msgraph-sdk-powershell

Update-MgEntitlementManagementAccessPackageAssignmentPolicy sends PATCH rather than PUT (Wrong URI in Update-MgEntitlementManagementAccessPackageAssignmentPolicy)

Open petr-stupka opened this issue 3 years ago • 4 comments

Update-MgEntitlementManagementAccessPackageAssignmentPolicy `
                -AccessPackageAssignmentPolicyId $assignmentPolicyId `
                -BodyParameter $bodyParameter

Error:

No HTTP resource was found that matches the request URI 'https://elm.iga.azure.com/api/v1/accessPackageAssignmentPolicies('8b5622cd-c7ea-4af0-a456-09a2ce808083')'

I assume the API URI is incorrect AB#10395

Powershell:

PSVersion - 7.1.3 Module version - 1.6.1

petr-stupka avatar Jul 26 '21 11:07 petr-stupka

Thanks for surfacing this. The command is calling the correct URI but not the proper HTTP method. The HTTP method should be PUT instead of PATCH. See https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java#http-request.

As a workaround, you can use Invoke-MgGraphRequest till the workload resolves this:

$Uri = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/$assignmentPolicyId"
Invoke-MgGraphRequest -Uri $Uri -Method PUT -Body $BodyParameter

peombwa avatar Jul 27 '21 16:07 peombwa

@peombwa thank you for the support! The Invoke-MgGraphRequest is very useful in such cases!

I'm writing a script using those new Entitlement Management cmdlets. I found plenty of similar 'bugs' in other cmdlets as well. Will it make sense to open an issue for each of them in a format like this one?

petr-stupka avatar Jul 27 '21 20:07 petr-stupka

Yes, please open issues for them so we can address them.

peombwa avatar Jul 28 '21 15:07 peombwa

When is this expected to be corrected? More than a year has passed and it is still not working.

rzilahi avatar Aug 30 '22 14:08 rzilahi

I upgraded to 1.12.3 but still have the problem:

call

Update-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $policy.Id `
  -AccessPackageId $accessPackage.Id `
  -RequestorSettings $requestorSettings

response

Line |
 379 |  …             Update-MgEntitlementManagementAccessPackageAssignmentPoli …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No HTTP resource was found that matches the request URI
     | 'https://igaelm-asev3-ecapi-neu.igaelm-asev3-environment-neu.p.azurewebsites.net/api/v1/accessPackages('...')/accessPackageAssignmentPolicies('...')'.

KaiWalter avatar Oct 12 '22 10:10 KaiWalter

Me as well. Spent the good part of my day banging my head against a wall over this. Glad I found this thread. Although @peombwa's suggestion of using Invoke-MgGraphRequest -Uri $Uri -Method PUT -Body $BodyParameter doesn't work for me.

$BodyParameter = @{ displayName = "New Initial Policy" }
$Uri = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/47909103-f5c4-4ca9-b537-d23ef4c3364e"
Invoke-MgGraphRequest -Uri $Uri -Method PUT -Body $BodyParameter

Errors with:

Invoke-MgGraphRequest : PUT https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/47909103-f5c4-4ca9-b537-d23ef4c3364e HTTP/1.1 400 Bad Request [...]

GET works just fine

Invoke-MgGraphRequest -Uri $Uri -Method GET

Name                  Value
accessReviewSettings  {isApprovalJustificationRequired, startDateTime, isAccessRecommendationEnabled, accessReviewTimeoutBehavior...}
canExtend             False
displayName           Initial Policy
description           Initial Policy
[...]

MistaGil avatar Oct 13 '22 03:10 MistaGil

@MistaGil

Had the same observation and already opened a case with MS support for this - sent Fiddler traces and all. Error is reproducible from PowerShell, Graph Explorer and even Azure Portal.

KaiWalter avatar Oct 14 '22 04:10 KaiWalter

Per https://learn.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-1.0&tabs=powershell, I was able to get Set-MgEntitlementManagementAssignmentPolicy (which isn't a documented Microsoft Graph Identity Governance Mg cmdlet) to complete successfully, however it overwrites every non-defined property in -BodyParameter, despite the documentation saying non-included properties won't be overwritten.

Also, PowerShell returns an error that Update-MgEntitlementManagementAssignmentPolicy (which looks to be the MgProfile v1.0 equivalent of Update-MgEntitlementManagementAccessPackageAssignmentPolicy) is not a valid cmdlet, despite documentation to the contrary.

All in all, it's very clear that Graph PowerShell's documentation is not only horridly lacking, it's flat out incorrect, and for the consumers of it, it's incredibly frustrating and time consuming.

MistaGil avatar Oct 15 '22 22:10 MistaGil

Thanks for the hint @MistaGil with the Set-... cmdlet. Switched also my logic to it and hope that there will be no breaking change on that in the near future.

KaiWalter avatar Oct 19 '22 11:10 KaiWalter

@KaiWalter curious, when you run Set-... are you defining all of the assignment policy's properties in -BodyParameter or did you find a way to set only specific ones without overwriting the others?

MistaGil avatar Oct 19 '22 16:10 MistaGil

@MistaGil did not get -BodyParameter working ... something with missing parameter source. I reduced Set-... to the few sections / objects I still need in my scenario, which is basically to disable the policy for new requests and just keep it present for the active assignments until those run out. Makes sense?

KaiWalter avatar Oct 19 '22 17:10 KaiWalter

@KaiWalter can you provide an example of what you did? I tried eliminating the -BodyParameter in Set-... as well, instead setting a specific property, e.g.

Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId <AccessPackageAssignmentPolicyId> -DisplayName "TEST"

But it returns the error

Set-MgEntitlementManagementAssignmentPolicy : Value cannot be null.

MistaGil avatar Oct 20 '22 18:10 MistaGil

@MistaGil my code section looks like this

# handle existing policies
# - disable when there are active assignments
# - delete when there are no assignments
$accessPackageAssignmentPolicies = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -DisplayNameContains $accessPackageName | ? { $_.DisplayName -ne $assignmentPolicyName }
if ($accessPackageAssignmentPolicies) {
    foreach ($p in $accessPackageAssignmentPolicies) {
        $assignments = Get-MgEntitlementManagementAccessPackageAssignment -AccessPackageId $accessPackage.Id | ? { $_.AssignmentPolicyId -eq $p.id -and $_.AssignmentState -ne "Expired" }
        if ($assignments.Count -eq 0) {
            Write-Host "delete assignment policy" $p.id "with no active assignments for" $accessPackage.displayName
            Remove-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id
        }
        else {
            $currentPolicy = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id

            if ($currentPolicy.RequestorSettings.acceptRequests) {
                Write-Host "disable assignment policy" $p.id "with active assignments for" $accessPackage.displayName

                $newPolicy = $currentPolicy
                $newPolicy.RequestorSettings.AcceptRequests = $false
                $newPolicy.Description = $newPolicy.Description + " - DISABLED"

                Set-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.Id `
                    -DisplayName $newPolicy.DisplayName `
                    -Description $newPolicy.Description `
                    -AccessPackageId $accessPackage.Id `
                    -RequestorSettings $newPolicy.RequestorSettings
            }
        }
    }
}

KaiWalter avatar Oct 21 '22 08:10 KaiWalter

Thank you @KaiWalter. Your code did help me get Set-... to run successfully (looks like the -AccessPackageID parameter is required).

However, I ran your code and it's facing the same issue I described previously, which is that any property not defined in Set-... (for your code is the assignment policy's display name, description, and requestor settings), gets overwritten with default values. So in your case, every property that is not the assignment policy's display name, description, or requestor settings, will get overwritten back to default (e.g. if the assignment policy had Access Reviews set to Yes, it will get set back to default (No) since you didn't define it in your Set-... command). I guess you could pull all assignment policy properties and re-write them only changing the desired ones, but 1) that is risky and goes against best practices and 2) that behavior is contrary to its documentation which states

In the request body, supply only the values for properties that should be updated. Existing properties that are not included in the request body will maintain their previous values

MistaGil avatar Oct 21 '22 18:10 MistaGil

@MistaGil I also have the behavior you describe - however for me this is fine / intentional at that point in the lifecycle of the policy assignment

KaiWalter avatar Oct 22 '22 06:10 KaiWalter

Just providing clarity of a few things:

  1. In v1.0, the command to use is Set-MgEntitlementManagementAssignmentPolicy. In beta, the command is Set-MgEntitlementManagementAccessPackageAssignmentPolicy. Please note that the command names and API endpoints are different in v1.0 (/identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicy-Id}) and beta (/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{accessPackageAssignmentPolicy-Id}).

  2. @MistaGil, the behavior you are experiencing is by design. Set-* commands call the HTTP PUT method. The API supports HTTP PUT in both v1.0 and beta. With HTTP PUT, when the target resource exists, an API overwrites that resource with a completely new body (strategy used to compute the new body may vary by workload). What you are looking for is HTTP PATCH, partial updates, which is not supported by the API. Please open a feature request/question at https://developer.microsoft.com/en-us/graph/support to surface this to the API owner. They will have more answers as to why their API behaves this way.

peombwa avatar Nov 23 '22 21:11 peombwa
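
Added example, not part of the thread or of the SDK: because Set-* issues a full-replacement PUT, a defensive check is to snapshot the policy before and after the call and flag any property that changed without being an intended change (for instance access review settings reset to defaults). `ConvertTo-FlatPolicy` and `Get-PolicyDrift` are hypothetical helper names, and the two snapshots are constructed sample data using property names that appear in the GET output earlier in the thread.

```powershell
# Added example. ConvertTo-FlatPolicy and Get-PolicyDrift are hypothetical helpers.
function ConvertTo-FlatPolicy {
    # Flatten nested hashtables into 'a.b.c' -> JSON-encoded leaf value.
    param($Node, [string] $Prefix = '')
    $flat = @{}
    if ($Node -is [System.Collections.IDictionary]) {
        foreach ($key in $Node.Keys) {
            $path  = if ($Prefix) { "${Prefix}.${key}" } else { "${key}" }
            $child = ConvertTo-FlatPolicy -Node $Node[$key] -Prefix $path
            foreach ($k in $child.Keys) { $flat[$k] = $child[$k] }
        }
    }
    else {
        # Arrays, scalars and $null are compared by their JSON text.
        $flat[$Prefix] = ConvertTo-Json -InputObject $Node -Compress -Depth 10
    }
    return $flat
}

function Get-PolicyDrift {
    # Report every property that differs and is not listed as an intended change.
    param($Before, $After, [string[]] $IntendedPath = @())
    $b = ConvertTo-FlatPolicy -Node $Before
    $a = ConvertTo-FlatPolicy -Node $After
    foreach ($path in (@($b.Keys) + @($a.Keys) | Sort-Object -Unique)) {
        if ($path -in $IntendedPath) { continue }
        if ($b[$path] -cne $a[$path]) {
            [pscustomobject]@{ Path = $path; Before = $b[$path]; After = $a[$path] }
        }
    }
}

# Constructed snapshots. In practice both would come from
# Invoke-MgGraphRequest -Uri $Uri -Method GET, taken before and after the Set-... call.
$before = @{
    displayName          = 'Initial Policy'
    description          = 'Initial Policy'
    canExtend            = $true
    requestorSettings    = @{ acceptRequests = $true }
    accessReviewSettings = @{ isApprovalJustificationRequired = $true; isAccessRecommendationEnabled = $true }
}
$after = @{
    displayName          = 'Initial Policy'
    description          = 'Initial Policy - DISABLED'
    canExtend            = $false
    requestorSettings    = @{ acceptRequests = $false }
    accessReviewSettings = $null   # constructed stand-in for "reset to default"
}

Get-PolicyDrift -Before $before -After $after -IntendedPath 'description', 'requestorSettings.acceptRequests'
```

With these snapshots the function reports `canExtend` and the `accessReviewSettings` paths as drift, while the two intended changes are ignored.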

We will suppress the generation of Update-MgEntitlementManagementAccessPackageAssignmentPolicy in https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1647 as the API does not support it. Use Set-MgEntitlementManagementAccessPackageAssignmentPolicy instead.

peombwa avatar Nov 23 '22 21:11 peombwa

So how does it handle adding things instead of simply destroying everything in the resource?

kudu-star avatar Nov 09 '23 14:11 kudu-star