Open slavizh opened 2 months ago
I had to look at our internals to understand the root cause here. A little on how Graph works: Microsoft Graph is an API gateway/proxy that forwards requests to a number of API services, somewhat similar to ARM and RPs. In some cases, an incoming request can be fanned out to multiple API services.
In this case, the API gateway has been configured to perform an "approval/interrupt" to the normal flow if the membershipRule property is present on any groups write operation, and to farm the request out to a different micro-service (different from the core Entra ID directory API service) that does some initial processing before the request goes to Entra ID directory services. Why does this matter (it's normally completely transparent)? Well, the micro-service here needs to be updated to support app-only on-behalf-of flows, to support automation.
For now, I'll add a Known Issues entry, but this is something that will need to be fixed so that automated deployments of groups with membershipRules can work.
Thanks! Most likely applies to membershipRuleProcessingState as well, as that is also for dynamic membership.
Bicep version: Bicep CLI version 0.27.1 (4b41cb6d4b)
Resource and API version: Microsoft.Graph/groups@v1.0
Auth flow: automated
Deployment details: Deployment starts and fails with:
Describe the bug: It seems certain properties cannot be set when you use the automated (application) auth flow.
To Reproduce: Just add a membershipRule: null property to a Microsoft.Graph/groups@v1.0 resource.
Additional context: Add any other context about the problem here. For example, what permissions does the identity have if it's a permission issue?
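A minimal Bicep file that sets up the situation the issue describes, as an added example that is not code from the issue or from the Bicep project; the `extension microsoftGraph` declaration, the group names and the membership rule are assumptions. Per the issue, deploying it with an application (app-only) identity fails because the request carries a membershipRule, while the same template is reported to work with a user (delegated) auth flow.

```bicep
// Added example (not from the issue): a dynamic security group declared with the
// Bicep Microsoft Graph extension. Extension name, names and rule are assumptions.
extension microsoftGraph

@description('Constructed dynamic-membership rule; any membershipRule value, even null, triggers the issue')
param membershipRule string = '(user.department -eq "Security")'

resource dynamicGroup 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: 'sec-dynamic-group'        // constructed value
  displayName: 'Security (dynamic)'       // constructed value
  mailNickname: 'sec-dynamic-group'
  mailEnabled: false
  securityEnabled: true
  groupTypes: ['DynamicMembership']
  // Presence of membershipRule routes the write through the approval micro-service,
  // which does not yet support app-only flows, so automated deployments fail here.
  membershipRule: membershipRule
  // Reported to be affected as well, since it also controls dynamic membership.
  membershipRuleProcessingState: 'On'
}

output groupId string = dynamicGroup.id
```

Until the micro-service supports app-only flows, a pipeline running under an application identity cannot deploy this resource; the Known Issues entry mentioned above is the place to track the fix.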