Objects owned by a user sometimes include an erroneous object of type #microsoft.graph.tokenLifetimePolicy on the MS Graph API

Alexander Körschgen 1 Reputation point
2022-02-25T08:14:20.803+00:00

For some users, the query

GET /users/{userPrincipalName}/ownedObjects

on the v1.0 API includes an object that looks like the following in the value property of the response:

    {
        "@odata.type": "#microsoft.graph.tokenLifetimePolicy",
        "id": "56d03fe2-b909-470b-b262-ff88d9227d66",
        "deletedDateTime": null,
        "definition": [
            "{\"AuthenticationPolicies\":{\"Version\":\"2014-05-15\",\"PoliciesEnabled\":false,\"ManagedApps\":[],\"AuthenticationMethodPolicy\":{\"Mode\":\"disabled\",\"RequiredUserAuthenticationMethod\":\"mfa\",\"IncludeConditions\":[{\"Groups\":[\"all_users\"]}]},\"DeviceStatePolicies\":[]},\"MdmPolicy\":[],\"SyncPolicy\":[],\"ClaimIssuancePolicy\":{\"Version\":1,\"DefaultTokenType\":\"SAML\",\"AllowPassThruUsers\":\"true\",\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\",\"SamlNameIdFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"givenname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"surname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"mail\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null}],\"ClaimsTransformations\":[],\"GroupFilter\":null,\"IssuerWithApplicationId\":false,\"AudienceOverride\":null}}"
        ],
        "displayName": "ClaimIssuancePolicy",
        "isOrganizationDefault": false
    }

This does not occur for the affected users when using

  • the beta API or
  • the user endpoint with an expand on ownedObjects (in beta or v1.0)

The /policies/tokenLifetimePolicies/{id} endpoint does not know of a tokenLifetimePolicy with the appropriate id (56d...). However, there is a directoryObject with this id of type #microsoft.graph.tokenIssuancePolicy (as per the directoryObjects endpoint). Both policy types do not appear to have owners at all though.

For these reasons, I believe that the owned objects should not include the mentioned tokenLifetimePolicy object, i.e., this is erroneous behavior of /users/{userPrincipalName}/ownedObjects for v1.0.

Note: This was originally submitted as https://github.com/microsoftgraph/microsoft-graph-docs/issues/15977
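The situation described in the question (an object of an unexpected @odata.type showing up in a user's ownedObjects, whose `definition` string actually carries claim-issuance settings) is the kind of thing an ownership audit should surface rather than silently skip. The script below is an added example and is not code from the poster or from Microsoft Graph: it parses a constructed ownedObjects response shaped like the one above, decodes the JSON strings in `definition`, summarizes the claim-issuance settings, and flags any owned object that is not an application, group or service principal. The group entry, its placeholder id, the trimmed policy definition, and the set of "expected" ownable types are all assumptions made for the example.

```python
import json
from typing import Any, Dict, List, Optional

# Object types a user can legitimately own via /users/{id}/ownedObjects
# (applications, groups, service principals). This set is an assumption of
# the example; anything outside it is worth flagging.
EXPECTED_OWNED_TYPES = {
    "#microsoft.graph.application",
    "#microsoft.graph.group",
    "#microsoft.graph.servicePrincipal",
}

# Constructed sample definition, shaped like the ClaimIssuancePolicy blob in
# the question but trimmed to two claims (not real tenant data).
_SAMPLE_DEFINITION = {
    "ClaimIssuancePolicy": {
        "Version": 1,
        "DefaultTokenType": "SAML",
        "AllowPassThruUsers": "true",
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {"SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "Source": "User", "ID": "userprincipalname"},
            {"SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "Source": "User", "ID": "mail"},
        ],
    }
}

# Constructed sample ownedObjects response: one group the user really owns
# (placeholder id) plus the stray policy object from the question.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "00000000-0000-0000-0000-000000000001",
         "displayName": "Project Team"},
        {"@odata.type": "#microsoft.graph.tokenLifetimePolicy",
         "id": "56d03fe2-b909-470b-b262-ff88d9227d66",
         "deletedDateTime": None,
         "definition": [json.dumps(_SAMPLE_DEFINITION)],
         "displayName": "ClaimIssuancePolicy",
         "isOrganizationDefault": False},
    ]
}


def parse_definition(obj: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Decode the `definition` property, which Graph returns as a list of JSON
    strings rather than nested objects. A malformed entry is recorded instead
    of raised so one bad policy does not abort an audit run."""
    decoded: List[Dict[str, Any]] = []
    for raw in obj.get("definition", []):
        try:
            decoded.append(json.loads(raw))
        except (TypeError, ValueError) as exc:
            decoded.append({"_parse_error": str(exc)})
    return decoded


def summarize_claim_policy(definition: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Pull out what a reviewer cares about in a ClaimIssuancePolicy block:
    the token type issued and which user attributes are emitted as claims."""
    cip = definition.get("ClaimIssuancePolicy")
    if not isinstance(cip, dict):
        return None
    return {
        "token_type": cip.get("DefaultTokenType"),
        "claims": [c.get("ID") for c in cip.get("ClaimsSchema", [])],
    }


def audit_owned_objects(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per owned object whose @odata.type is not an
    expected ownable type, with any decoded policy settings attached."""
    findings: List[Dict[str, Any]] = []
    for obj in response.get("value", []):
        otype = obj.get("@odata.type", "<missing>")
        if otype in EXPECTED_OWNED_TYPES:
            continue
        policies: List[Dict[str, Any]] = []
        for definition in parse_definition(obj):
            summary = summarize_claim_policy(definition)
            policies.append(summary if summary else definition)
        findings.append({
            "id": obj.get("id"),
            "odata_type": otype,
            "display_name": obj.get("displayName"),
            "policies": policies,
            # The mismatch the question points at: a tokenLifetimePolicy whose
            # definition actually carries claim-issuance settings.
            "definition_type_mismatch": (
                otype == "#microsoft.graph.tokenLifetimePolicy"
                and any("claims" in p for p in policies)
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_owned_objects(SAMPLE_RESPONSE):
        print(json.dumps(finding, indent=2))
```

Run against a real response by replacing `SAMPLE_RESPONSE` with the parsed body of the v1.0 call; each finding carries the object's id, so it can then be checked against `/directoryObjects/{id}` the way the question does.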


2 answers

  1. Alexander Körschgen 1 Reputation point
    2022-02-28T09:32:39.38+00:00

    Hello @Zehui Yao_MSFT , thank you for your response.

    I do not see any mention of an application id in the data, so I do not know which one to use for the first request you have mentioned.

    Concerning the second request, GET /policies/tokenLifetimePolicies/{id}/appliesTo gives a 404, and the same is true when just querying GET /policies/tokenLifetimePolicies/{id}.

    Further investigation gave me this

       GET /directoryObjects/56d03fe2-b909-470b-b262-ff88d9227d66

       {
           "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity",
           "@odata.type": "#microsoft.graph.tokenIssuancePolicy",
           "id": "56d03fe2-b909-470b-b262-ff88d9227d66",
           "deletedDateTime": null,
           "definition": [
               "{\"AuthenticationPolicies\":{\"Version\":\"2014-05-15\",\"PoliciesEnabled\":false,\"ManagedApps\":[],\"AuthenticationMethodPolicy\":{\"Mode\":\"disabled\",\"RequiredUserAuthenticationMethod\":\"mfa\",\"IncludeConditions\":[{\"Groups\":[\"all_users\"]}]},\"DeviceStatePolicies\":[]},\"MdmPolicy\":[],\"SyncPolicy\":[],\"ClaimIssuancePolicy\":{\"Version\":1,\"DefaultTokenType\":\"SAML\",\"AllowPassThruUsers\":\"true\",\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\",\"SamlNameIdFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"givenname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"surname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"mail\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null}],\"ClaimsTransformations\":[],\"GroupFilter\":null,\"IssuerWithApplicationId\":false,\"AudienceOverride\":null}}"
           ],
           "displayName": "ClaimIssuancePolicy",
           "isOrganizationDefault": false
       }


    so I also tried GET /policies/tokenIssuancePolicies/56d03fe2-b909-470b-b262-ff88d9227d66 and GET /policies/tokenIssuancePolicies/56d03fe2-b909-470b-b262-ff88d9227d66/appliesTo. Curiously, both gave me a 404 as well.


  2. Zehui Yao_MSFT 5,831 Reputation points
    2022-03-03T10:16:17.793+00:00

    Hello @Alexander Körschgen, based on the results we discussed, we recommend opening a support ticket for more help.
