msgraph-sdk-dotnet

Assign app role to newly created/invited user results in 400 BadRequest

Open ErikAndreas opened this issue 1 year ago • 7 comments

Describe the bug

I am successfully creating an invite to a b2b guest user using Invitations.PostAsync, I'm then trying to set an app role using AppRoleAssignedTo.PostAsync on that user but it fails with statusCode 400, errorCode 'Request_BadRequest' and errorMessage 'Not a valid reference update'.

I'm even able to query the newly created user with Users[userObjectId].GetAsync prior to trying to set role.

Trying to set the role on that user a few minutes later works.

Expected behavior

Being able to set user app role on the newly created invited user? Or get a more explaining message (retry-after or similar)? Something more actionable, there's nothing wrong with the request (it's not a bad request).

How to reproduce

```csharp
// request bodies removed for brevity
var userObjectId = await _client.Invitations.PostAsync(requestBody);
var result = await _client.Users[userObjectId].GetAsync();
var roleAssignment = await _client.ServicePrincipals[Environment.GetEnvironmentVariable("EntraEAObjectId")].AppRoleAssignedTo.PostAsync(roleRequestBody);
```

SDK Version

5.53

Latest version known to work for scenario above?

No response

Known Workarounds

No response



Configuration

No response

Other information

No response

ErikAndreas avatar May 22 '24 08:05 ErikAndreas

Thanks for raising this @ErikAndreas

Any chance you can share a sample of how the roleRequestBody property is created?

Are you able to share the serialized payload before it's sent out, using Fiddler or with something like this?

```csharp
var jsonString = KiotaJsonSerializer.SerializeAsString(roleRequestBody);
```

andrueastman avatar May 23 '24 07:05 andrueastman

```csharp
var roleRequestBody = new AppRoleAssignment
{
    PrincipalId = userObjectId, // user object id
    ResourceId = Guid.Parse(Environment.GetEnvironmentVariable("EntraEAObjectId")), // enterprise app object id
    AppRoleId = Guid.Parse(roleObjectid) // client app role object id
};
```

As previously stated, it does work after a few minutes (after createInvite).

ErikAndreas avatar May 23 '24 07:05 ErikAndreas

Somewhat related is the fact that if the user already has the role assigned you also get a Request_BadRequest answer, and the only way to separate a failed (this issue) call from one that is OK (role already assigned) is to check the error message (human readable string). Here it would be preferable to be able to separate the cases by a code/enum or such, not a message/string.

ErikAndreas avatar May 23 '24 07:05 ErikAndreas

Hi, any progress on this issue? @andrueastman

ErikAndreas avatar Jun 04 '24 06:06 ErikAndreas

Any updates? @andrueastman

ErikAndreas avatar Jul 16 '24 10:07 ErikAndreas

Any news here @andrueastman?

ErikAndreas avatar Sep 05 '24 06:09 ErikAndreas

@andrueastman having the exact same behaviour that @ErikAndreas is describing.

In my scenario, I create/send the guest invitation and then try to update the same user record's properties immediately afterwards.

It simply does not work, and the only way to get it to work is to wait (in my case I have a scheduled service bus message that performs the update 5 minutes after each user is invited).

It should be very straightforward to reproduce this in code. Pseudo-code:

  1. Create invitation
  2. Update any guest user's property immediately after creation.

Seany84 avatar Feb 04 '25 13:02 Seany84
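
One way to code the wait that this thread converges on, as an added example (not code from any commenter or from the SDK): retry the assignment only when Graph returns the 400 `Request_BadRequest` with the "Not a valid reference update" message reported above, and let every other error, including the already-assigned case, reach the caller. The helper name, attempt count and delays are assumptions.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

public static class AppRoleAssignmentRetry
{
    // Error text reported in this issue for a freshly invited guest.
    private const string NotYetAssignable = "Not a valid reference update";

    // Hypothetical helper: retries only the transient 400 described in this thread.
    public static async Task<AppRoleAssignment?> AssignWithRetryAsync(
        GraphServiceClient client,
        string servicePrincipalObjectId,
        AppRoleAssignment body,
        int maxAttempts = 6,                  // assumption: waits of 10+20+40+80+120 s in total
        CancellationToken ct = default)
    {
        var delay = TimeSpan.FromSeconds(10); // assumption: first wait
        var maxDelay = TimeSpan.FromMinutes(2);

        for (var attempt = 1; ; attempt++)
        {
            try
            {
                return await client.ServicePrincipals[servicePrincipalObjectId]
                    .AppRoleAssignedTo.PostAsync(body, cancellationToken: ct);
            }
            // The filter matches on status, code AND message, because the code alone
            // is shared with other failures (e.g. role already assigned). Anything
            // that does not match, or the last attempt, propagates unchanged.
            catch (ODataError e) when (
                attempt < maxAttempts &&
                e.ResponseStatusCode == 400 &&
                e.Error?.Code == "Request_BadRequest" &&
                e.Error?.Message?.Contains(NotYetAssignable, StringComparison.OrdinalIgnoreCase) == true)
            {
                await Task.Delay(delay, ct);
                delay = TimeSpan.FromTicks(Math.Min(delay.Ticks * 2, maxDelay.Ticks));
            }
        }
    }
}
```

Because the match depends on a human-readable message, log the full `ODataError` when the final attempt fails so a change in the service's wording shows up as an unassigned role rather than a silent gap.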