Office Connector: Does not always create or delete users, never syncs groups

UCS 5.0-2, UCS Office 5.3. We create new user accounts with the UMC, but syncing them to MS365 only works in rare cases, groups are never synced. Lately even the deletion of a test account did fail on the MS365 side.

Although UCS Office 365 now has all the API permissions for Microsoft Graph as shown in MS365 Connector: Listener Error: Authorization Error. Your application may not have the correct permissions for the Microsoft Graph API, we still see “Authorization_RequestDenied”, “Insufficient privileges to complete the operation.” response bodys in the listernerr.log, see below for an example output.

What to do to fix this permissions problem and to reliable sync users and groups to MS365?
Help would very much be appreciated, Gregor

History:

Since months, Office Connector does not sync groups (see Office 365 Connector does not sync group membership any more).

Since we upgraded from UCS 4.4-9 to 5.0-2 on 2022-09-15 Office connector fails in most cases to sync users also. We upgraded to UCS Office 365 v5.3 today, but this did not help.

We then registered the listener.log since the upgrade to UCS 5.0-2 contains “Authorization_RequestDenied”, “Insufficient privileges to complete the operation.” in response bodys and "Your application may not have the correct
permissions for the Microsoft Graph API.
Please check https://help.univention.com/t/18453."

So we did. While service univention-directory-listener restart did not produce a failure notice in the log, the UCS Office 365 | API permissions in Azure AD Admin Center only showed one line, namely User.Read" from the screenshot in the help page mentioned above.

We set the API permissions according to the screenshot at the help page, including granting Admin consent for all permissions. We still get these error messages in response bodys. For instance when trying to delete test user account “aat” on the MS365 side (uncheck “Enable user for Microsoft 365” on “Microsoft 365” Tab of user account) the user is not deleted / moved to ZZZ… in MS365 and the listener.log shows (slightly redacted):

