata": "https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/$metadata#directoryObjects" } 2020-08-19 03:44:25,956 <4172> [ 16] DEBUG apilogger : Azure AD Graph API request DELETE url: 'https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/directoryRoles/5616753f-eef6-477d-9834-f0fa7d4a3c72/$links/members/2decd3f5-6e1b-4029-8391-1d542ed5fd74?api-version=1.6' Execution time: 63 ms Request headers: Accept:application/json 
X-Endpoint-Request-ID:47cb535a-6619-47a9-9d96-1141e2956137 Authorization:******** Host:graph.windows.net Content-Length:0 Request body: <<<EMPTY BODY>>> Response status code: '404', Response headers: Pragma:no-cache ocp-aad-diagnostics-server-name:tWDIIdSCGARBB5OYDfQKsqACCwNKfN2rxs61RHwiK+E= request-id:6e44f67d-5112-45bc-a2e7-70230e1d81bb client-request-id:54e834c3-d969-458f-b999-554c5eaa6eda x-ms-dirapi-data-contract-version:1.6 ocp-aad-session-key:6kEDX14hbnw6DgfRRZJt5es_As9rqJ5aaQ5QiYBykax0A3zK7zoa1vGuH_MWx5jnFscSAVlRA1Tk4R_AzvCHLc0KKjH6WyCY1DA1G34WpMCJqRr4pe9TLzo_PrICIb4ErCxpCAwqBYuaK82TvMkGAblsqsmZY_6_43Dir14iB0Y.CZDMIhH0XacCSCjfWy9LwaxM2AXNVvrLcxEe3e2Md1o x-ms-resource-unit:1 DataServiceVersion:3.0; Strict-Transport-Security:max-age=31536000; includeSubDomains Access-Control-Allow-Origin:* Duration:493823 Content-Length:294 Cache-Control:no-cache Content-Type:application/json; odata=minimalmetadata; streaming=true; charset=utf-8 Date:Wed, 19 Aug 2020 03:44:27 GMT Expires:-1 X-AspNet-Version:4.0.30319 X-Powered-By:ASP.NET Response body: { "odata.error": { "date": "2020-08-19T03:44:27", "requestId": "6e44f67d-5112-45bc-a2e7-70230e1d81bb", "code": "Request_ResourceNotFound", "message": { "lang": "en", "value": "Resource '5616753f-eef6-477d-9834-f0fa7d4a3c72' does not exist or one of its queried reference-property objects are not present." } } }
Cause
Due to changes in the Azure AD Graph API made by Microsoft, an attempt to assign a role fails at the Microsoft 365 application level if the user has been added to a group on the Microsoft side.
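The pattern visible in the log above, where an objectId returned by memberOf with objectType "Group" is then used in a directoryRoles URL, can be searched for in an apilog. The following Python script is an added example, not part of the original article or of the product; the sample log is constructed with placeholder GUIDs and trimmed headers, and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the apilog layout shown above: placeholder GUIDs, headers trimmed.
SAMPLE_LOG = (
    "2020-01-01 00:00:00,000 <1> [ 1] DEBUG apilogger : Azure AD Graph API request GET url: "
    "'https://graph.windows.net/TENANT/users/00000000-0000-0000-0000-0000000000aa/memberOf"
    "?api-version=1.6' Request body: <<<EMPTY BODY>>> Response status code: '200', "
    'Response body: { "value": [ { "displayName": "All Company", '
    '"objectId": "00000000-0000-0000-0000-0000000000bb", "objectType": "Group" } ] } '
    "2020-01-01 00:00:00,100 <1> [ 1] DEBUG apilogger : Azure AD Graph API request DELETE url: "
    "'https://graph.windows.net/TENANT/directoryRoles/00000000-0000-0000-0000-0000000000bb"
    "/$links/members/00000000-0000-0000-0000-0000000000aa?api-version=1.6' "
    "Request body: <<<EMPTY BODY>>> Response status code: '404', "
    'Response body: { "odata.error": { "code": "Request_ResourceNotFound" } }'
)

ENTRY = re.compile(r"Azure AD Graph API request (\w+) url: '([^']+)'")
STATUS = re.compile(r"Response status code: '(\d+)'")
ROLE_URL = re.compile(r"/directoryRoles/([0-9a-fA-F-]{36})/\$links/members/([0-9a-fA-F-]{36})")

def parse_entries(text):
    """Yield (method, url, status, body) per logged request; body is parsed JSON or None."""
    hits = list(ENTRY.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        chunk = text[m.end():end]
        status = STATUS.search(chunk)
        body, start = None, chunk.find("Response body: {")
        if start != -1:
            try:  # raw_decode stops at the end of the JSON, ignoring the next entry's prefix
                body, _ = json.JSONDecoder().raw_decode(chunk[start + len("Response body: "):])
            except json.JSONDecodeError:
                pass
        yield m.group(1), m.group(2), int(status.group(1)) if status else None, body

def find_group_as_role_calls(text):
    """Return directoryRoles calls whose role id was earlier returned by memberOf as a Group."""
    groups, findings = {}, []
    for method, url, status, body in parse_entries(text):
        if "/memberOf" in url and isinstance(body, dict):
            for obj in body.get("value", []):
                if obj.get("objectType") == "Group":
                    groups[obj.get("objectId")] = obj.get("displayName")
        role = ROLE_URL.search(url)
        if role and role.group(1) in groups:
            findings.append({"method": method, "status": status, "user_id": role.group(2),
                             "group_id": role.group(1), "group_name": groups[role.group(1)]})
    return findings
```

Calling find_group_as_role_calls on the text of an apilog returns one record per affected request, which identifies the users whose role then has to be assigned manually.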
Resolution
The issue will be addressed in the scope of request #APSA-22801. As a workaround for the current version, assign the role to the user manually through the Microsoft Admin Center.