Graph service throws Request_ResourceNotFound exception

[samuelstadler]

Jenkins and plugins versions report

Environment

```text Jenkins: 2.332.3 OS: Linux - 5.11.0-43-generic --- ace-editor:1.1 active-directory:2.25.1 analysis-model-api:10.10.1 ansicolor:1.0.1 ant:475.vf34069fef73c antisamy-markup-formatter:2.7 apache-httpcomponents-client-4-api:4.5.13-1.0 artifactory:3.16.2 authentication-tokens:1.4 authorize-project:1.4.0 azure-ad:218.v90f6a_980b_a_61 azure-sdk:106.v552de1e64d56 basic-branch-build-strategies:1.3.2 bitbucket:223.vd12f2bca5430 blueocean:1.25.5 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.25.5 blueocean-commons:1.25.5 blueocean-config:1.25.5 blueocean-core-js:1.25.5 blueocean-dashboard:1.25.5 blueocean-display-url:2.4.1 blueocean-events:1.25.5 blueocean-git-pipeline:1.25.5 blueocean-github-pipeline:1.25.5 blueocean-i18n:1.25.5 blueocean-jwt:1.25.5 blueocean-personalization:1.25.5 blueocean-pipeline-api-impl:1.25.5 blueocean-pipeline-editor:1.25.5 blueocean-pipeline-scm-api:1.25.5 blueocean-rest:1.25.5 blueocean-rest-impl:1.25.5 blueocean-web:1.25.5 bootstrap5-api:5.1.3-7 bouncycastle-api:2.26 branch-api:2.1046.v0ca_37783ecc5 build-timestamp:1.0.3 caffeine-api:2.9.3-65.v6a_47d0f4d1fe checks-api:1.7.4 cloudbees-bitbucket-branch-source:773.v4b_9b_005b_562b_ cloudbees-folder:6.729.v2b_9d1a_74d673 command-launcher:84.v4a_97f2027398 config-file-provider:3.10.0 configuration-as-code:1429.v09b_044a_c93de credentials:1087.1089.v2f1b_9a_b_040e4 credentials-binding:523.vd859a_4b_122e6 data-tables-api:1.11.4-4 delivery-pipeline-plugin:1.4.2 deployit-plugin:22.0.2 display-url-api:2.3.6 docker-commons:1.19 docker-workflow:1.28 dtkit-api:3.0.1 durable-task:496.va67c6f9eefa7 echarts-api:5.3.2-3 email-ext:2.88 favorite:2.4.1 font-awesome-api:6.1.1-1 forensics-api:1.15.1 git:4.11.3 git-client:3.11.0 github:1.34.3 github-api:1.303-400.v35c2d8258028 github-branch-source:1637.vd833b_7ca_7654 gradle:1.39.1 greenballs:1.15.1 groovy:2.4 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 hashicorp-vault-plugin:336.v182c0fbaaeb7 htmlpublisher:1.30 http_request:1.15 ivy:2.2 jackson2-api:2.13.3-285.vc03c0256d517 javadoc:217.v905b_86277a_2a_ javax-activation-api:1.2.0-3 javax-mail-api:1.6.2-6 jaxb:2.3.6-1 jdk-tool:1.5 jenkins-design-language:1.25.5 jjwt-api:0.11.5-77.v646c772fddb_0 job-dsl:1.79 jquery:1.12.4-1 jquery3-api:3.6.0-4 jsch:0.1.55.2 junit:1119.va_a_5e9068da_d7 kubernetes:3636.v84b_a_1dea_6240 kubernetes-client-api:5.12.2-193.v26a_6078f65a_9 kubernetes-credentials:0.9.0 mailer:414.vcc4c33714601 matrix-auth:3.1.2 matrix-project:771.v574584b_39e60 maven-plugin:3.19 mercurial:2.16.2 metrics:4.1.6.2 momentjs:1.1.1 okhttp-api:4.9.3-105.vb96869f8ac3a opentelemetry:0.21 parameterized-trigger:2.44 pipeline-build-step:2.18 pipeline-graph-analysis:195.v5812d95a_a_2f9 pipeline-groovy-lib:593.va_a_fc25d520e9 pipeline-input-step:448.v37cea_9a_10a_70 pipeline-milestone-step:101.vd572fef9d926 pipeline-model-api:2.2086.v12b_420f036e5 pipeline-model-definition:2.2086.v12b_420f036e5 pipeline-model-extensions:2.2086.v12b_420f036e5 pipeline-rest-api:2.24 pipeline-stage-step:293.v200037eefcd5 pipeline-stage-tags-metadata:2.2086.v12b_420f036e5 pipeline-stage-view:2.24 pipeline-utility-steps:2.12.2 plain-credentials:1.8 plugin-util-api:2.17.0 popper2-api:2.11.5-2 prism-api:1.28.0-2 pubsub-light:1.16 resource-disposer:0.19 schedule-build:301.vfdc555a_b_cf81 scm-api:608.vfa_f971c5a_a_e9 script-security:1175.v4b_d517d6db_f0 skip-notifications-trait:1.0.5 snakeyaml-api:1.30.1 sse-gateway:1.25 ssh-credentials:277.v95c2fec1c047 ssh-slaves:1.814.vc82988f54b_10 sshd:3.0.3 startup-trigger-plugin:2.9.3 statistics-gatherer:2.0.3 structs:318.va_f3ccb_729b_71 timestamper:1.17 token-macro:293.v283932a_0a_b_49 trilead-api:1.57.v6e90e07157e1 variant:1.4 warnings-ng:9.12.0 workflow-aggregator:581.v0c46fa_697ffd workflow-api:1164.v760c223ddb_32 workflow-basic-steps:948.v2c72a_091b_b_68 workflow-cps:2725.v7b_c717eb_12ce workflow-durable-task-step:1146.v1a_d2e603f929 workflow-job:1186.v8def1a_5f3944 workflow-multibranch:716.vc692a_e52371b_ workflow-scm-step:400.v6b_89a_1317c9a_ workflow-step-api:625.vd896b_f445a_f8 workflow-support:820.vd1a_6cc65ef33 ws-cleanup:0.42 xunit:3.0.8 ```

What Operating System are you using (both controller, and any agents involved in the problem)?

Docker image jenkins/jenkins:lts - Linux amd64 5.11.0-43-generic

Reproduction steps