23.09.22 11:52:33.453 LDAP ( PROCESS ) : connecting to ldap://pdc.intern.izt.de:7389
23.09.22 11:52:33.459 LISTENER ( PROCESS ) : updating ‘uid=aat,cn=users,dc=intern,dc=izt,dc=de’ command m
23.09.22 11:52:33.461 LISTENER ( PROCESS ) : office365-user: modify dn: ‘uid=aat,cn=users,dc=intern,dc=izt,dc=de’
23.09.22 11:52:33.556 LISTENER ( ERROR ) : o365(D): GraphAPI: PATCH https://graph.microsoft.com/v1.0/users/85879e65-92cc-44cb-8d9d-efb4c4f34fa6 {‘accountEnabled’: False, ‘otherMails’: []}
23.09.22 11:52:33.556 LISTENER ( ERROR ) : o365(D): The access token for defaultADconnection looks similar to: eyJ0eXAiOi-trimmed-MZjYXf9IGA. It is valid until 2022-09-23 12:36:58
23.09.22 11:52:33.557 LISTENER ( ERROR ) : o365(D): proxy settings: {}
23.09.22 11:52:33.815 LISTENER ( ERROR ) : o365(D): status: 204 (OK) (PATCH https://graph.microsoft.com/v1.0/users/85879e65-92cc-44cb-8d9d-efb4c4f34fa6)
23.09.22 11:52:33.815 LISTENER ( ERROR ) : o365(D): GraphAPI: GET https://graph.microsoft.com/v1.0/directoryObjects/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/memberOf None
23.09.22 11:52:33.815 LISTENER ( ERROR ) : o365(D): The access token for defaultADconnection looks similar to: eyJ0eXAiOi-trimmed-MZjYXf9IGA. It is valid until 2022-09-23 12:36:58
23.09.22 11:52:33.816 LISTENER ( ERROR ) : o365(D): proxy settings: {}
23.09.22 11:52:33.976 LISTENER ( ERROR ) : o365(D): status: 200 (OK) (GET https://graph.microsoft.com/v1.0/directoryObjects/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/memberOf)
23.09.22 11:52:33.977 LISTENER ( ERROR ) : o365(D): GraphAPI: DELETE https://graph.microsoft.com/v1.0/groups/ba6c2465-2639-4933-a9f9-5461eaca7685/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref None
23.09.22 11:52:33.977 LISTENER ( ERROR ) : o365(D): The access token for defaultADconnection looks similar to: eyJ0eXAiOi-trimmed-MZjYXf9IGA. It is valid until 2022-09-23 12:36:58
23.09.22 11:52:33.977 LISTENER ( ERROR ) : o365(D): proxy settings: {}
23.09.22 11:52:34.202 LISTENER ( ERROR ) : o365(D): status: 204 (OK) (DELETE https://graph.microsoft.com/v1.0/groups/ba6c2465-2639-4933-a9f9-5461eaca7685/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref)
23.09.22 11:52:34.202 LISTENER ( ERROR ) : o365(D): GraphAPI: DELETE https://graph.microsoft.com/v1.0/groups/101ba90e-bc19-448d-9d18-a0b7ba5423b6/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref None
23.09.22 11:52:34.203 LISTENER ( ERROR ) : o365(D): The access token for defaultADconnection looks similar to: eyJ0eXAiOi-trimmed-MZjYXf9IGA. It is valid until 2022-09-23 12:36:58
23.09.22 11:52:34.203 LISTENER ( ERROR ) : o365(D): proxy settings: {}
