Symptoms


An attempt to change a Microsoft role fails with the following error:


Resource *** does not exist or one of its queried reference-property objects are not present

The following error is shown in the apilog:

2020-08-19 03:44:25,893 <4172> [  16] DEBUG apilogger   : Azure AD Graph API request GET url: 'https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/users/2decd3f5-6e1b-4029-8391-1d542ed5fd74/memberOf?api-version=1.6'
Execution time: 156 ms
Request headers:
  Accept:application/json
  X-Endpoint-Request-ID:83e2c427-3c1c-4669-a6be-b203668ad7eb
  Authorization:********
  Host:graph.windows.net

Request body:
<<<EMPTY BODY>>>

Response status code: '200',
Response headers:
  Pragma:no-cache
  ocp-aad-diagnostics-server-name:2spmERui020U0wyPwT2WvmOHlKP53R5wAyXGA8Fut44=
  request-id:9c3356b0-f19b-4067-b8df-89cc5b871da9
  client-request-id:48ac6cbd-7124-4cf0-87fc-6ceb9a4add66
  x-ms-dirapi-data-contract-version:1.6
  ocp-aad-session-key:7yTYKSSU-dLwOFB8hdpVSIDRJlhDRHr4CKn_GKqh4m7wTSgL99ZtOVN52Q4yZIXl3bp7xHphj9qnMcuKRWjn84uAVawLAxDRiIngNDauzK5xYYRPGK1EaJ4TUuZHVZTWevqPErmoOxnM1oTbMCw238fljsDfwdz0cO_9FkdHHcY.q8GcG4VAQB0xyBj6zg6ufn_XDeRQe_TdFUl_l-welj8
  x-ms-resource-unit:2
  DataServiceVersion:3.0;
  Strict-Transport-Security:max-age=31536000; includeSubDomains
  Access-Control-Allow-Origin:*
  Duration:1538697
  Content-Length:755
  Cache-Control:no-cache
  Content-Type:application/json; odata=minimalmetadata; streaming=true; charset=utf-8
  Date:Wed, 19 Aug 2020 03:44:26 GMT
  Expires:-1
  X-AspNet-Version:4.0.30319
  X-Powered-By:ASP.NET
Response body:
{
  "value": [
    {
      "description": "This is the default group for everyone in the network",
      "displayName": "All Company",
      "objectId": "5616753f-eef6-477d-9834-f0fa7d4a3c72",
      "objectType": "Group"
    }
  ],
  "odata.metadata": "https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/$metadata#directoryObjects"
}
2020-08-19 03:44:25,956 <4172> [  16] DEBUG apilogger   : Azure AD Graph API request DELETE url: 'https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/directoryRoles/5616753f-eef6-477d-9834-f0fa7d4a3c72/$links/members/2decd3f5-6e1b-4029-8391-1d542ed5fd74?api-version=1.6'
Execution time: 63 ms
Request headers:
  Accept:application/json
  X-Endpoint-Request-ID:47cb535a-6619-47a9-9d96-1141e2956137
  Authorization:********
  Host:graph.windows.net
  Content-Length:0

Request body:
<<<EMPTY BODY>>>

Response status code: '404',
Response headers:
  Pragma:no-cache
  ocp-aad-diagnostics-server-name:tWDIIdSCGARBB5OYDfQKsqACCwNKfN2rxs61RHwiK+E=
  request-id:6e44f67d-5112-45bc-a2e7-70230e1d81bb
  client-request-id:54e834c3-d969-458f-b999-554c5eaa6eda
  x-ms-dirapi-data-contract-version:1.6
  ocp-aad-session-key:6kEDX14hbnw6DgfRRZJt5es_As9rqJ5aaQ5QiYBykax0A3zK7zoa1vGuH_MWx5jnFscSAVlRA1Tk4R_AzvCHLc0KKjH6WyCY1DA1G34WpMCJqRr4pe9TLzo_PrICIb4ErCxpCAwqBYuaK82TvMkGAblsqsmZY_6_43Dir14iB0Y.CZDMIhH0XacCSCjfWy9LwaxM2AXNVvrLcxEe3e2Md1o
  x-ms-resource-unit:1
  DataServiceVersion:3.0;
  Strict-Transport-Security:max-age=31536000; includeSubDomains
  Access-Control-Allow-Origin:*
  Duration:493823
  Content-Length:294
  Cache-Control:no-cache
  Content-Type:application/json; odata=minimalmetadata; streaming=true; charset=utf-8
  Date:Wed, 19 Aug 2020 03:44:27 GMT
  Expires:-1
  X-AspNet-Version:4.0.30319
  X-Powered-By:ASP.NET
Response body:
{
  "odata.error": {
    "date": "2020-08-19T03:44:27",
    "requestId": "6e44f67d-5112-45bc-a2e7-70230e1d81bb",
    "code": "Request_ResourceNotFound",
    "message": {
      "lang": "en",
      "value": "Resource '5616753f-eef6-477d-9834-f0fa7d4a3c72' does not exist or one of its queried reference-property objects are not present."
    }
  }
}


Cause


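Due to changes in the Azure AD Graph API provided by Microsoft, an attempt to assign a role fails at the Microsoft 365 application level if the user has been added to a group on the Microsoft side. In the apilog excerpt above, the memberOf response returns an object of type Group, and the subsequent DELETE request addresses that same object ID under directoryRoles, which returns 404 (Request_ResourceNotFound).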
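
To confirm from an apilog that a failed role change matches this cause, the following added example (not part of the original article or of the product) flags DELETE requests to directoryRoles that returned 404 for an object ID that an earlier memberOf response reported as a Group. The function names and the condensed sample log are constructed for illustration.

```python
import json
import re

REQ = re.compile(r"Azure AD Graph API request (\w+) url: '([^']+)'")
ROLE_DELETE = re.compile(r"/directoryRoles/([0-9a-f-]{36})/\$links/members/([0-9a-f-]{36})")

# Constructed sample: the two requests from the excerpt above, headers omitted.
SAMPLE_LOG = """\
2020-08-19 03:44:25,893 DEBUG apilogger   : Azure AD Graph API request GET url: 'https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/users/2decd3f5-6e1b-4029-8391-1d542ed5fd74/memberOf?api-version=1.6'
Response status code: '200',
Response body:
{"value": [{"displayName": "All Company", "objectId": "5616753f-eef6-477d-9834-f0fa7d4a3c72", "objectType": "Group"}]}
2020-08-19 03:44:25,956 DEBUG apilogger   : Azure AD Graph API request DELETE url: 'https://graph.windows.net/cec52dd1-cfb8-4cfa-9971-4405adb0d2a0/directoryRoles/5616753f-eef6-477d-9834-f0fa7d4a3c72/$links/members/2decd3f5-6e1b-4029-8391-1d542ed5fd74?api-version=1.6'
Response status code: '404',
Response body:
{"odata.error": {"code": "Request_ResourceNotFound"}}
"""

def parse_entries(log):
    """Yield (method, url, status, body) for each logged Graph API request."""
    parts = REQ.split(log)  # [prefix, method, url, rest, method, url, rest, ...]
    for method, url, rest in zip(parts[1::3], parts[2::3], parts[3::3]):
        status = re.search(r"Response status code: '(\d+)'", rest)
        marker = rest.find("Response body:")
        start = rest.find("{", marker) if marker != -1 else -1
        if not status or start == -1:
            continue  # truncated entry or empty response body
        # raw_decode reads one JSON value (multi-line is fine) and ignores
        # the next entry's timestamp prefix that trails it.
        body, _ = json.JSONDecoder().raw_decode(rest[start:])
        yield method, url, int(status.group(1)), body

def find_group_as_role_failures(log):
    """Return role removals that got 404 because the object ID is a group."""
    groups, hits = {}, []  # groups: objectId -> displayName seen in memberOf
    for method, url, status, body in parse_entries(log):
        if method == "GET" and "/memberOf" in url and status == 200:
            for obj in body.get("value", []):
                if obj.get("objectType") == "Group":
                    groups[obj["objectId"]] = obj.get("displayName")
        m = ROLE_DELETE.search(url)
        if method == "DELETE" and m and status == 404 and m.group(1) in groups:
            hits.append({"user": m.group(2), "group_id": m.group(1),
                         "group_name": groups[m.group(1)]})
    return hits

if __name__ == "__main__":
    for hit in find_group_as_role_failures(SAMPLE_LOG):
        print(hit)
```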


Resolution


The issue will be addressed in the scope of request #APSA-22801. As a workaround for the current version, assign the role to the user manually through the Microsoft Admin Center.