Microsoft Security | Microsoft Graph
An API that connects multiple Microsoft services, enabling data access and automation across platforms
POST accessPackageAssignmentRequests fails using target.email when user's sign-in is blocked
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 61%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
Cory Grimster
11
Reputation points
Creating a new Access Package Assignment Request using target.email fails for Guests where Sign-in blocked = Yes.
Example 5: Admin requests a direct assignment for a user not yet in the directory shows us how to create an Access Package Assignment Request for a Guest that is not yet in our tenant:
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
Content-type: application/json
{
"requestType": "AdminAdd",
"accessPackageAssignment":{
"target": {
"email": "******@contoso.com"
},
"assignmentPolicyId":"2264bf65-76ba-417b-a27d-54d291f0cbc8",
"accessPackageId":"a914b616-e04e-476b-aa37-91038f0b165b"
}
}
This fails when user@Company portal .com is already in our tenant and their Sign-in is blocked:
BadRequest: "The invited user already exists in the directory as object ID: {GUID}, but the account is blocked from signing in. If the account is unblocked, they can use that account to sign in to shared apps and resources."
If their Sign-in is not blocked then it succeeds. Making the call with targetId ALSO succeeds:
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
Content-type: application/json
{
"requestType": "AdminAdd",
"accessPackageAssignment":{
"targetId":"46184453-e63b-4f20-86c2-c557ed5d5df9",
"assignmentPolicyId":"2264bf65-76ba-417b-a27d-54d291f0cbc8",
"accessPackageId":"a914b616-e04e-476b-aa37-91038f0b165b"
}
}
My organization allows B2B partners to onboard their staff to our applications using this API call. It's not reasonable for us to give them read access to our users just so they can check for this case (an existing Guest with Blocked Sign-in). We need them to be able to request assignments for their users by e-mail address regardless of whether or not the Guest already exists in our directory (that's how the API is currently implemented) and regardless of whether or not that existing Guest is blocked.
It looks like there's some extra validation on the call that is checking for blocked sign-ins when target.email is used to identity the Guest, but that validation is not present when targetId is used instead. We'd like these to work the same way (ignore blocked Sign-ins).
From a reasonableness perspective, failing when Sign-in is blocked doesn't make sense: it's not a blocker for entitlements (placing a user into a Group, etc.) and it can happen without warning to any Guest in any tenant based only on Risky Sign-in policies.
Microsoft Security | Microsoft Graph
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 96%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
Benoit Lambert 6 Reputation points2022-05-25T17:20:33.05+00:00 I work for one of Cory's B2B partners and we would appreciate if the "Sign-in blocked" check is removed.
As Cory stated, it doesn't make sense to block a new Access Package Assignment Request with the email as the target if it's not blocked when using the "targetId".
Sign in to comment
Sign in to answer