23.09.22 11:52:34.521 LISTENER ( ERROR ) : o365(D): status: 403 (FAIL) (DELETE https://graph.microsoft.com/v1.0/groups/101ba90e-bc19-448d-9d18-a0b7ba5423b6/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref)
23.09.22 11:52:34.524 LISTENER ( ERROR ) : office365-user: dn=‘uid=aat,cn=users,dc=intern,dc=izt,dc=de’ command=‘m’
old={‘krb5MaxLife’: [b’86400’], ‘krb5MaxRenew’: [b’604800’], ‘uid’: [b’aat’], ‘uidNumber’: [b’1491’], ‘givenName’: [b’aat’], ‘sn’: [b’aat’], ‘gecos’: [b’aat aat’], ‘displayName’: [b’aat aat’], ‘o’: [b’IZT’], ‘street’: [b’XXXXXXXXXXXX’], ‘mail’: [b’a.aat@izt.de’], ‘postalCode’: [b’XXXXX’], ‘l’: [b’XXXXX’], ‘st’: [b’DE’], ‘telephoneNumber’: [b’+4930XXXXXXX’], ‘homeDirectory’: [b’/home/aat’], ‘loginShell’: [b’/bin/false’], ‘sambaHomePath’: [b’\\\\fs1\\home\\aat’], ‘sambaLogonScript’: [b’logon.bat’], ‘sambaProfilePath’: [b’\\\\fs1\\profiles\\aat’], ‘sambaHomeDrive’: [b’H:’], ‘mailPrimaryAddress’: [b’a.aat@izt.de’], ‘cn’: [b’aat aat’], ‘krb5PrincipalName’: [b’aat@INTERN.IZT.DE’], ‘krb5KDCFlags’: [b’126’], ‘userPassword’: [b’{crypt}$6$P2sGSPxPuhYCFjtM$4AyJnZ8ClryTuW7hyEWZ7TtD4THQc/jh6a04zDuBZ0UxaYoCAO01aRIiLFAJZ8zpl9uOJhzqA9XdSol0fcmnK0’], ‘krb5Key’: [b’0B\xa1#0!\xa0\x03\x02\x01\x10\xa1\x1a\x04\x18\x80\x10\xb9\x1cJR\xb5\x8c\x1c\xceb\xd6\x15\xb6F\xef\xb0\xd5\x8c\x13\x19\xaeL\xf8\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’02\xa1\x130\x11\xa0\x03\x02\x01\x01\xa1\n\x04\x08kz\x07/\xa2\xec\x92\xfe\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’02\xa1\x130\x11\xa0\x03\x02\x01\x02\xa1\n\x04\x08kz\x07/\xa2\xec\x92\xfe\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’0J\xa1+0)\xa0\x03\x02\x01\x12\xa1"\x04 \x04\xa9-NL\xc6\x11j\xc4\x81\x15\\\x8f\x82Sy\x19\xf3\xd2C\x1e\xb6\x15s\xab\x82;\x9cd\xf4\xef\x93\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’02\xa1\x130\x11\xa0\x03\x02\x01\x03\xa1\n\x04\x08kz\x07/\xa2\xec\x92\xfe\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’0:\xa1\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10n\xf8\xf2\x17\x9a\xf4\x91\x08\x84],\xd0\xf56\n\xbc\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’0:\xa1\x1b0\x19\xa0\x03\x02\x01\x17\xa1\x12\x04\x10i\x88<\x85[\xcd\x8f\x92\x8c\xee~X\xf3\x08\x81\xe1\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’], ‘krb5KeyVersionNumber’: [b’1’], ‘pwhistory’: [b’ $6$0SD3mvvLUmnuAGpt$sjNS5n/At8Mo0vnYIH97hWggj.f6ERIuhIpyWN52hIzs8SsNVpLSGgbzBtJqgzS91M54XCrlA0hKraWjNUucR.’], ‘sambaNTPassword’: [b’69883C855BCD8F928CEE7E58F30881E1’], ‘shadowLastChange’: [b’19258’], ‘sambaPwdLastSet’: [b’1663922689’], ‘sambaBadPasswordCount’: [b’0’], ‘sambaBadPasswordTime’: [b’0’], ‘sambaAcctFlags’: [b’[U ]’], ‘gidNumber’: [b’513’], ‘sambaPrimaryGroupSID’: [b’S-1-5-21-1732664294-487528853-3244829601-513’], ‘univentionObjectType’: [b’users/user’], ‘structuralObjectClass’: [b’inetOrgPerson’], ‘entryUUID’: [b’ba51ad78-cf67-103c-9283-ed30161cdfec’], ‘creatorsName’: [b’uid=Administrator,cn=users,dc=intern,dc=izt,dc=de’], ‘createTimestamp’: [b’20220923084449Z’], ‘memberOf’: [b’cn=Domain Users,cn=groups,dc=intern,dc=izt,dc=de’], ‘sambaSID’: [b’S-1-5-21-1732664294-487528853-3244829601-11475’], ‘objectClass’: [b’organizationalPerson’, b’krb5KDCEntry’, b’automount’, b’shadowAccount’, b’inetOrgPerson’, b’univentionObject’, b’top’, b’univentionPWHistory’, b’krb5Principal’, b’univentionOffice365’, b’sambaSamAccount’, b’univentionMail’, b’person’, b’posixAccount’], ‘univentionOffice365Enabled’: [b’1’], ‘univentionOffice365Data’: [b’eJwVy7EOgjAQANBfITdbBjygddLEhcXwC9e7a1KDrcGyQPh3YXzD20A00DKVx5NzSsol5gS3aoPs34cGOQC2tb3TrjWuYTaI7I0VJ0aDR8ZwxUAdXCpYfjqPc0wcvzS96KNnppqo3ONaalHY9z862SSE’], ‘univentionOffice365ADConnectionAlias’: [b’defaultADconnection’], ‘entryCSN’: [b’20220923094908.887101Z#000000#000#000000’], ‘modifiersName’: [b’cn=admin,dc=intern,dc=izt,dc=de’], ‘modifyTimestamp’: [b’20220923094908Z’], ‘entryDN’: [b’uid=aat,cn=users,dc=intern,dc=izt,dc=de’], ‘subschemaSubentry’: [b’cn=Subschema’], ‘hasSubordinates’: [b’FALSE’]}
new={‘krb5MaxLife’: [b’86400’], ‘krb5MaxRenew’: [b’604800’], ‘uid’: [b’aat’], ‘uidNumber’: [b’1491’], ‘givenName’: [b’aat’], ‘sn’: [b’aat’], ‘gecos’: [b’aat aat’], ‘displayName’: [b’aat aat’], ‘o’: [b’IZT’], ‘street’: [b’Schopenhauerstr. 26’], ‘mail’: [b’a.aat@izt.de’], ‘postalCode’: [b’14129’], ‘l’: [b’Berlin’], ‘st’: [b’DE’], ‘telephoneNumber’: [b’+49308030880’], ‘homeDirectory’: [b’/home/aat’], ‘loginShell’: [b’/bin/false’], ‘sambaHomePath’: [b’\\\\fs1\\home\\aat’], ‘sambaLogonScript’: [b’logon.bat’], ‘sambaProfilePath’: [b’\\\\fs1\\profiles\\aat’], ‘sambaHomeDrive’: [b’H:’], ‘mailPrimaryAddress’: [b’a.aat@izt.de’], ‘cn’: [b’aat aat’], ‘krb5PrincipalName’: [b’aat@INTERN.IZT.DE’], ‘krb5KDCFlags’: [b’126’], ‘userPassword’: [b’{crypt}$6$P2sGSPxPuhYCFjtM$4AyJnZ8ClryTuW7hyEWZ7TtD4THQc/jh6a04zDuBZ0UxaYoCAO01aRIiLFAJZ8zpl9uOJhzqA9XdSol0fcmnK0’], ‘krb5Key’: [b’0B\xa1#0!\xa0\x03\x02\x01\x10\xa1\x1a\x04\x18\x80\x10\xb9\x1cJR\xb5\x8c\x1c\xceb\xd6\x15\xb6F\xef\xb0\xd5\x8c\x13\x19\xaeL\xf8\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’02\xa1\x130\x11\xa0\x03\x02\x01\x01\xa1\n\x04\x08kz\x07/\xa2\xec\x92\xfe\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’02\xa1\x130\x11\xa0\x03\x02\x01\x02\xa1\n\x04\x08kz\x07/\xa2\xec\x92\xfe\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’0J\xa1+0)\xa0\x03\x02\x01\x12\xa1"\x04 \x04\xa9-NL\xc6\x11j\xc4\x81\x15\\\x8f\x82Sy\x19\xf3\xd2C\x1e\xb6\x15s\xab\x82;\x9cd\xf4\xef\x93\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’02\xa1\x130\x11\xa0\x03\x02\x01\x03\xa1\n\x04\x08kz\x07/\xa2\xec\x92\xfe\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’0:\xa1\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10n\xf8\xf2\x17\x9a\xf4\x91\x08\x84],\xd0\xf56\n\xbc\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’, b’0:\xa1\x1b0\x19\xa0\x03\x02\x01\x17\xa1\x12\x04\x10i\x88<\x85[\xcd\x8f\x92\x8c\xee~X\xf3\x08\x81\xe1\xa2\x1b0\x19\xa0\x03\x02\x01\x03\xa1\x12\x04\x10INTERN.IZT.DEaat’], ‘krb5KeyVersionNumber’: [b’1’], ‘pwhistory’: [b’ $6$0SD3mvvLUmnuAGpt$sjNS5n/At8Mo0vnYIH97hWggj.f6ERIuhIpyWN52hIzs8SsNVpLSGgbzBtJqgzS91M54XCrlA0hKraWjNUucR.’], ‘sambaNTPassword’: [b’69883C855BCD8F928CEE7E58F30881E1’], ‘shadowLastChange’: [b’19258’], ‘sambaPwdLastSet’: [b’1663922689’], ‘sambaBadPasswordCount’: [b’0’], ‘sambaBadPasswordTime’: [b’0’], ‘sambaAcctFlags’: [b’[U ]’], ‘gidNumber’: [b’513’], ‘sambaPrimaryGroupSID’: [b’S-1-5-21-1732664294-487528853-3244829601-513’], ‘univentionObjectType’: [b’users/user’], ‘structuralObjectClass’: [b’inetOrgPerson’], ‘entryUUID’: [b’ba51ad78-cf67-103c-9283-ed30161cdfec’], ‘creatorsName’: [b’uid=Administrator,cn=users,dc=intern,dc=izt,dc=de’], ‘createTimestamp’: [b’20220923084449Z’], ‘memberOf’: [b’cn=Domain Users,cn=groups,dc=intern,dc=izt,dc=de’], ‘sambaSID’: [b’S-1-5-21-1732664294-487528853-3244829601-11475’], ‘objectClass’: [b’organizationalPerson’, b’krb5KDCEntry’, b’automount’, b’shadowAccount’, b’inetOrgPerson’, b’univentionObject’, b’top’, b’univentionPWHistory’, b’krb5Principal’, b’univentionOffice365’, b’sambaSamAccount’, b’univentionMail’, b’person’, b’posixAccount’], ‘univentionOffice365Data’: [b’eJwVy7EOgjAQANBfITdbBjygddLEhcXwC9e7a1KDrcGyQPh3YXzD20A00DKVx5NzSsol5gS3aoPs34cGOQC2tb3TrjWuYTaI7I0VJ0aDR8ZwxUAdXCpYfjqPc0wcvzS96KNnppqo3ONaalHY9z862SSE’], ‘univentionOffice365ADConnectionAlias’: [b’defaultADconnection’], ‘entryCSN’: [b’20220923095233.423431Z#000000#000#000000’], ‘modifiersName’: [b’uid=Administrator,cn=users,dc=intern,dc=izt,dc=de’], ‘modifyTimestamp’: [b’20220923095233Z’], ‘entryDN’: [b’uid=aat,cn=users,dc=intern,dc=izt,dc=de’], ‘subschemaSubentry’: [b’cn=Subschema’], ‘hasSubordinates’: [b’FALSE’]}
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/exceptions/core_exceptions.py”, line 266, in inner
return func(*args, **kwargs)
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/core.py”, line 853, in _call_graph_api
raise MSGraphError(response, expected_status=expected_status)
univention.office365.microsoft.exceptions.core_exceptions.MSGraphError: HTTP response status: 403
HTTP response expected status: [204]

