Remove-MgBetaEntitlementManagementAccessPackageAssignment results in 404 error

[quentinmarois]

Describe the bug When attempting to use the Remove-MgBetaEntitlementManagementAccessPackageAssignment cmdlet with a valid AccessPackageAssignmentId, the azurewebsites API endpoint results in a 404 error.

To Reproduce Steps to reproduce the behavior:

Remove-MgBetaEntitlementManagementAccessPackageAssignment -AccessPackageAssignmentId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'

Debug Output

============================ HTTP REQUEST ============================

HTTP Method:
DELETE

Absolute Uri:
https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx

Headers:

Body:

============================ HTTP RESPONSE ============================

Status Code:
NotFound

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
client-request-id             : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"FR3PEPF0000016D"}}
Date                          : Thu, 14 Dec 2023 12:57:12 GMT

Body:
{
  "error": {
    "code": "",
    "message": "No HTTP resource was found that matches the request URI
'https://igaelm-asev3-ecapi-neu.igaelm-asev3-environment-neu.p.azurewebsites.net/api/v1/accessPackageAssignments('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx')'.",
    "innerError": {
      "date": "2023-12-14T12:57:12",
      "request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
      "client-request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
    }
  }
}

Module Version Microsoft.Graph.Beta.Identity.Governance version 2.11.1

[timayabi2020]

Hi @quentinmarois from the debug information this seems like a service issue. You can also confirm that this issue is not only specific to the Microsoft PowerShell SDK by making use of this tool https://developer.microsoft.com/en-us/graph/graph-explorer. by picking the request uri from the debug information and running it on the tool. For API related issues/questions we are not best placed to give an answer. Kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.

[quentinmarois]

So I did a bit more research on the issue, but I'm getting more confused. The API actually seems to behave as expected: In this page and this page of the documentation, it is mentioned that to delete an access package assignment, we need to create a new request with the corresponding type of the initial assignment request.

So for example, if the original assignment request was of requestType AdminAdd, we create a new request of type AdminRemove

So, it would make sense that the API return an error, because the DELETE method doesn't exist (although the error status code is a bit misleading as the endpoint does exist, but not the method. A 405 error would make more sense).

The thing that I'm having difficulty understanding now is that, if this is the intended process, wouldn't this mean that the Remove-MgBetaEntitlementManagementAccessPackageAssignement command should not exist in the first place ?

[o-l-a-v]

Thanks for the info @quentinmarois.

I got removal working with New-MgEntitlementManagementAssignmentRequest.

What's also not.. legit.. with Graph is that I successfully could create the remove request without any write permissions in the scope when I authenticated. I authenticated with:

do {$Disconnected = [bool](-not$(Try{$null = Disconnect-MgGraph 2>$null; $?}Catch{$false}))} until ($Disconnected)
Connect-MgGraph -UseDeviceCode -Scopes ('AuditLog.Read.All','EntitlementManagement.Read.All','User.Read.All') -NoWelcome -ContextScope 'Process'

And the delete request went through, no questions asked.

• Edit: This is by design apperently: https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/587

After that it takes some minutes before the request is "delivered", as in assignment is actually deleted. Then the assignment status is "expired".

[timayabi2020]

This issue is being tracked here https://github.com/microsoftgraph/msgraph-metadata/issues/677