Remove-MgBetaEntitlementManagementAccessPackageAssignment results in 404 error

Open quentinmarois opened this issue 1 year ago • 4 comments

Describe the bug When attempting to use the Remove-MgBetaEntitlementManagementAccessPackageAssignment cmdlet with a valid AccessPackageAssignmentId, the azurewebsites API endpoint results in a 404 error.

To Reproduce Steps to reproduce the behavior:

Remove-MgBetaEntitlementManagementAccessPackageAssignment -AccessPackageAssignmentId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'

Debug Output

============================ HTTP REQUEST ============================

HTTP Method:
DELETE

Absolute Uri:
https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx

Headers:

Body:

============================ HTTP RESPONSE ============================

Status Code:
NotFound

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
client-request-id             : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"FR3PEPF0000016D"}}
Date                          : Thu, 14 Dec 2023 12:57:12 GMT

Body:
{
  "error": {
    "code": "",
    "message": "No HTTP resource was found that matches the request URI
'https://igaelm-asev3-ecapi-neu.igaelm-asev3-environment-neu.p.azurewebsites.net/api/v1/accessPackageAssignments('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx')'.",
    "innerError": {
      "date": "2023-12-14T12:57:12",
      "request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
      "client-request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
    }
  }
}

Module Version Microsoft.Graph.Beta.Identity.Governance version 2.11.1

quentinmarois, Dec 14 '23 13:12

Hi @quentinmarois, from the debug information this seems like a service issue. You can also confirm that this issue is not only specific to the Microsoft PowerShell SDK by making use of this tool, https://developer.microsoft.com/en-us/graph/graph-explorer, by picking the request URI from the debug information and running it on the tool. For API-related issues/questions we are not best placed to give an answer. Kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.

timayabi2020, Dec 15 '23 15:12

So I did a bit more research on the issue, but I'm getting more confused. The API actually seems to behave as expected: In this page and this page of the documentation, it is mentioned that to delete an access package assignment, we need to create a new request with the corresponding type of the initial assignment request.

So for example, if the original assignment request was of requestType AdminAdd, we create a new request of type AdminRemove.

So, it would make sense that the API returns an error, because the DELETE method doesn't exist (although the error status code is a bit misleading as the endpoint does exist, but not the method. A 405 error would make more sense).

The thing that I'm having difficulty understanding now is that, if this is the intended process, wouldn't this mean that the Remove-MgBetaEntitlementManagementAccessPackageAssignment command should not exist in the first place?

quentinmarois, Dec 19 '23 09:12

Thanks for the info @quentinmarois.

I got removal working with New-MgEntitlementManagementAssignmentRequest.

What's also not.. legit.. with Graph is that I successfully could create the remove request without any write permissions in the scope when I authenticated. I authenticated with:

do {$Disconnected = [bool](-not$(Try{$null = Disconnect-MgGraph 2>$null; $?}Catch{$false}))} until ($Disconnected)
Connect-MgGraph -UseDeviceCode -Scopes ('AuditLog.Read.All','EntitlementManagement.Read.All','User.Read.All') -NoWelcome -ContextScope 'Process'

And the delete request went through, no questions asked.

  • Edit: This is by design apparently: https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/587

After that it takes some minutes before the request is "delivered", as in assignment is actually deleted. Then the assignment status is "expired".

o-l-a-v, Jan 04 '24 14:01
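
The removal path described in this thread (an adminRemove assignment request instead of a DELETE), as an added example that is not code from the issue or from the SDK project. It assumes the v1.0 cmdlets in Microsoft.Graph.Identity.Governance; the function name, timeout and polling interval are hypothetical, and the scope check reads Get-MgContext because a session can hold more scopes than were passed to Connect-MgGraph -Scopes.

```powershell
# Added example. Needs Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.Governance (v1.0 cmdlets) and an existing session.
function Remove-AccessPackageAssignmentViaRequest {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid] $AssignmentId,
        [int] $TimeoutSeconds = 600,      # assumed upper bound for delivery
        [int] $PollSeconds = 15           # assumed polling interval
    )

    # Report the scopes the session really holds, not the ones that were
    # requested, and refuse to continue without the documented write scope.
    $context = Get-MgContext
    if (-not $context) { throw 'Not connected. Run Connect-MgGraph first.' }
    Write-Verbose ('Effective scopes: ' + ($context.Scopes -join ', '))
    if ($context.Scopes -notcontains 'EntitlementManagement.ReadWrite.All') {
        throw 'Session does not hold EntitlementManagement.ReadWrite.All.'
    }

    # Only a delivered assignment can be removed; anything else is reported.
    $assignment = Get-MgEntitlementManagementAssignment -AccessPackageAssignmentId $AssignmentId
    if ($assignment.State -ne 'delivered') {
        Write-Warning "Assignment state is '$($assignment.State)'; no request sent."
        return $assignment
    }

    # v1.0 request body: requestType adminRemove plus the assignment id.
    $body = @{
        requestType = 'adminRemove'
        assignment  = @{ id = "$AssignmentId" }
    }
    if (-not $PSCmdlet.ShouldProcess("$AssignmentId", 'Submit adminRemove request')) { return }
    $request = New-MgEntitlementManagementAssignmentRequest -BodyParameter $body
    Write-Verbose "Submitted assignment request $($request.Id)."

    # Removal is asynchronous: poll until the assignment reports expired.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds $PollSeconds
        $assignment = Get-MgEntitlementManagementAssignment -AccessPackageAssignmentId $AssignmentId
    } until ($assignment.State -eq 'expired' -or (Get-Date) -gt $deadline)

    if ($assignment.State -ne 'expired') {
        Write-Warning "Still '$($assignment.State)' after $TimeoutSeconds seconds."
    }
    return $assignment
}
```

Run it with -WhatIf to see the target without sending the request, and with -Verbose to log the effective scopes for the session.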