Graph service throws Request_ResourceNotFound exception

[samuelstadler]

Jenkins and plugins versions report

Environment

Jenkins: 2.332.3
OS: Linux - 5.11.0-43-generic
---
ace-editor:1.1
active-directory:2.25.1
analysis-model-api:10.10.1
ansicolor:1.0.1
ant:475.vf34069fef73c
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.16.2
authentication-tokens:1.4
authorize-project:1.4.0
azure-ad:218.v90f6a_980b_a_61
azure-sdk:106.v552de1e64d56
basic-branch-build-strategies:1.3.2
bitbucket:223.vd12f2bca5430
blueocean:1.25.5
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.5
blueocean-commons:1.25.5
blueocean-config:1.25.5
blueocean-core-js:1.25.5
blueocean-dashboard:1.25.5
blueocean-display-url:2.4.1
blueocean-events:1.25.5
blueocean-git-pipeline:1.25.5
blueocean-github-pipeline:1.25.5
blueocean-i18n:1.25.5
blueocean-jwt:1.25.5
blueocean-personalization:1.25.5
blueocean-pipeline-api-impl:1.25.5
blueocean-pipeline-editor:1.25.5
blueocean-pipeline-scm-api:1.25.5
blueocean-rest:1.25.5
blueocean-rest-impl:1.25.5
blueocean-web:1.25.5
bootstrap5-api:5.1.3-7
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
build-timestamp:1.0.3
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.4
cloudbees-bitbucket-branch-source:773.v4b_9b_005b_562b_
cloudbees-folder:6.729.v2b_9d1a_74d673
command-launcher:84.v4a_97f2027398
config-file-provider:3.10.0
configuration-as-code:1429.v09b_044a_c93de
credentials:1087.1089.v2f1b_9a_b_040e4
credentials-binding:523.vd859a_4b_122e6
data-tables-api:1.11.4-4
delivery-pipeline-plugin:1.4.2
deployit-plugin:22.0.2
display-url-api:2.3.6
docker-commons:1.19
docker-workflow:1.28
dtkit-api:3.0.1
durable-task:496.va67c6f9eefa7
echarts-api:5.3.2-3
email-ext:2.88
favorite:2.4.1
font-awesome-api:6.1.1-1
forensics-api:1.15.1
git:4.11.3
git-client:3.11.0
github:1.34.3
github-api:1.303-400.v35c2d8258028
github-branch-source:1637.vd833b_7ca_7654
gradle:1.39.1
greenballs:1.15.1
groovy:2.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
hashicorp-vault-plugin:336.v182c0fbaaeb7
htmlpublisher:1.30
http_request:1.15
ivy:2.2
jackson2-api:2.13.3-285.vc03c0256d517
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.5
jenkins-design-language:1.25.5
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.79
jquery:1.12.4-1
jquery3-api:3.6.0-4
jsch:0.1.55.2
junit:1119.va_a_5e9068da_d7
kubernetes:3636.v84b_a_1dea_6240
kubernetes-client-api:5.12.2-193.v26a_6078f65a_9
kubernetes-credentials:0.9.0
mailer:414.vcc4c33714601
matrix-auth:3.1.2
matrix-project:771.v574584b_39e60
maven-plugin:3.19
mercurial:2.16.2
metrics:4.1.6.2
momentjs:1.1.1
okhttp-api:4.9.3-105.vb96869f8ac3a
opentelemetry:0.21
parameterized-trigger:2.44
pipeline-build-step:2.18
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:593.va_a_fc25d520e9
pipeline-input-step:448.v37cea_9a_10a_70
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2086.v12b_420f036e5
pipeline-model-definition:2.2086.v12b_420f036e5
pipeline-model-extensions:2.2086.v12b_420f036e5
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:2.2086.v12b_420f036e5
pipeline-stage-view:2.24
pipeline-utility-steps:2.12.2
plain-credentials:1.8
plugin-util-api:2.17.0
popper2-api:2.11.5-2
prism-api:1.28.0-2
pubsub-light:1.16
resource-disposer:0.19
schedule-build:301.vfdc555a_b_cf81
scm-api:608.vfa_f971c5a_a_e9
script-security:1175.v4b_d517d6db_f0
skip-notifications-trait:1.0.5
snakeyaml-api:1.30.1
sse-gateway:1.25
ssh-credentials:277.v95c2fec1c047
ssh-slaves:1.814.vc82988f54b_10
sshd:3.0.3
startup-trigger-plugin:2.9.3
statistics-gatherer:2.0.3
structs:318.va_f3ccb_729b_71
timestamper:1.17
token-macro:293.v283932a_0a_b_49
trilead-api:1.57.v6e90e07157e1
variant:1.4
warnings-ng:9.12.0
workflow-aggregator:581.v0c46fa_697ffd
workflow-api:1164.v760c223ddb_32
workflow-basic-steps:948.v2c72a_091b_b_68
workflow-cps:2725.v7b_c717eb_12ce
workflow-durable-task-step:1146.v1a_d2e603f929
workflow-job:1186.v8def1a_5f3944
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:625.vd896b_f445a_f8
workflow-support:820.vd1a_6cc65ef33
ws-cleanup:0.42
xunit:3.0.8

