Issue with Microsoft Graph API resetRedemption Endpoint Returning BadRequest Errors

Swadesh Kumar Sahoo 0 Reputation points
2024-10-15T10:14:14.35+00:00

We are working on a tenant migration for one of our external partners, where their domain will be moved to a new tenant. As part of this process, we need to reset the redemption status for several guest B2B users (2000+) in our tenant.

While manual redemption resets for guest users work without issue via the Azure portal, attempting to automate the process via the Microsoft Graph API using the resetRedemption endpoint consistently returns a BadRequest error, regardless of the user's state (e.g., Accepted or PendingAcceptance). This behavior occurs across multiple tenants and for different sets of guest users.

Details:

  • API Endpoint Used: https://graph.microsoft.com/v1.0/users/{userId}/resetRedemption
  • Permissions Granted:
    • User.ReadWrite.All
    • User.Invite.All
    • Directory.Read.All
  • Errors Encountered:
    • Status Code: BadRequest (400)
    • Error Message: "Response status code does not indicate success: BadRequest"

We have attempted the process with both delegated and application permissions, and the necessary Graph API scopes are assigned. However, the reset fails each time. The users in question have their ExternalUserState set to both Accepted and PendingAcceptance, but this does not seem to impact the error.

Reproduction Steps:

  1. Connect to Microsoft Graph using PowerShell with the required scopes (User.ReadWrite.All, User.Invite.All, etc.).
  2. Attempt to invoke the resetRedemption API for a guest user, such as:

     ```http
     POST https://graph.microsoft.com/v1.0/users/{userId}/resetRedemption
     ```

  3. The API call returns a BadRequest error, even though a manual reset for the same user works through the Azure portal.

Example Guest User:

  • UserPrincipalName: ******@domain.com
  • Tenant ID: 12345678-abcd-efgh-ijkl-3445567

We have tested this across two different tenants and encountered the same issue each time. We would appreciate any guidance on whether this is a limitation with the API, a tenant-specific configuration requirement, or an issue with the resetRedemption functionality.

Request: Could you help us identify the cause of this issue or provide any additional configuration steps necessary to make the resetRedemption API work? We would also like to confirm whether this functionality is fully supported for programmatic use in Microsoft Graph.

Microsoft Security | Microsoft Graph

3 answers

  1. Q&A Assist
    2024-10-15T10:14:14.36+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It seems you are encountering a BadRequest error when trying to use the resetRedemption endpoint of the Microsoft Graph API for guest users. This issue can arise from several factors:

    1. User State: The resetRedemption functionality is intended for users whose ExternalUserState is Accepted or PendingAcceptance. However, if there are any roles assigned to the user account, the redemption status cannot be reset, which may lead to a BadRequest error.
    2. API Permissions: Ensure that the permissions granted to your application are correctly set. You mentioned using User.ReadWrite.All, User.Invite.All, and Directory.Read.All, which should generally be sufficient. However, double-check that these permissions are granted and consented properly.
    3. Tenant Configuration: There might be specific configurations or restrictions in the tenant that could affect the API's functionality. It’s worth reviewing any tenant-specific settings that might impact guest user management.
    4. API Limitations: The Microsoft Graph API may have limitations or specific requirements that are not well-documented. If manual resets work through the Azure portal, this could indicate a potential issue with the API's handling of certain user states or configurations.
    5. Testing with Different Users: Since you have tested across multiple tenants and users, it might be helpful to isolate one user with a known state and attempt the reset again, ensuring that no roles are assigned to that user.

    If the issue persists, consider reaching out to Microsoft support for further assistance, as they may provide insights specific to your tenant or the API's current functionality.


  2. Anonymous
    2024-10-16T03:04:21.2866667+00:00

    Hello Swadesh Kumar Sahoo,

    Thank you for reaching out to Microsoft Support!

    For bulk redemption resets of external B2B users, you can use batch processing to combine multiple reset redemption requests.

    See the documentation for details:

    https://learn.microsoft.com/en-us/graph/json-batching

    https://learn.microsoft.com/en-us/entra/external-id/reset-redemption-status#use-powershell-or-microsoft-graph-api-to-reset-redemption-status

    Hope this helps.


  3. Swadesh Kumar Sahoo 0 Reputation points
    2024-10-16T17:12:04.3133333+00:00

    Created a PowerShell script for the bulk redemption reset of guest users in the Azure tenant.

    The guest users list for the domain is fetched and saved into a CSV file (BeforeReset).

    The script asks how many users you want to process in the first subset and proceeds only with that subset.

    After processing the subset, it prompts you to confirm if you want to proceed with the remaining users.

    Logs for success and errors are maintained for both subsets.

    The -SendInvitationMessage parameter has been removed to prevent sending the invitation emails.

    ```powershell
    # Import the required module and authenticate
    #Install-Module Microsoft.Graph -Force

    # Connect to Microsoft Graph
    Connect-MgGraph -TenantId "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -Scopes "User.ReadWrite.All"

    # Export the user list before the reset
    # (endsWith() is an advanced query, so ConsistencyLevel eventual and CountVariable are required)
    $guestUsers = Get-MgUser -Filter "userType eq 'Guest' and endsWith(mail, '@contoso.com')" -ConsistencyLevel eventual -CountVariable RecordCount -All

    # Export the list of guest users to a CSV file
    $exportPath = "C:\temp\GuestUsersBeforeReset.csv"
    $guestUsers | Select-Object DisplayName, Mail, UserPrincipalName, Id | Export-Csv -Path $exportPath -NoTypeInformation
    Write-Host "Exported guest user list to $exportPath. Total records: $RecordCount"

    # Ask how many users to process in the first subset
    # (the prompt text and the [int] cast are reconstructed; the posted line read "$subsetCount = int")
    $subsetCount = [int](Read-Host "How many users do you want to process in the first subset?")
    $subsetUsers = $guestUsers | Select-Object -First $subsetCount

    # Confirm before processing the subset
    $proceedSubset = Read-Host "Do you want to proceed with resetting redemption for the first $subsetCount users? (yes/no)"
    if ($proceedSubset -ne "yes") {
        Write-Host "Operation cancelled by user."
        exit
    }

    # Logs for success and errors
    $successLog = "C:\temp\ResetRedemptionSuccess.csv"
    $errorLog = "C:\temp\ResetRedemptionErrors.csv"

    # Reset redemption for the subset of users
    foreach ($user in $subsetUsers) {
        try {
            # -ErrorAction Stop turns the cmdlet's non-terminating error into one the catch block sees;
            # without it a failed reset would be logged as a success
            New-MgInvitation `
                -InvitedUserEmailAddress $user.Mail `
                -InviteRedirectUrl "https://myapps.microsoft.com" `
                -ResetRedemption `
                -InvitedUser $user `
                -ErrorAction Stop

            # Log success
            Add-Content -Path $successLog -Value "$($user.DisplayName),$($user.Mail),Success"
            Write-Host "Redemption reset successfully for: $($user.Mail)" -ForegroundColor Green
        } catch {
            # Log errors
            Add-Content -Path $errorLog -Value "$($user.DisplayName),$($user.Mail),Error: $_"
            Write-Host "Error resetting redemption for: $($user.Mail)" -ForegroundColor Red
        }
    }

    # Ask if the operator wants to proceed with the remaining users
    $remainingUsers = $guestUsers | Select-Object -Skip $subsetCount
    $remainingCount = $remainingUsers.Count
    $proceedAll = Read-Host "Do you want to proceed with resetting redemption for the remaining $remainingCount users? (yes/no)"
    if ($proceedAll -ne "yes") {
        Write-Host "Operation for remaining users cancelled by user."
        exit
    }

    # Reset redemption for the remaining users
    foreach ($user in $remainingUsers) {
        try {
            New-MgInvitation `
                -InvitedUserEmailAddress $user.Mail `
                -InviteRedirectUrl "https://myapps.microsoft.com" `
                -ResetRedemption `
                -InvitedUser $user `
                -ErrorAction Stop

            # Log success
            Add-Content -Path $successLog -Value "$($user.DisplayName),$($user.Mail),Success"
            Write-Host "Redemption reset successfully for: $($user.Mail)" -ForegroundColor Green
        } catch {
            # Log errors
            Add-Content -Path $errorLog -Value "$($user.DisplayName),$($user.Mail),Error: $_"
            Write-Host "Error resetting redemption for: $($user.Mail)" -ForegroundColor Red
        }
    }

    Write-Host "Redemption reset process completed. Success log: $successLog, Error log: $errorLog"

    # Export the user list after the reset
    $guestUsersAfterReset = Get-MgUser -Filter "userType eq 'Guest' and endsWith(mail, '@contoso.com')" -ConsistencyLevel eventual -CountVariable RecordCountAfter -All
    $exportAfterPath = "C:\temp\GuestUsersAfterReset.csv"
    $guestUsersAfterReset | Select-Object DisplayName, Mail, UserPrincipalName, Id | Export-Csv -Path $exportAfterPath -NoTypeInformation
    Write-Host "Exported guest user list after reset to $exportAfterPath. Total records: $RecordCountAfter"
    ```

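The JSON batching that answer 2 recommends, applied to the same guest-user set that the script in answer 3 processes one New-MgInvitation call at a time, as an added example that is not code from this thread. Each sub-request is the documented reset, a POST to /invitations with resetRedemption set to true (the request New-MgInvitation -ResetRedemption issues), sent twenty per $batch call, and every sub-request's own status is logged because the batch call itself succeeds even when individual resets fail. It assumes an existing Connect-MgGraph session with User.ReadWrite.All; the domain, redirect URL and log paths are placeholders.

```powershell
# Added example (not the thread's code): bulk reset via $batch; assumes Connect-MgGraph already ran.
$domain      = "contoso.com"                      # placeholder partner domain
$redirectUrl = "https://myapps.microsoft.com"     # where the guest lands after re-redeeming
$successLog  = "C:\temp\ResetRedemptionSuccess.csv"
$errorLog    = "C:\temp\ResetRedemptionErrors.csv"

# endsWith() is an advanced query: it needs ConsistencyLevel eventual plus $count (CountVariable)
$guestUsers = @(Get-MgUser -Filter "userType eq 'Guest' and endsWith(mail, '@$domain')" `
    -ConsistencyLevel eventual -CountVariable total -All)

$batchSize = 20   # Graph accepts at most 20 sub-requests per $batch call
for ($start = 0; $start -lt $guestUsers.Count; $start += $batchSize) {
    $end   = [Math]::Min($start + $batchSize, $guestUsers.Count) - 1
    $chunk = @($guestUsers[$start..$end])

    # One POST /invitations sub-request per user. resetRedemption=true is the documented
    # reset; sendInvitationMessage=false keeps the guests from receiving invitation mail.
    $requests = @()
    for ($i = 0; $i -lt $chunk.Count; $i++) {
        $requests += @{
            id      = "$i"
            method  = "POST"
            url     = "/invitations"
            headers = @{ "Content-Type" = "application/json" }
            body    = @{
                invitedUserEmailAddress = $chunk[$i].Mail
                inviteRedirectUrl       = $redirectUrl
                resetRedemption         = $true
                sendInvitationMessage   = $false
                invitedUser             = @{ id = $chunk[$i].Id }
            }
        }
    }
    $payload = ConvertTo-Json -InputObject @{ requests = $requests } -Depth 6
    $response = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/$batch' `
        -Body $payload -ContentType "application/json"

    # The batch returns 200 even when sub-requests fail, so check each one's own status:
    # 201 means the reset was accepted, 429 means throttled and that user should be retried.
    foreach ($r in $response.responses) {
        $u = $chunk[[int]$r.id]
        if ($r.status -ge 200 -and $r.status -lt 300) {
            Add-Content -Path $successLog -Value "$($u.DisplayName),$($u.Mail),Success"
        } else {
            $detail = $r.body.error.message
            Add-Content -Path $errorLog -Value "$($u.DisplayName),$($u.Mail),$($r.status),$detail"
            Write-Host "Reset failed for $($u.Mail): $($r.status) $detail" -ForegroundColor Red
        }
    }
}
```

Users logged with status 429 can be re-queued into a later batch once the Retry-After period has passed; the per-user status in the response is what makes that possible, which a single combined try/catch around the batch would not show.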
