【Azure 环境】Update-MgEntitlementManagementAccessPackageAssignmentPolicy 命令执行时候遇见的 No HTTP Resource was found 问题分析

Microsoft Graph PowerShell SDK： acts as an API wrapper for the Microsoft Graph APIs, exposing the entire API set for use in PowerShell. It contains a set of cmdlets that helps you manage identities at scale from automating tasks to managing users in bulk using Azure Active Directory (Azure AD). It will help administer every Azure AD feature that has an API in Microsoft Graph.

The Microsoft Graph PowerShell SDK is the replacement for the Azure AD PowerShell module and is recommended for interacting with Azure AD.

Microsoft Graph PowerShell SDK：作为微软 Graph APIs 的SDK工具，通过PowerShell指令可以调用全部的Graph API。 它包含一组 cmdlets 指令集，可以非常好的使用自动任务来管理在AAD中的用户。 Microsoft Graph PowerShell SDK是以前Azure AD模块的替代产品，用于和Azure AD交互。

问题描述

由于 Microsoft Graph PowerShell 还处于 Beta版本，所以在使用中会遇见 Unknow Issue，比如在使用 Update-MgEntitlementManagementAccessPackageAssignmentPolicy 命令从 IdentityGovernance 中更新 accessPackageAssignmentPolicies时候，就遇见了如下错误：

Update-MgEntitlementManagementAccessPackageAssignmentPolicy_UpdateExpanded: C:\Users\setupGovernance-v2.ps1:15:33
Line |
15 |  …             Update-MgEntitlementManagementAccessPackageAssignmentPoli …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No HTTP resource was found that matches the request URI
     | 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('ee52b1d4-95f6-4532-9682-b94dc24783e3')?slice=PROD'.

所执行的Power Shell 脚本为：

$updatePolicy = Get-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id

if ($updatePolicy.requestorSettings.acceptRequests) {
    $requestorSettings = $updatePolicy.requestorSettings
    $requestorSettings.acceptRequests = $false
    Update-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $p.id `
        -RequestorSettings $requestorSettings
}

问题分析

在 Update-MgEntitlementManagementAccessPackageAssignmentPolicy 指令中使用 -debug 输出调试信息中，发现出错在执行 PATCH  https://microsoftgraph.chinacloudapi.cn/beta/xxx 时出现的404 Not Found错误。

DEBUG: PATCH https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
HTTP/1.1 404 Not Found
Date: Sat, 18 Sep 2021 07:38:34 GMT
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
client-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000034A"}}
Content-Type: application/json
Content-Encoding: gzip

{"error":{"code":"",

"message":"No HTTP resource was found that matches the request URI 'https://igaelm-ecapi-cne2.chinacloudsites.cn/api/v1/accessPackageAssignmentPolicies('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')?slice=PROD'.",

"innerError":{"date":"2021-09-18T07:38:35","request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","client-request-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}}}

DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: CmdletEndProcessing:

所以问题就定位在 PATCH 请求这里，通过对比REST API， 使用GET, PUT都是成功的。所以这里就是 SDK 中 Microsoft.Graph.Identity.Governance 部分的一个Bug。 使用错误的HTTP Method。但是在版本没有发布前，如何来解决这个问题呢？

1） 使用 REST API 来代替 PowerShell Command 发送 https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx请求

If send a put request https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx  by the postman tool, It returned 200 Success.

If send a patch request https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxx and it returned a 404 error code.

Source : https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

2） 使用 Invoke-MgGraphRequest 并指定 Method 为 PUT 来完成 https://microsoftgraph.chinacloudapi.cn/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 请求

详细代码为：

## 连接到 MgGraph

if ($AzureEnvironment -eq "Global") {

    Connect-MgGraph -TenantId $config.tenantId `

        -Scopes "EntitlementManagement.ReadWrite.All"

}

else {

    Connect-MgGraph -Environment "China" `

        -TenantId $config.tenantId  `

        -ClientId $config.spClientId `

        -Scopes "EntitlementManagement.ReadWrite.All" `

        -UseDeviceAuthentication

}

Select-MgProfile -Name "beta"

           

if ($AzureEnvironment -eq "Global") {

    $baseGraphUri = 'https://graph.microsoft.com'

}

else {

    $baseGraphUri = 'https://microsoftgraph.chinacloudapi.cn'

}

$apiVersion = "beta"

 

## 调用 Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy 更新Policy

$policyUri = (https://{0}/{1}/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{2} -f $baseGraphUri, $apiVersion, $p.id)

$currentPolicy = Invoke-MgGraphRequest -Method GET -Uri $policyUri -OutputType Json | ConvertFrom-Json -Depth 10

if ($currentPolicy.RequestorSettings.acceptRequests) {

    Write-Host "disable assignment policy" $p.id "with active assignments for" $accessPackage.displayName

    $newPolicy = $currentPolicy

    $newPolicy.RequestorSettings.acceptRequests = $false

    $updatedPolicy = $newPolicy | ConvertTo-Json -Depth 10

    Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $updatedPolicy

}

注意：如果在执行命令时候遇见了 “ generalException Message: Unexpected exception returned from MSAL.” 错误，则是认证问题，可以在调用 Invoke-MgGraphRequest 前，Connect-MgGraph  一次。

参考资料

Update-EMAccessPackagePolicy.ps1：  https://github.com/JefTek/AzureADSamples/blob/main/PowerShell/IdentityGovernance/Update-EMAccessPackagePolicy.ps1

Update accessPackageAssignmentPolicy：https://docs.microsoft.com/en-us/graph/api/accesspackageassignmentpolicy-update?view=graph-rest-beta&tabs=java

Overview of Microsoft Graph：https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-beta

Microsoft Graph PowerShell SDK: https://docs.microsoft.com/en-us/graph/powershell/installation?view=graph-rest-beta