EntitlementGrant being updated or deleted is not found

[jeromekol]

We have an AAD Application with several app roles and we assign those roles to users. A couple days ago, we started to receive errors on the Graph API when we try to delete certain assignments. The error looks like this:

"error": {
"code": "Request_BadRequest",
"message": "EntitlementGrant being updated or deleted is not found.",
"innerError": {
  "date": "2021-04-16T11:33:23",
  "request-id": "someguid",
  "client-request-id": "someguid"
}

} This error only happens on certain assignments and not for all. Also, we are able to delete them through the AAD UI. We are using the REST endpoint to delete the app role assignments and not the SDK.

What we have done so far:

Changed from deprecated Azure AD Graph API to Microsoft Graph API

Changed from endpoint users/{id}/appRoleAssignments/{id} to servicePrincipals/{id}/appRoleAssignedTo/{id}

Issue is reproducible on 2 different Tenants / AADs (free tier)

Tested also with SDK, same issue

Running the code locally works, but deployed on Azure throws the above mentioned exception. Using the same Service Principal locally and on Cloud to do the removal.

Using AzureAd.Standard.Preview Powershell module also works (with another Service Principal) AB#9044

[jeromekol]

in case its important for tracing, we have opened an official support request with MSFT to get this investigated.

[patrick-ptml]

Also getting this error via PowerShell. Happy to provide Reqest ID's if required

[Starfox64]

Can confirm, this also affects the AAD Enterprise Applications Dashboard.

[jeromekol]

Can confirm, this also affects the AAD Enterprise Applications Dashboard.

tried the same and we got the exception there as well

[cmjoneslutron]

We're also seeing the same issue.

[cmjoneslutron]

Also for what it's worth, I can't make the chance using the Azure portal either.

Edit: We've separately reported the issue to Azure support

[knlambert]

Same issue on my side since yesterday using the Graph API :(

[ilirianluta]

I can also confirm that I'm getting the same error in at least three different approaches:

1. Removing a user from the Enterprise Application assignment
2. Accessing the application assignment from the user's AzureAD profile
3. Powershell via Remove-AzureADUserAppRoleAssignment -ObjectId $objectID -AppRoleAssignmentId $assignmentID

Error in PowerShell:

Remove-AzureADUserAppRoleAssignment : Error occurred while executing RemoveUserAppRoleAssignment
Code: Request_BadRequest
Message: EntitlementGrant being updated or deleted is not found.
RequestId: {GUID-HIDDEN}
DateTimeStamp: Tue, 20 Apr 2021 17:10:47 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Remove-AzureADUserAppRoleAssignment -ObjectId $objectID -AppRoleAssig ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-AzureADUserAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveU
   serAppRoleAssignment

JSON from GUI:

{
    "errorCode": "Request_BadRequest",
    "localizedErrorDetails": {
        "errorDetail": "EntitlementGrant being updated or deleted is not found."
    },
    "operationResults": null,
    "timeStampUtc": "2021-04-20T17:12:24.8768199Z",
    "clientRequestId": "{GUID-HIDDEN}",
    "internalTransactionId": "{GUID-HIDDEN}",
    "tenantId": "{GUID-HIDDEN}",
    "userObjectId": "{GUID-HIDDEN}",
    "exceptionType": "AADGraphException"
}

[jibinpb]

Microsoft support team confirmed it as a backend issue and their product team is fixing it.

[Eric2XU]

Having same issue, cant remove those accounts in the Azure Portal UI ether.

[gmantri]

I am having the same issue. Posted a question on Stack Overflow for the same - https://stackoverflow.com/questions/67182043/unable-to-remove-app-role-assignments-using-graph-api-getting-entitlementgrant.

Based on the answer provided, I deleted the enterprise application and recreated it yesterday. I added app role assignment and was able to delete them successfully.

However this morning when I tried to delete the app role assignment, I got the same error. Only thing I could think of is that I got an access token (still valid) for the user against my application. I will try it again after an hour when my access token expires to see if that makes any difference.

[jeroenwo]

I tried it 10 minutes ago and it worked (for me). Seems the issue is fixed.

Remove-AzureADUserAppRoleAssignment -ObjectId "[guid]" -AppRoleAssignmentId "[string]"

[jeromekol]

@jeroenwo was that an assignment that did not work previously? I still have the same issue on my testing tenant

[gmantri]

@jeromekol ... same here. I created an app role assignment yesterday. Just tried to delete it through Azure Portal. Same error. I am wondering if anybody from the product team is on this thread. It would be nice if they can provide a status update.

[jeroenwo]

@jeromekol Yes, yesterday the provided PowerShell command failed with the same message as the issue title. This morning it worked. Also checked the app role assignments using Get-AzureADUserAppRoleAssignment -ObjectId "[guid]" and confirmed that they were deleted.

[ilirianluta]

@jeromekol Yes, yesterday the provided PowerShell command failed with the same message as the issue title. This morning it worked. Also checked the app role assignments using Get-AzureADUserAppRoleAssignment -ObjectId "[guid]" and confirmed that they were deleted.

It worked for me on GUI. They probably managed to fix this even for SDKs.

[jeromekol]

okay, works on my end as well. Still get some intermittent errors when I try to remove in a quick manner but retrying does the job.

[gmantri]

okay, works on my end as well. Still get some intermittent errors when I try to remove in a quick manner but retrying does the job.

Still no luck for me unfortunately. I will keep on trying.

[Starfox64]

It is working for me through the AAD Admin Portal now.

[jibinpb]

Yes issue is resolved, delete operation started working from both portal & graph api.

[gmantri]

Working for me as well. Just tried deleting an app role assignment from portal and it worked.

[AndrewStrickland]

This is not working for me yet. My tenant is in the AzureUSGov environment, for what its worth.

[petrhollayms]

Thank you for reporting this issue. This appears to be an issue or limitation with the service APIs. Unfortunately, as the Microsoft Graph SDK team, we do not have ownership of the APIs that are causing you issues. We invite you to create a question about the service API to Microsoft Q&A and tagged with one of the [microsoft-graph-*] tags, that way it will get routed to the appropriate team for them to triage:

https://aka.ms/msgraphsupport or directly https://aka.ms/askgraph

For now, we will close the issue on our side but feel free to open it in the relevant repository if you think the issue is specific to SDK. Please let us know if this helps!

Note: We will close this repository on April 19, 2024.