microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License

Deployment fails when property membershipRule is added #117

Open slavizh opened 2 months ago

slavizh commented 2 months ago

Bicep version Bicep CLI version 0.27.1 (4b41cb6d4b)

Resource and API version Which Microsoft.Graph resource and API version has the issue? Microsoft.Graph/groups@v1.0

Auth flow automated

Deployment details Deployment starts and fails with:

{"error":{"code":"BadRequest","target":"/resources/entraGroupRes","message":"AppOnly OBO tokens not supported by target service. Graph client request id: 624c90dc-600f-452a-a21a-4df1a7d2d672. Graph request timestamp: Thu, 23 May 2024 11:54:52 GMT."}} (Code:DeploymentOperationFailed)  Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed)  - {"error":{"code":"BadRequest","target":"/resources/entraGroupRes","message":"AppOnly OBO tokens not supported by target service. Graph client request id: 624c90dc-600f-452a-a21a-4df1a7d2d672. Graph request timestamp: Thu, 23 May 2024 11:54:52 GMT."}} (Code:)   Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed)  - {"error":{"code":"BadRequest","target":"/resources/entraGroupRes","message":"AppOnly OBO tokens not supported by target service. Graph client request id: 2067aa5d-d196-4bdb-9fc7-db7cdfb0e11a. Graph request timestamp: Thu, 23 May 2024 11:54:52 GMT."}} (Code:)   CorrelationId: 6688fdc1-313c-47ee-9582-f0f76ddd7a00

Describe the bug It seems certain properties cannot be set when you use automated (application) auth flow.

To Reproduce Just add membershipRule: null property to Microsoft.Graph/groups@v1.0 resource.

Additional context Add any other context about the problem here. For example, what permissions does the identity have if it's a permission issue?

dkershaw10 commented 2 months ago

I had to look at our internals to understand the root cause here. A little on how Graph works: Microsoft Graph is an API gateway/proxy that forwards requests to a number of API services, somewhat similar to ARM and RPs. In some cases, an incoming request can be fanned out to multiple API services.

In this case, the API gateway has been configured to perform an "approval/interrupt" to the normal flow if the membershipRule property is present on any groups write operation, and to farm the request out to a different micro-service (different from the core Entra ID directory API service) that does some initial processing before the request goes to Entra ID directory services. Why does this matter (it's normally completely transparent)? Well, the micro-service here needs to be updated to support app-only on-behalf-of flows, to support automation.

For now, I'll add a Known Issues entry, but this is something that will need to be fixed, so that automated deployments of groups with membershipRules can work.

slavizh commented 1 month ago

Thanks! Most likely applies to membershipRuleProcessingState as well, as that is also for dynamic membership.
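To make the reproduction in the opening report and the follow-up about membershipRuleProcessingState concrete, here is an added example template. It is not code from the msgraph-bicep-types repo or from either commenter. It assumes the Microsoft Graph Bicep extension is enabled in bicepconfig.json and declared with the `provider` keyword used by Bicep releases of the 0.27 era (newer releases use `extension`); the uniqueName, displayName, mailNickname values and the membership rule are constructed for the example, while the property names come from the Microsoft.Graph/groups@v1.0 resource discussed in the thread.

```bicep
// Added example, not from the msgraph-bicep-types repository.
// Assumption: the Graph extension is enabled and declared as below; the keyword
// ('provider' here, 'extension' in later Bicep versions) depends on the CLI version.
provider microsoftGraph

// Baseline: assigned membership, no membershipRule. Per the issue this
// deploys fine under the automated (app-only) auth flow.
resource assignedGroup 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: 'sec-assigned-example'          // constructed value
  displayName: 'Security group (assigned membership)'
  mailEnabled: false
  mailNickname: 'sec-assigned-example'        // constructed value
  securityEnabled: true
}

// Dynamic membership: the presence of membershipRule (even membershipRule: null,
// as in the original report) diverts the write through the interrupt that
// dkershaw10 describes. Under app-only auth the deployment operation then fails
// with BadRequest "AppOnly OBO tokens not supported by target service",
// reported against target /resources/<symbolic name> (here /resources/dynamicGroup).
resource dynamicGroup 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: 'sec-dynamic-example'           // constructed value
  displayName: 'Security group (dynamic membership)'
  mailEnabled: false
  mailNickname: 'sec-dynamic-example'         // constructed value
  securityEnabled: true
  groupTypes: [
    'DynamicMembership'
  ]
  membershipRule: '(user.department -eq "Security Operations")'  // constructed rule
  membershipRuleProcessingState: 'On'   // expected to take the same path (slavizh's last comment)
}

output assignedGroupId string = assignedGroup.id
output dynamicGroupId string = dynamicGroup.id
```

When triaging a failed deployment of a template like this, the deployment operation for the dynamic group (`az deployment operation group list`, as the https://aka.ms/arm-deployment-operations link in the error suggests) is where the Graph client request id and correlation id from the BadRequest payload appear; those ids are what distinguishes this known issue from a permissions problem on the deploying identity.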