Objects owned by user sometimes include an erroneous object of type #microsoft.graph.tokenLifetimePolicy on MS Graph API

Alexander Körschgen 1 Reputation point
2022-02-25T08:14:20.803+00:00

For some users, the query

GET /users/{userPrincipalName}/ownedObjects

on the v1.0 API includes an object that looks like the following in the value property of the response:

    {
        "@odata.type": "#microsoft.graph.tokenLifetimePolicy",
        "id": "56d03fe2-b909-470b-b262-ff88d9227d66",
        "deletedDateTime": null,
        "definition": [
            "{\"AuthenticationPolicies\":{\"Version\":\"2014-05-15\",\"PoliciesEnabled\":false,\"ManagedApps\":[],\"AuthenticationMethodPolicy\":{\"Mode\":\"disabled\",\"RequiredUserAuthenticationMethod\":\"mfa\",\"IncludeConditions\":[{\"Groups\":[\"all_users\"]}]},\"DeviceStatePolicies\":[]},\"MdmPolicy\":[],\"SyncPolicy\":[],\"ClaimIssuancePolicy\":{\"Version\":1,\"DefaultTokenType\":\"SAML\",\"AllowPassThruUsers\":\"true\",\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\",\"SamlNameIdFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"givenname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"surname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"mail\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null}],\"ClaimsTransformations\":[],\"GroupFilter\":null,\"IssuerWithApplicationId\":false,\"AudienceOverride\":null}}"
        ],
        "displayName": "ClaimIssuancePolicy",
        "isOrganizationDefault": false
    }

This does not occur for the affected users when using

  • the beta API or
  • the user endpoint with an expand on ownedObjects (in beta or v1.0)

The /policies/tokenLifetimePolicies/{id} endpoint does not know of a tokenLifetimePolicy with the appropriate id (56d...). However, there is a directoryObject with this id of type #microsoft.graph.tokenIssuancePolicy (as per the directoryObjects endpoint). Both policy types do not appear to have owners at all though.

For these reasons, I believe that the owned objects should not include the mentioned tokenLifetimePolicy object, i.e., this is erroneous behavior of /users/{userPrincipalName}/ownedObjects for v1.0.

Note: This was originally submitted as https://github.com/microsoftgraph/microsoft-graph-docs/issues/15977


2 answers

Sort by: Most helpful
  1. Alexander Körschgen 1 Reputation point
    2022-02-28T09:32:39.38+00:00

    Hello @Zehui Yao_MSFT, thank you for your response.

    I do not see any mention of an application id in the data, so I do not know which one to use for the first request you have mentioned.

    Concerning the second request, GET /policies/tokenLifetimePolicies/{id}/appliesTo gives a 404, and the same is true when just querying GET /policies/tokenLifetimePolicies/{id}.

    Further investigation gave me this

        GET /directoryObjects/56d03fe2-b909-470b-b262-ff88d9227d66

        {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity",
            "@odata.type": "#microsoft.graph.tokenIssuancePolicy",
            "id": "56d03fe2-b909-470b-b262-ff88d9227d66",
            "deletedDateTime": null,
            "definition": [
                "{\"AuthenticationPolicies\":{\"Version\":\"2014-05-15\",\"PoliciesEnabled\":false,\"ManagedApps\":[],\"AuthenticationMethodPolicy\":{\"Mode\":\"disabled\",\"RequiredUserAuthenticationMethod\":\"mfa\",\"IncludeConditions\":[{\"Groups\":[\"all_users\"]}]},\"DeviceStatePolicies\":[]},\"MdmPolicy\":[],\"SyncPolicy\":[],\"ClaimIssuancePolicy\":{\"Version\":1,\"DefaultTokenType\":\"SAML\",\"AllowPassThruUsers\":\"true\",\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\",\"SamlNameIdFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"givenname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"surname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"mail\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null},{\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\"Source\":\"User\",\"ExtensionID\":null,\"ID\":\"userprincipalname\",\"Value\":null,\"TransformationId\":null,\"AppliesToUserType\":null,\"MemberOf\":null}],\"ClaimsTransformations\":[],\"GroupFilter\":null,\"IssuerWithApplicationId\":false,\"AudienceOverride\":null}}"
            ],
            "displayName": "ClaimIssuancePolicy",
            "isOrganizationDefault": false
        }


    so I also tried

        GET /policies/tokenIssuancePolicies/56d03fe2-b909-470b-b262-ff88d9227d66
        GET /policies/tokenIssuancePolicies/56d03fe2-b909-470b-b262-ff88d9227d66/appliesTo

    Curiously, both gave me a 404 as well.
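The following is an added example, not code from this thread or from Microsoft. It is a small offline audit for the situation described in the question and in the reply above: it takes an ownedObjects response of the shape shown in the question, flags entries whose type is not a directory object type a user can own, decodes the JSON document that policy objects carry as a string inside their definition array, and cross-checks each suspect entry's type against what a /directoryObjects/{id} lookup reports, which is how the reply found the tokenLifetimePolicy/tokenIssuancePolicy disagreement. The sample response, the ids and the lookup function are constructed stand-ins for live Graph calls; the set of ownable types (application, group, servicePrincipal) is an assumption taken from the Graph documentation for user ownedObjects.

```python
from __future__ import annotations

import json
from typing import Callable, Optional

# Assumption (from the Graph docs for user ownedObjects): the directory object
# types a user can legitimately own. Anything else in the response is suspect.
OWNABLE_TYPES = {
    "#microsoft.graph.application",
    "#microsoft.graph.group",
    "#microsoft.graph.servicePrincipal",
}

SAML_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample in the shape of the v1.0 /users/{upn}/ownedObjects
# response from the thread. Ids are placeholders and the definition is cut down.
SAMPLE_OWNED_OBJECTS = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
        {
            "@odata.type": "#microsoft.graph.group",
            "id": "11111111-1111-1111-1111-111111111111",
            "displayName": "Example Group",
        },
        {
            "@odata.type": "#microsoft.graph.tokenLifetimePolicy",
            "id": "22222222-2222-2222-2222-222222222222",
            "deletedDateTime": None,
            # Graph carries the policy document as a JSON string inside a list.
            "definition": [json.dumps({
                "ClaimIssuancePolicy": {
                    "Version": 1,
                    "DefaultTokenType": "SAML",
                    "ClaimsSchema": [
                        {"SamlClaimType": SAML_NS + "nameidentifier", "Source": "User", "ID": "userprincipalname"},
                        {"SamlClaimType": SAML_NS + "emailaddress", "Source": "User", "ID": "mail"},
                    ],
                }
            })],
            "displayName": "ClaimIssuancePolicy",
            "isOrganizationDefault": False,
        },
    ],
}

# Constructed: what /directoryObjects/{id} reported for the same id.
SAMPLE_DIRECTORY_OBJECT = {
    "@odata.type": "#microsoft.graph.tokenIssuancePolicy",
    "id": "22222222-2222-2222-2222-222222222222",
}


def unexpected_owned_objects(response: dict) -> list[dict]:
    """Entries whose @odata.type is not a type a user can own."""
    return [e for e in response.get("value", []) if e.get("@odata.type") not in OWNABLE_TYPES]


def parse_policy_definition(entry: dict) -> dict:
    """Decode the JSON document a policy object carries in its definition array."""
    definition = entry.get("definition") or []
    if len(definition) != 1:
        raise ValueError(f"expected one definition string, got {len(definition)}")
    try:
        return json.loads(definition[0])
    except json.JSONDecodeError as exc:
        raise ValueError(f"definition is not valid JSON: {exc}") from exc


def issued_claim_ids(policy: dict) -> list[str]:
    """User attributes a ClaimIssuancePolicy maps into SAML claims."""
    schema = policy.get("ClaimIssuancePolicy", {}).get("ClaimsSchema", [])
    return [claim["ID"] for claim in schema if "ID" in claim]


def type_mismatch(entry: dict, directory_object: dict) -> Optional[str]:
    """Describe a disagreement between the type ownedObjects reports and the
    type /directoryObjects/{id} reports for the same id; None if they agree."""
    if entry.get("id") != directory_object.get("id"):
        raise ValueError("ids differ; nothing to compare")
    own_type = entry.get("@odata.type")
    dir_type = directory_object.get("@odata.type")
    if own_type != dir_type:
        return f"{entry['id']}: ownedObjects says {own_type}, directoryObjects says {dir_type}"
    return None


def audit(response: dict, lookup: Callable[[str], Optional[dict]]) -> list[dict]:
    """One finding per suspect entry. `lookup` stands in for a GET on
    /directoryObjects/{id} and returns None where Graph would answer 404."""
    findings = []
    for entry in unexpected_owned_objects(response):
        finding = {"id": entry["id"], "type": entry.get("@odata.type"),
                   "claims": [], "mismatch": None, "error": None}
        try:
            finding["claims"] = issued_claim_ids(parse_policy_definition(entry))
        except ValueError as exc:
            finding["error"] = str(exc)
        directory_object = lookup(entry["id"])
        if directory_object is not None:
            finding["mismatch"] = type_mismatch(entry, directory_object)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    lookup = lambda oid: SAMPLE_DIRECTORY_OBJECT if oid == SAMPLE_DIRECTORY_OBJECT["id"] else None
    for finding in audit(SAMPLE_OWNED_OBJECTS, lookup):
        print(finding)
```

Against live data, `lookup` would be a GET on /directoryObjects/{id} that maps a 404 to None; the audit is useful for ownership reviews precisely because a policy object listed as "owned" is not something a user can own, so the entry should be treated as a reporting artefact rather than as a grant of control over the tenant's token issuance settings.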


  2. Zehui Yao_MSFT 5,871 Reputation points
    2022-03-03T10:16:17.793+00:00

    Hello @Alexander Körschgen, based on the results we discussed, we recommend opening a support ticket for more help.

    (screenshot attachment, not reproduced)


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

