Description Erik Damrose 2022-09-05 18:37:58 CEST

Apparently Azure can maintain groups automatically, for example "All users" for every user in the azure domain.

When deleting a user in UCS, the MS365 connector tries to remove the group membership of that user from Azure. But the Graph API forbids that, and the connector transaction fails with the following in the listener.log.

...
    new={}
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/listener/api_adapter.py", line 154, in _handler
    self._module_handler.remove(dn, old)
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 93, in remove
    self.connector.delete(udm_object=udm_user)
  File "/usr/lib/python2.7/dist-packages/univention/office365/connector/connector.py", line 538, in delete
    user_azure.deactivate(rename=True)
  File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/objects/azureobjects.py", line 414, in deactivate
    self._core.remove_group_member(group["id"], self.id)
  File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/core.py", line 561, in remove_group_member
    expected_status=[204]
  File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/exceptions/core_exceptions.py", line 272, in inner
    raise exception_class(e)
GraphPermissionError: Forbidden Error. Your application may not have the correct permissions for the Microsoft Graph API.

The connector already has code to catch errors at that point and ignore them, but it only catches MSGraphError and not GenericGraphError, which the permission error is a subclass of.

The user deletion is aborted at that point, is only half-done. For example, the user license is not removed from the Azure user object.