Exception when creating dynamic membership group

[jak-hammond]

Describe the bug

I am trying to create a dynamic group but when I send the request with the required properties, along with the membership rule and processing state I get an exception thrown with the inner error code of InvalidObjectTypeException. It's also worth noting that if I send the request without the MembershipRule being provided, then a 400 is returned which seems to suggest the validation the request is at least working but something beyond that isn't functioning as expected.

The full request body sent is below;

var group = new Group
{
        DisplayName ="Test Group",
        MailEnabled = true,
        MailNickname = "TestGroup",
        SecurityEnabled = false,
        GroupTypes = new List<string> { "Unified", "DynamicMembership" },
        Visibility = "Private",
        MembershipRule = "(accountEnabled -eq true) and (user.userType -eq \"Member\") and (user.mail -ne null) and (user.userPrincipalName -notContains \"#EXT#\")",
        MembershipRuleProcessingState = "On"
};

The full error reported is below;

Code: InvalidObjectTypeException
Message: No object type
Inner error:
	AdditionalData:
	date: 2024-07-29T10:31:42
	request-id: 0d8f11a0-a7a1-4e21-8e57-cabec05207ba
	client-request-id: 0d8f11a0-a7a1-4e21-8e57-cabec05207ba
ClientRequestId: 0d8f11a0-a7a1-4e21-8e57-cabec05207ba

Expected behavior

The group should be created with the appropriate properties applied to it.

How to reproduce

Take the request body above and make the request to the Groups endpoint and the error will be presented as a ServiceException with the inner error.

SDK Version

No response

Latest version known to work for scenario above?

No response

Known Workarounds

It looks like there is a way to work around it at the moment whereby a group is created with assigned membership and then send an update request to enable the dynamic membership.

Debug output

Click to expand log

```

</details>


### Configuration

_No response_

### Other information

_No response_

[andrueastman]

Thanks for raising this @jak-hammond,

Any chance you can confirm that you are able to make a successful request using the Graph Explorer? Do you get a different result if you change the contents of the MembershipRule to be a simpler rule?

[jak-hammond]

@andrueastman the Graph explorer returns the same error as the SDK it would seem and there is no difference from my testing based on the complexity of the MembershipRule. One thing I have found however is that by changing SecurityEnabled from false to true seems to allow the group to be created.

This should be an acceptable workaround for us for now and it would seem to suggest a problem with the Graph endpoint itself rather than the actual SDK?

[ia-josephp]

Receiving the same error.

Input:

{
"displayName": "GraphTest",
"description": "Something Something Something",
"groupTypes": [
"DynamicMembership"
],
"mailEnabled": false,
"mailNickname": "graphtest",
"securityEnabled": true,
"membershipRule": "mailNickname -eq "userMailNickname"",
"membershipRuleProcessingState": "On",
"owners@odata.bind": ["https://graph.microsoft.com/v1.0/users/userGUID"]
}

Response:

  "error": {
    "code": "InvalidObjectTypeException",
    "message": "No object type",
    "innerError": {
      "date": "2024-08-14T15:53:56",
      "request-id": "d726d972-c300-4634-ab8a-2d40a488cb16",
      "client-request-id": "d726d972-c300-4634-ab8a-2d40a488cb16"
    }
  }
}

I have tried this in various configurations and changes, such as wrapping the membershipRule in parenthesis, swapping to mailEnabled and also disabling securityEnabled. All roads lead to the above response so far.

This worked about 4 weeks ago.

[ia-josephp]

As a follow up, if I remove dynamic membership from the security group and apply it after, it works. Is that intended behavior?

[jak-hammond]

Yeah, it's worth noting that using this approach also allows you to apply the dynamic rule to the a Free Azure tenant whereas if you try to do it at point of creation you get an exception saying the tenant isn't licensed.

[andrueastman]

This should be an acceptable workaround for us for now and it would seem to suggest a problem with the Graph endpoint itself rather than the actual SDK?

As a follow up, if I remove dynamic membership from the security group and apply it after, it works. Is that intended behavior?

As this seems to suggest an issue with the API and this repo is mainly intended for SDK related issues, we may not be best placed to answer this, any chance you can share this at https://aka.ms/askGraph so as to get feedback from the API owners?

(It would be great to post a link back here as a comment so that anyone who comes across this may also find the information)

[microsoft-github-policy-service]

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.