What Operating System are you using (both controller, and any agents involved in the problem)?

Docker image jenkins/jenkins:lts - Linux amd64 5.11.0-43-generic

Reproduction steps

1. Install Azure AD Plugin
2. Configured Azure Active Directory
3. Setup Azure AD permissions
   
4. Add group to the Azure Active Directory Matrix-based security

Expected Results

No error logging.

Actual Results

The authorization works but it creates error logs:

Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409Graph service exception Error code: Request_ResourceNotFound
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409Error message: Resource 'Firstname Lastname' does not exist or one of its queried reference-property objects are not present.
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409GET https://graph.microsoft.com/v1.0/users/Firstname%20Lastname
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409SdkVersion : graph-java/v5.24.0
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409404 : Not Found
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409[...]
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
CoreHttpProvider[sendRequestInternal] - 409[Some information was truncated for brevity, enable debug logging for more details]
Jun 14, 2022 10:08:07 AM SEVERE com.microsoft.graph.logger.DefaultLogger logError
Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource 'Firstname Lastname' does not exist or one of its queried reference-property objects are not present.

GET https://graph.microsoft.com/v1.0/users/Firstname%20Lastname
SdkVersion : graph-java/v5.24.0


404 : Not Found
[...]

Anything else?

No response

[thopiekar]

I didn't take a look at the logs, but I've got the issue that I can't list the users and groups assigned to the app in Azure.
The only thing I noticed during my investigations is that a tutorial (January this year) recommends to assign the same API permissions on "Azure Active Directory Graph" and "Microsoft Graph".
However, "Azure Active Directory Graph" is deprecated and it is unclear for me whether the current version of the Azure AD addon is still depending on it.

PS: The article I found: https://cloudinfrastructureservices.co.uk/jenkins-sso-azure-ad/

[thopiekar]

I'm getting the following error here. Not sure whether this is related to our problem here, too.

2022-06-14 12:28:33.396+0000 [id=3125]	SEVERE	c.m.graph.logger.DefaultLogger#logError: Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource 'images' does not exist or one of its queried reference-property objects are not present.

GET https://graph.microsoft.com/v1.0/users/images
SdkVersion : graph-java/v5.24.0


404 : Not Found
[...]

[Some information was truncated for brevity, enable debug logging for more details]

[timja]

Do not use Azure Active Directory Graph it was deprecated years ago and not needed

[timja]

There's a few related issues I think:
https://github.com/jenkinsci/azure-ad-plugin/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+resourcenotfound

Is this actually causing an issue or just logging?

Could possibly try override the logging level and have it off by default

[samuelstadler]

Thanks for response, I have already checked the existing issues but they have problems with guest user and we have no guest users.

No it's not causing any issue it just spams our logs. Would be create if the is a way to disable this kind of logging. I found this issue. I don't know if their API is still the same but maybe it is possible to add a logger which can be configured via flags.

[timja]

Yeah that issue is the cause of this. A PR would definitely be welcomed but should be a way to enable them for debugging.

[thopiekar]

@timja : Ok, thank you for the clarification! The problem here is that I can't setup my permission matrix. Whatever, I click on the text field the "please wait" message is either stuck or when typing something in, it says instantly "Nothing found".
It's the first time I set Jenkins up to use AAD and never worked closely together with AAD, therefore, no idea where to look for problems.

So what what I read above, my problem is not related to @x0randgat3 's one?

[timja]

That means that the initial call to /me on page load failed and yes it's a different issue.

[thopiekar]

Ok, my problem has been solved after re-enabling CSR(F!). I had to remove it in the past since QA had issues opening HTML reports. However, the problem seems too be gone and the addon works 👍

[timja]

CSRF I guess? you shouldn't even be able to disable it on recent Jenkins but maybe there's still a system property

[thopiekar]

Yes. It was CSRF. Well, I did it via CLI options so it was enforced during the startup of the Jenkins instance.