request url: https://graph.microsoft.com/v1.0/groups/101ba90e-bc19-448d-9d18-a0b7ba5423b6/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref

request header: {
“User-Agent”: “Univention Microsoft 365 Connector”,
“Accept-Encoding”: “gzip, deflate”,
“Accept”: “/”,
“Connection”: “keep-alive”,
“Authorization”: “XXX”,
“Content-Type”: “application/json”,
“Content-Length”: “0”
}

request body: -NONE-

response header: {
“Cache-Control”: “no-cache”,
“Transfer-Encoding”: “chunked”,
“Content-Type”: “application/json”,
“Content-Encoding”: “gzip”,
“Vary”: “Accept-Encoding”,
“Strict-Transport-Security”: “max-age=31536000”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“x-ms-ags-diagnostic”: “{“ServerInfo”:{“DataCenter”:“Germany West Central”,“Slice”:“E”,“Ring”:“5”,“ScaleUnit”:“000”,“RoleInstance”:“FR1PEPF000007A9”}}”,
“x-ms-resource-unit”: “1”,
“Date”: “Fri, 23 Sep 2022 09:52:16 GMT”
}

response body: {
“error”: {
“code”: “Authorization_RequestDenied”,
“message”: “Insufficient privileges to complete the operation.”,
“innerError”: {
“date”: “2022-09-23T09:52:16”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”
}
}
}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/univention/listener/api_adapter.py”, line 161, in _handler
self._module_handler.modify(dn, old, new, self._saved_old_dn if self._rename else None)
File “/usr/lib/univention-directory-listener/system/office365-user.py”, line 82, in modify
self.connector.modify(new_object=new_udm_user, old_object=old_udm_user)
File “/usr/lib/python3/dist-packages/univention/office365/connector/connector.py”, line 569, in modify
old_azure.deactivate(rename=False)
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/objects/azureobjects.py”, line 414, in deactivate
self._core.remove_group_member(group[“id”], self.id)
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/core.py”, line 561, in remove_group_member
expected_status=[204]
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/exceptions/core_exceptions.py”, line 272, in inner
raise exception_class(e)
univention.office365.microsoft.exceptions.core_exceptions.GraphPermissionError: Forbidden Error. Your application may not have the correct
permissions for the Microsoft Graph API.
Please check MS365 Connector: Listener Error: Authorization Error. Your application may not have the correct permissions for the Microsoft Graph API.
HTTP response status: 403
HTTP response expected status: [204]

request url: https://graph.microsoft.com/v1.0/groups/101ba90e-bc19-448d-9d18-a0b7ba5423b6/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref

request header: {
“User-Agent”: “Univention Microsoft 365 Connector”,
“Accept-Encoding”: “gzip, deflate”,
“Accept”: “/”,
“Connection”: “keep-alive”,
“Authorization”: “XXX”,
“Content-Type”: “application/json”,
“Content-Length”: “0”
}

request body: -NONE-

response header: {
“Cache-Control”: “no-cache”,
“Transfer-Encoding”: “chunked”,
“Content-Type”: “application/json”,
“Content-Encoding”: “gzip”,
“Vary”: “Accept-Encoding”,
“Strict-Transport-Security”: “max-age=31536000”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“x-ms-ags-diagnostic”: “{“ServerInfo”:{“DataCenter”:“Germany West Central”,“Slice”:“E”,“Ring”:“5”,“ScaleUnit”:“000”,“RoleInstance”:“FR1PEPF000007A9”}}”,
“x-ms-resource-unit”: “1”,
“Date”: “Fri, 23 Sep 2022 09:52:16 GMT”
}

response body: {
“error”: {
“code”: “Authorization_RequestDenied”,
“message”: “Insufficient privileges to complete the operation.”,
“innerError”: {
“date”: “2022-09-23T09:52:16”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”
}
}
}

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/exceptions/core_exceptions.py”, line 266, in inner
return func(*args, **kwargs)
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/core.py”, line 853, in _call_graph_api
raise MSGraphError(response, expected_status=expected_status)
univention.office365.microsoft.exceptions.core_exceptions.MSGraphError: HTTP response status: 403
HTTP response expected status: [204]

request url: https://graph.microsoft.com/v1.0/groups/101ba90e-bc19-448d-9d18-a0b7ba5423b6/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref

request header: {
“User-Agent”: “Univention Microsoft 365 Connector”,
“Accept-Encoding”: “gzip, deflate”,
“Accept”: “/”,
“Connection”: “keep-alive”,
“Authorization”: “XXX”,
“Content-Type”: “application/json”,
“Content-Length”: “0”
}

request body: -NONE-

response header: {
“Cache-Control”: “no-cache”,
“Transfer-Encoding”: “chunked”,
“Content-Type”: “application/json”,
“Content-Encoding”: “gzip”,
“Vary”: “Accept-Encoding”,
“Strict-Transport-Security”: “max-age=31536000”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“x-ms-ags-diagnostic”: “{“ServerInfo”:{“DataCenter”:“Germany West Central”,“Slice”:“E”,“Ring”:“5”,“ScaleUnit”:“000”,“RoleInstance”:“FR1PEPF000007A9”}}”,
“x-ms-resource-unit”: “1”,
“Date”: “Fri, 23 Sep 2022 09:52:16 GMT”
}

