Inability to retrieve user accounts from EntraID through Webjob\FunctionApp -TrackingID#2406031420000580 #2569

Open
AGualandi opened this issue Jul 3, 2024 · 8 comments
Labels
Needs: Attention 👋 type:question An issue that's a question

Comments

@AGualandi

Good morning,

this ticket has been opened to report an issue about the Graph API graphServiceClient.Users.Request: this method, used to get all the enabled users (filter "accountEnabled eq true") in EntraID of the tenant, reports zero users found (see "First call graph - users found: 0" in attached log screenshot, webjob_log) most of the time.

The Graph API is in a function App method called by a scheduled webjob. Sometimes the method seems to work correctly, especially if it is executed manually.
The attached screenshot Graph_Code shows the Graph API call used (Graph v4.54).
I have also attached the permission assigned to the logic App (screenshot Permission).

The same code is already used for a similar application for another tenant without the issue.

I have also executed the same Graph method in the tenant through Graph Explorer (https://graph.microsoft.com/v1.0/users?$count=true&$filter=(accountEnabled eq true) ) with no issue.

We have already opened a ticket with Azure (TrackingID#2406031420000580) to analyze this issue and it was requested to open also a parallel ticket on GitHub.

Could you verify why the Graph method graphServiceClient.Users.Request could return zero users found without generating a more specific exception?

Regards,
Andrea

Attachment:
-Permission:
Permission

-Graph_Code:
Graph_Code

-webjob_log:
webjob_log

@AGualandi AGualandi added the status:waiting-for-triage An issue that is yet to be reviewed or assigned label Jul 3, 2024
@andrueastman
Member

Thanks for raising this @AGualandi

Using graph explorer ends up using delegated permissions while the permissions listed look to be application permissions. This difference may be the cause of the difference.

Any chance you can try

  • Sharing the request ids for the two requests with the support team to give information on why the results are different?
  • Make a request with Postman using a token with application permissions to confirm if no results are actually returned?

@andrueastman andrueastman added status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close type:question An issue that's a question and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned labels Jul 4, 2024
@AGualandi
Author

Hello,

the request IDs of the two requests on different tenants are:

Error: users found: 0 - requestId: 0b74c39c-ac77-4ebd-84f2-7faea5b25088
Working: users found: 900 - requestId: 79edd21a-eef0-483f-905c-57abd178b760

The code used to execute the Graph method is the same for both calls, but the call is made to two different tenants.

We are working to test the requests with Postman using app registration token and we will update the ticket as soon as I have done the tests.

Users found screenshot:
GraphCall_UsersFound
No user found screenshot:
GraphCall_NoUserFound

Regards,
Andrea

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close Status: No recent activity labels Jul 9, 2024
@AGualandi
Author

Hello,

I have tested with Postman using the app registration token and on the first call we received 0 results, as with the webjob method.

Response Body: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","@odata.nextLink":"https://graph.microsoft.com/v1.0/users?$count=true&$filter=(accountEnabled+eq+true)&$skiptoken=RFNwdAoAAQAAAAAAAAAAFAAAAFGX9rRPnPJJuXgMi20O9D8BAAAAAAAAAAAAAAAAAAAXMS4yLjg0MC4xMTM1NTYuMS40LjIzMzEGAAAAAAABR5BjgwLdcUOAIAIUCGJc6QEgAAAAAQEAAAA","value":[]}

Response header:
request-id: 03860d83-cc11-4e37-bfa9-52c379cb5a8a
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Italy North","Slice":"E","Ring":"3","ScaleUnit":"002","RoleInstance":"MI3PEPF000001C5"}}

The following executions of the same query (https://graph.microsoft.com/v1.0/users?$count=true&$filter=(accountEnabled eq true) ) reported the users correctly (requestId 0f2c74f5-0f82-46f8-8e9b-0c4bb3623b7d ).

I have also tried the @odata.nextLink reported in the empty response above and the users were found (requestId 2cb3a6d0-5f9c-4d50-a206-227805b35630 ).

Is it correct to have the @odata.nextLink field always populated if no result is found in the query?
Why were no users found in the first call, while users are found with the nextLink URL?

It seems there is some issue only on the first call done on the graph method while, only after the first call, the results are found: could you check why?

Regards,
Andrea
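
The behaviour reported in the comment above (an empty `value` array alongside a populated `@odata.nextLink`), as an added example that is not part of the original thread or of the SDK: a paging loop at the HTTP/JSON level that keeps following `@odata.nextLink` through empty pages instead of trusting the first page's count. The `fetch_constructed` stub, the URLs, the skiptoken placeholders and the user records are constructed for illustration.

```python
import json

# Constructed pages keyed by URL, shaped like the responses quoted in this
# thread: an empty first page that still carries @odata.nextLink, then data.
# Skiptokens and user records are placeholders, not values from any tenant.
FIRST_URL = ("https://graph.microsoft.com/v1.0/users"
             "?$count=true&$filter=(accountEnabled eq true)")
PAGE2_URL = FIRST_URL + "&$skiptoken=PLACEHOLDER-1"
PAGE3_URL = FIRST_URL + "&$skiptoken=PLACEHOLDER-2"
CONSTRUCTED_PAGES = {
    FIRST_URL: {"@odata.nextLink": PAGE2_URL, "value": []},
    PAGE2_URL: {"@odata.nextLink": PAGE3_URL,
                "value": [{"id": "u1"}, {"id": "u2"}]},
    PAGE3_URL: {"value": [{"id": "u3"}]},
}


def fetch_constructed(url):
    """Stand-in for an authenticated GET; returns the parsed JSON body."""
    return json.loads(json.dumps(CONSTRUCTED_PAGES[url]))


def first_page_only(fetch, url):
    """What a 'First call graph - users found: N' log line measures."""
    return fetch(url).get("value", [])


def all_users(fetch, url, max_pages=1000):
    """Follow @odata.nextLink until it is absent; an empty page is not the end."""
    users, seen = [], set()
    for _ in range(max_pages):
        if url in seen:
            raise RuntimeError("nextLink loop: " + url)
        seen.add(url)
        body = fetch(url)
        users.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
        if not url:
            return users  # only now is the enumeration complete
    raise RuntimeError("page limit reached before the last page")


if __name__ == "__main__":
    print("first page only:", len(first_page_only(fetch_constructed, FIRST_URL)))
    print("full enumeration:", len(all_users(fetch_constructed, FIRST_URL)))
```

A job that acts on the user list (for example a sync or deprovisioning step) should take its input from the full enumeration and treat a raised error as "result unknown", not as "zero users".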

@andrueastman
Member

Thanks for the extra information here @AGualandi

Just to confirm, have you passed over this info (request id and example responses) to the support ticket on Azure?

As this is clearly an issue/question with the API, we'd suggest ensuring this info is passed over to the support ticket to get clarifications on this. As this repo is mainly intended for SDK related issues, we are not in the best place to help out with questions on API behavior.

@andrueastman andrueastman added status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed Needs: Attention 👋 labels Jul 10, 2024
@AGualandi
Author

Hello,

I have reported the same information to the thread related to the ticket to Azure ( TrackingID#2406031420000580).

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close Status: No recent activity labels Jul 15, 2024
@AGualandi
Author

Hello,

I have made some other tests and I have found a strange behavior which seems related to the Top query command.
In one of our tests I have found this in the log:

[07/15/2024 19:46:24 > 77e36b: INFO] First call graph - users found: 900 - requestId: 143bbf52-9f87-48f1-886b-10caabaade8d - Next link found: false

So the users have been found but the next link field was not populated ("Next link found: " + (usersClient.NextPageRequest != null ? "true" : "false")).

I have modified the code previously attached to remove the .Top(900) configuration, and in the tests done yesterday evening the webjobs executed correctly, whether run manually or on schedule.
The drawback is that the number of Graph queries is nine times greater.

Could you check if Top command could be the cause of this ticket issue?

Regards,
Andrea

@andrueastman
Member

> Could you check if Top command could be the cause of this ticket issue?

Following up on this, @AGualandi. Please make sure this info is added to the support ticket so that the API owners can confirm this for you.

@andrueastman andrueastman added status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed Needs: Attention 👋 labels Aug 5, 2024
@AGualandi
Author

Hello,
I have already reported the same information in the ticket TrackingID#2406031420000580 mail thread, sent on 16/7. We are still waiting for feedback regarding the requested information.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Aug 5, 2024