msgraph-beta-sdk-python icon indicating copy to clipboard operation
msgraph-beta-sdk-python copied to clipboard
verified publisher icon microsoftgraph

Graph API response field format mismatch with SDK object field format

Open r0ot opened this issue 2 months ago • 0 comments

Describe the bug

The field in question is for Conditional Access Policies (https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies): conditions.authenticationFlows.transferMethods. When specified in a policy, the graph API returns this field as a comma-separated string, e.g. "transferMethods": "deviceCodeFlow,authenticationTransfer". When parsed by this SDK in this format, ConditionalAccessPolicy.conditions.authentication_flows.transfer_methods get's incorrectly set to an empty array ([]).

The SDK expects the value of this field to be an array, rather than a comma-separated string. The following code demonstrates the incorrect and desired behaviors:

from kiota_serialization_json.json_parse_node import JsonParseNode
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy

json_data = {
  "displayName": "Test Device Code & Authentication Transfers",
  "state": "enabled",
  "conditions": {
    ...
    "authenticationFlows": {
      "transferMethods": "deviceCodeFlow,authenticationTransfer"
    }
  },
  ...
}

msgraph_sdk_obj = JsonParseNode(json_data).get_object_value(ConditionalAccessPolicy())
# msgraph_sdk_obj.conditions.authentication_flows.transfer_methods == []

fixed_json_data = {
  ...
  "conditions": {
    ...
    "authenticationFlows": {
      "transferMethods": ["deviceCodeFlow", "authenticationTransfer"]
    }
  },
  ...
}

fixed_msgraph_sdk_obj = JsonParseNode(fixed_json_data).get_object_value(ConditionalAccessPolicy())
# fixed_msgraph_sdk_obj.conditions.authentication_flows.transfer_methods == [
#   <ConditionalAccessTransferMethods.DeviceCodeFlow: 'deviceCodeFlow'>,
#   <ConditionalAccessTransferMethods.AuthenticationTransfer: 'authenticationTransfer'>
# ]

The following screenshot shows that the API returns it in the comma-separated string format:

Image

So the issue still exists when using the msgraph-sdk API request instead of the JSON parser. e.g.

from msgraph_beta.graph_service_client import GraphServiceClient

GraphServiceClient(...).identity.conditional_access.policies.by_conditional_access_policy_id('conditionalAccessPolicy-id').get()

And in the Entra UI it looks like the following:

Image

I don't know whether this bug should be fixed in this SDK or in the Graph API itself.

Expected behavior

msgraph_sdk_cap_obj: ConditionalAccessPolicy

msgraph_sdk_cap_obj.conditions.authentication_flows.transfer_methods ==
[
  <ConditionalAccessTransferMethods.DeviceCodeFlow: 'deviceCodeFlow'>,
  <ConditionalAccessTransferMethods.AuthenticationTransfer: 'authenticationTransfer'>
]
# not []

How to reproduce

The code above can be used to reproduce.

SDK Version

1.31.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

Click to expand for a full example JSON of a policy 
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity",
  "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET identity/conditionalAccess/policies('<guid>')?$select=conditions,createdDateTime",
  "templateId": null,
  "displayName": "Test Device Code & Authentication Transfers",
  "state": "enabledForReportingButNotEnforced",
  "sessionControls": null,
  "conditions": {
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": ["all"],
    "servicePrincipalRiskLevels": [],
    "insiderRiskLevels": null,
    "platforms": null,
    "locations": null,
    "devices": null,
    "clientApplications": null,
    "applications": {
      "includeApplications": ["None"],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": [],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    },
    "authenticationFlows": {
      "transferMethods": "deviceCodeFlow,authenticationTransfer"
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"],
    "customAuthenticationFactors": [],
    "termsOfUse": [],
    "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('e7a127d6-b745-47da-814e-f909748cff0d')/grantControls/authenticationStrength/$entity",
    "authenticationStrength": null
  }
}

Configuration

macOS, python 3.12

Other information

No response

r0ot avatar Oct 03 '25 19:10 r0ot