`InvalidModel` when updating Access Package Assignment Policy
Describe the bug
I want to update an access package assignment policy, but whenever the policy includes the requirement for approval (i.e. is_approval_required_for_add=True), this fails with an InvalidModel error.
Example: If I set the property for "requires approval" to false, I am able to retrieve an existing access package policy by ID and update a certain property (e.g. the duration) successfully:
```python
# ap_pol_id holds the ID of the existing access package assignment policy.
# Retrieve the pre-existing access package assignment policy:
ap_assignment_policy_obj = await graph_client.identity_governance.entitlement_management.assignment_policies.by_access_package_assignment_policy_id(ap_pol_id).get()

# Set the required duration in ISO 8601 duration format:
ap_assignment_policy_obj.expiration.duration = "PT4H"

# Update the access package assignment policy:
result = await graph_client.identity_governance.entitlement_management.assignment_policies.by_access_package_assignment_policy_id(ap_pol_id).put(ap_assignment_policy_obj)
```
However, as soon as "requires approval" is set to true (and the associated approval groups etc. are set), I am no longer able to update an existing access package assignment policy. Instead, the following error is encountered:
```
msgraph.generated.models.o_data_errors.o_data_error.ODataError:
APIError
Code: 400
message: None
error: MainError(additional_data={}, code='InvalidModel', details=[], inner_error=InnerError(additional_data={}, client_request_id='', date=datetime.datetime(2025, 6, 12, 12, 57, 48), odata_type=None, request_id=''), message='The model is invalid.', target=None)
```
Expected behavior
Regardless of whether or not approval is required (as dictated by the property is_approval_required_for_add), the access package policy update should work.
How to reproduce
- Create an access package assignment policy
- Set "requires approval" to true, and fill in the required properties
- Try to update the access package assignment policy
SDK Version
1.33.0
Latest version known to work for scenario above?
No response
Known Workarounds
No response
Debug output
```
msgraph.generated.models.o_data_errors.o_data_error.ODataError:
APIError
Code: 400
message: None
error: MainError(additional_data={}, code='InvalidModel', details=[], inner_error=InnerError(additional_data={}, client_request_id='', date=datetime.datetime(2025, 6, 12, 12, 57, 48), odata_type=None, request_id=''), message='The model is invalid.', target=None)
```
Configuration
No response
Other information
An example of the approval settings that can be used to generate this error is shown below:
```python
import datetime

from msgraph.generated.models.access_package_assignment_approval_settings import AccessPackageAssignmentApprovalSettings
from msgraph.generated.models.access_package_approval_stage import AccessPackageApprovalStage
from msgraph.generated.models.group_members import GroupMembers

# ap_assignment_policy_obj is the policy object retrieved with .get() earlier.
ap_assignment_policy_obj.request_approval_settings = AccessPackageAssignmentApprovalSettings(
    is_approval_required_for_add = True,
    is_approval_required_for_update = False,
    is_requestor_justification_required = True,
    stages = [
        AccessPackageApprovalStage(
            duration_before_automatic_denial = datetime.timedelta(days=14),
            is_escalation_enabled = False,
            is_approver_justification_required = True,
            duration_before_escalation = datetime.timedelta(0),
            primary_approvers = [
                GroupMembers(
                    odata_type = "#microsoft.graph.groupMembers",
                    description = "approver_group"
                )
            ],
            fallback_primary_approvers = [],
            escalation_approvers = [],
            fallback_escalation_approvers = []
        )
    ]
)
```
We are unable to add custom workflow extensions to an existing Access Package Assignment Policy. The update operation fails with error code 400 "InvalidModel" when attempting to add customExtensionStageSettings.
Steps to Reproduce
- Create or identify an Access Package with a policy
- Create a custom workflow extension in the catalog
- Attempt to update the policy with custom extension stage settings
Code Example
```python
# Using Microsoft Graph SDK
from msgraph import GraphServiceClient
from msgraph.generated.models.access_package_assignment_policy import AccessPackageAssignmentPolicy
from msgraph.generated.models.custom_extension_stage_setting import CustomExtensionStageSetting
from msgraph.generated.models.access_package_custom_extension_stage import AccessPackageCustomExtensionStage
from msgraph.generated.models.access_package_assignment_request_workflow_extension import AccessPackageAssignmentRequestWorkflowExtension

# Fetch current policy
current_policy = await client.identity_governance.entitlement_management.assignment_policies.by_access_package_assignment_policy_id(policy_id).get()

# Create update with custom extensions
update_policy = AccessPackageAssignmentPolicy()
update_policy.display_name = current_policy.display_name
update_policy.description = current_policy.description
# ... preserve other required fields ...

# Add custom extension stage settings
stage_setting = CustomExtensionStageSetting()
stage_setting.stage = AccessPackageCustomExtensionStage.AssignmentRequestApproved
workflow_extension = AccessPackageAssignmentRequestWorkflowExtension()
workflow_extension.id = extension_id
workflow_extension.odata_type = "#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension"
stage_setting.custom_extension = workflow_extension
update_policy.custom_extension_stage_settings = [stage_setting]

# This fails with InvalidModel error
await client.identity_governance.entitlement_management.assignment_policies.by_access_package_assignment_policy_id(policy_id).put(update_policy)
```
Expected Behavior
According to the documentation, the policy should be updated successfully with the custom extension stage settings.
Actual Behavior
The API returns:
```json
{
  "error": {
    "code": "InvalidModel",
    "message": "The model is invalid.",
    "innerError": {
      "date": "2025-07-12T15:17:51",
      "request-id": "a4ccff9c-2237-4b16-8216-7281d924a5ae",
      "client-request-id": "1a4d2acc-efd1-4945-aa4d-2e1e61d2fa36"
    }
  }
}
```