1. Install Azure AD Plugin
2. Configured Azure Active Directory
3. Setup Azure AD permissions
4. Add group to the Azure Active Directory Matrix-based security

Expected Results

No error logging.

Actual Results

The authorization works but it creates error logs:

Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409Graph service exception Error code: Request_ResourceNotFound
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409Error message: Resource 'Firstname Lastname' does not exist or one of its queried reference-property objects are not present.
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409GET https://graph.microsoft.com/v1.0/users/Firstname%20Lastname
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409SdkVersion : graph-java/v5.24.0
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409404 : Not Found
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409[...]
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409[Some information was truncated for brevity, enable debug logging for more details]
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource 'Firstname Lastname' does not exist or one of its queried reference-property objects are not present.

GET https://graph.microsoft.com/v1.0/users/Firstname%20Lastname
SdkVersion : graph-java/v5.24.0

404 : Not Found
[...]

Anything else?

No response

[thopiekar]

I didn't take a look at the logs, but I've got the issue that I can't list the users and groups assigned to the app in Azure. The only thing I noticed during my investigations is that a tutorial (January this year) recommends to assign the same API permissions on "Azure Active Directory Graph" and "Microsoft Graph". However, "Azure Active Directory Graph" is deprecated and it is unclear for me whether the current version of the Azure AD addon is still depending on it.

PS: The article I found: https://cloudinfrastructureservices.co.uk/jenkins-sso-azure-ad/

[thopiekar]

I'm getting the following error here. Not sure whether this is related to our problem here, too.

2022-06-14 12:28:33.396+0000 [id=3125]  SEVERE  c.m.graph.logger.DefaultLogger#logError: Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource 'images' does not exist or one of its queried reference-property objects are not present.

GET https://graph.microsoft.com/v1.0/users/images
SdkVersion : graph-java/v5.24.0

404 : Not Found
[...]

[Some information was truncated for brevity, enable debug logging for more details]

[timja]

Do not use Azure Active Directory Graph it was deprecated years ago and not needed

[timja]

There's a few related issues I think: https://github.com/jenkinsci/azure-ad-plugin/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+resourcenotfound

Is this actually causing an issue or just logging?

Could possibly try override the logging level and have it off by default

[samuelstadler]

Thanks for response, I have already checked the existing issues but they have problems with guest user and we have no guest users.

No it's not causing any issue it just spams our logs. Would be create if the is a way to disable this kind of logging. I found this issue. I don't know if their API is still the same but maybe it is possible to add a logger which can be configured via flags.

[timja]

Yeah that issue is the cause of this. A PR would definitely be welcomed but should be a way to enable them for debugging.

[thopiekar]

@timja : Ok, thank you for the clarification! The problem here is that I can't setup my permission matrix. Whatever, I click on the text field the "please wait" message is either stuck or when typing something in, it says instantly "Nothing found". It's the first time I set Jenkins up to use AAD and never worked closely together with AAD, therefore, no idea where to look for problems.

So what what I read above, my problem is not related to @x0randgat3 's one?

[timja]

That means that the initial call to /me on page load failed and yes it's a different issue.

[thopiekar]

Ok, my problem has been solved after re-enabling CSR(F!). I had to remove it in the past since QA had issues opening HTML reports. However, the problem seems too be gone and the addon works :+1:

[timja]

CSRF I guess? you shouldn't even be able to disable it on recent Jenkins but maybe there's still a system property

[thopiekar]

Yes. It was CSRF. Well, I did it via CLI options so it was enforced during the startup of the Jenkins instance.