response body: {
“error”: {
“code”: “Authorization_RequestDenied”,
“message”: “Insufficient privileges to complete the operation.”,
“innerError”: {
“date”: “2022-09-23T09:52:16”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”
}
}
}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/univention/listener/api_adapter.py”, line 169, in _handler
self._module_handler.error_handler(dn, old, new, command, exc_type, exc_value, exc_traceback)
File “/usr/lib/python3/dist-packages/univention/listener/handler.py”, line 261, in error_handler
reraise(exc_type, exc_value, exc_traceback)
File “/usr/lib/python3/dist-packages/six.py”, line 693, in reraise
raise value
File “/usr/lib/python3/dist-packages/univention/listener/api_adapter.py”, line 161, in _handler
self._module_handler.modify(dn, old, new, self._saved_old_dn if self._rename else None)
File “/usr/lib/univention-directory-listener/system/office365-user.py”, line 82, in modify
self.connector.modify(new_object=new_udm_user, old_object=old_udm_user)
File “/usr/lib/python3/dist-packages/univention/office365/connector/connector.py”, line 569, in modify
old_azure.deactivate(rename=False)
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/objects/azureobjects.py”, line 414, in deactivate
self._core.remove_group_member(group[“id”], self.id)
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/core.py”, line 561, in remove_group_member
expected_status=[204]
File “/usr/lib/python3/dist-packages/univention/office365/microsoft/exceptions/core_exceptions.py”, line 272, in inner
raise exception_class(e)
univention.office365.microsoft.exceptions.core_exceptions.GraphPermissionError: Forbidden Error. Your application may not have the correct
permissions for the Microsoft Graph API.
Please check MS365 Connector: Listener Error: Authorization Error. Your application may not have the correct permissions for the Microsoft Graph API.
HTTP response status: 403
HTTP response expected status: [204]

request url: https://graph.microsoft.com/v1.0/groups/101ba90e-bc19-448d-9d18-a0b7ba5423b6/members/85879e65-92cc-44cb-8d9d-efb4c4f34fa6/$ref

request header: {
“User-Agent”: “Univention Microsoft 365 Connector”,
“Accept-Encoding”: “gzip, deflate”,
“Accept”: “/”,
“Connection”: “keep-alive”,
“Authorization”: “XXX”,
“Content-Type”: “application/json”,
“Content-Length”: “0”
}

request body: -NONE-

response header: {
“Cache-Control”: “no-cache”,
“Transfer-Encoding”: “chunked”,
“Content-Type”: “application/json”,
“Content-Encoding”: “gzip”,
“Vary”: “Accept-Encoding”,
“Strict-Transport-Security”: “max-age=31536000”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“x-ms-ags-diagnostic”: “{“ServerInfo”:{“DataCenter”:“Germany West Central”,“Slice”:“E”,“Ring”:“5”,“ScaleUnit”:“000”,“RoleInstance”:“FR1PEPF000007A9”}}”,
“x-ms-resource-unit”: “1”,
“Date”: “Fri, 23 Sep 2022 09:52:16 GMT”
}

response body: {
“error”: {
“code”: “Authorization_RequestDenied”,
“message”: “Insufficient privileges to complete the operation.”,
“innerError”: {
“date”: “2022-09-23T09:52:16”,
“request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”,
“client-request-id”: “8e958326-699e-4c91-bdae-26d0df5fff53”
}
}
}

23.09.22 11:52:34.527 LISTENER ( WARN ) : handler: office365-user (failed)

We finally realized that the problem was that the primary email address on Tab “General” was all small letters, while the email address on the contact Tab was the same but capitalized. In order to fix this we added “<:lower>” at the end of the template (for good measures on both fields). Now new accounts are synced to MS365 again. The reason some accounts were synced was that these had umlauts in the names thus somehow preventing the template to generate identical email addresses
which only differed in capitalization.

The way the process fails here is a bug, IMHO.

That’s still the case.

Thanks for your attention, Gregor