Univention Bugzilla – Bug 55172
[MS365] On user deletion, Connector tries to remove users from automatically maintained azure groups
Last modified: 2022-09-06 09:07:44 CEST
Apparently Azure can maintain groups automatically, for example "All users" for every user in the Azure domain. When deleting a user in UCS, the MS365 connector tries to remove the group membership of that user from Azure. But the Graph API forbids that, and the connector transaction fails with the following in the listener.log:

    ... new={}
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/univention/listener/api_adapter.py", line 154, in _handler
        self._module_handler.remove(dn, old)
      File "/usr/lib/univention-directory-listener/system/office365-user.py", line 93, in remove
        self.connector.delete(udm_object=udm_user)
      File "/usr/lib/python2.7/dist-packages/univention/office365/connector/connector.py", line 538, in delete
        user_azure.deactivate(rename=True)
      File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/objects/azureobjects.py", line 414, in deactivate
        self._core.remove_group_member(group["id"], self.id)
      File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/core.py", line 561, in remove_group_member
        expected_status=[204]
      File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/exceptions/core_exceptions.py", line 272, in inner
        raise exception_class(e)
    GraphPermissionError: Forbidden Error. Your application may not have the correct permissions for the Microsoft Graph API.

The connector already has code to catch errors at that point and ignore them, but it only catches MSGraphError and not GenericGraphError, which the permission error is a subclass of. The user deletion is aborted at that point and is only half-done. For example, the user license is not removed from the Azure user object.
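Added example, not the connector's code: a reduced model of the deactivation step that reproduces the failure mode described above. The exception classes mirror the names in the traceback, the Graph client is a constructed stand-in, and the group ids are made up; the only point is that catching the narrow MSGraphError lets GraphPermissionError (a GenericGraphError) abort the deletion before the license is removed, while catching GenericGraphError lets the deactivation run to completion.

```python
import logging


# Hypothetical hierarchy modelled on the class names in the traceback.
class GenericGraphError(Exception):
    pass


class MSGraphError(GenericGraphError):
    pass


class GraphPermissionError(GenericGraphError):
    pass


class FakeCore:
    """Constructed Graph client stand-in: membership of an automatically
    maintained group (e.g. "All users") cannot be changed and yields 403."""

    def __init__(self, auto_groups):
        self.auto_groups = set(auto_groups)
        self.removed = []              # (group_id, user_id) pairs actually removed
        self.license_removed = False

    def remove_group_member(self, group_id, user_id):
        if group_id in self.auto_groups:
            raise GraphPermissionError("Forbidden Error. Your application may not "
                                       "have the correct permissions for the Microsoft Graph API.")
        self.removed.append((group_id, user_id))

    def remove_licenses(self, user_id):
        self.license_removed = True


def deactivate(core, user_id, groups, catch_all_graph_errors):
    """Leave every Azure group, then drop the license.

    catch_all_graph_errors=False swallows only MSGraphError (the behaviour the
    bug describes); True swallows any GenericGraphError, logs it and continues,
    so a 403 on an auto-maintained group no longer aborts the deletion."""
    tolerated = GenericGraphError if catch_all_graph_errors else MSGraphError
    skipped = []
    for group in groups:
        try:
            core.remove_group_member(group["id"], user_id)
        except tolerated as exc:
            logging.warning("user %s stays in group %s: %s", user_id, group["id"], exc)
            skipped.append(group["id"])
    core.remove_licenses(user_id)
    return skipped


def simulate(catch_all_graph_errors):
    """Run a deletion against constructed data; report whether it completed."""
    core = FakeCore(auto_groups={"all-users"})
    groups = [{"id": "all-users"}, {"id": "sales"}]
    try:
        skipped = deactivate(core, "u1", groups, catch_all_graph_errors)
    except GenericGraphError as exc:
        return {"completed": False, "error": type(exc).__name__,
                "license_removed": core.license_removed, "removed": core.removed}
    return {"completed": True, "skipped": skipped,
            "license_removed": core.license_removed, "removed": core.removed}
```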
As an alternative, the connector could check only the groups in UCS, and not check the user's current Azure groups.