IdentityGovernanceEntitlementManagement Manage Connected organization with internal / external sponsor #1063

Closed
achrafamor opened this issue Feb 7, 2022 · 1 comment · Fixed by #1305

achrafamor commented Feb 7, 2022

Description

With version 1.9.1 of the Microsoft.Graph.Identity.* modules, it was impossible to manage the internal / external sponsor with the following commands:

New-MgEntitlementManagementConnectedOrganization
Update-MgEntitlementManagementConnectedOrganization
new-MgEntitlementManagementConnectedOrganizationInternalSponsor
Update-MgEntitlementManagementConnectedOrganizationInternalSponsor 
New-MgEntitlementManagementConnectedOrganizationExternalSponsor
Update-MgEntitlementManagementConnectedOrganizationExternalSponsor

I updated the modules to version 1.9.2. Only creating a new connected organization with a sponsor is possible, with the command New-MgEntitlementManagementConnectedOrganization, and the same errors persist with the rest of the commands (see below for error messages).

Steps to reproduce

Connection to Azure AD with access token
Select-MgProfile -Name "beta"
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

...
[.. ] check if domain is AzureAD tenant or One time pass-code
... if One time pass-code domain :

$DomainName = "test0001.com"
$IdentitySources = @{
            "@odata.type" = "#microsoft.graph.domainIdentitySource"
            domainName = "$DomainName"
            displayName = "$DomainName"
        }
$AzureADUserSponsor = @{
                id = "{User_GUID}"
                "@Odata.id" = "https://graph.microsoft.com/beta/users/{User_GUID}"
            }
New-MgEntitlementManagementConnectedOrganization -DisplayName "test0001.com"  -Description "desc0001" -IdentitySources $IdentitySources -internalSponsors $AzureADUserSponsor

Update-MgEntitlementManagementConnectedOrganization -ConnectedOrganizationId {Org_Id} -Description "desc0002" -IdentitySources $IdentitySources -DisplayName "test0002.com" -internalSponsors $AzureADUserSponsor
Update-MgEntitlementManagementConnectedOrganization : **The model is invalid**.
Au caractère Ligne:1 : 1
+ Update-MgEntitlementManagementConnectedOrganization -ConnectedOrganiz ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation : ({ ConnectedOrga...Organization1 }:<>f__AnonymousType84`2) [Update-MgEntitl..._UpdateExpanded], RestException`1
    + FullyQualifiedErrorId : InvalidModel,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgEntitlementManagementConnectedOrganization_UpdateExpanded


New-MgEntitlementManagementConnectedOrganizationInternalSponsor -ConnectedOrganizationId {GUID_of_Other_org} -Id  {User_Guid}
New-MgEntitlementManagementConnectedOrganizationInternalSponsor : **No HTTP resource was found that matches the request URI
'https://igaelm-asev3-pdsapi-neu.igaelm-asev3-environment-neu.p.azurewebsites.net/api/v1/connectedOrganizations('7933ca34-7eb3-4d39-9f5f-bf92a4fb30c6')/internalSponsors'.**
Au caractère Ligne:1 : 1
+ New-MgEntitlementManagementConnectedOrganizationInternalSponsor -Conn ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation : ({ ConnectedOrga...rectoryObject }:<>f__AnonymousType84`2) [New-MgEntitleme..._CreateExpanded], RestException`1
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.NewMgEntitlementManagementConnectedOrganizationInternalSponsor_CreateExpanded

Related bugs

  • The command Get-MgEntitlementManagementConnectedOrganization returns a null value for the internal/external sponsor even if the sponsor exists on the ConnectedOrganization.
    => behavior not seen in Graph API Explorer.

Actual module versions

get-module -name *Microsoft.Graph.*

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.9.2      Microsoft.Graph.Authentication      {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext...}
Script     1.9.2      Microsoft.Graph.Identity.Governance {Get-MgAgreement, Get-MgAgreementAcceptance, Get-MgAgreementFile,
ghost added the ToTriage label Feb 7, 2022
peombwa commented May 20, 2022

Thanks for bringing this to our attention.

  1. The API does not support managing internal/external sponsors by updating a connectedOrganization; thus, The model is invalid error message when using Update-MgEntitlementManagementConnectedOrganization -ConnectedOrganizationId {Org_Id} -Description "desc0002" -IdentitySources $IdentitySources -DisplayName "test0002.com" -internalSponsors $AzureADUserSponsor. See https://docs.microsoft.com/en-us/graph/api/connectedorganization-update?view=graph-rest-1.0&tabs=http#request-body for properties that can be updated. Unfortunately, the metadata (that the SDK is generated from) is not currently fully annotated to tell us which properties are updatable, so we don't generate parameters for them.
  2. New-MgEntitlementManagementConnectedOrganizationInternalSponsor is not the correct command to add an internal sponsor to a connected organization and should not be generated. The correct command, New-MgEntitlementManagementConnectedOrganizationInternalSponsorByRef, is currently missing and will be added to the SDK as part of the next release.

Please use the List, Add, and Remove APIs to manage external/internal sponsors, as shown in the linked API reference docs.

You can use Invoke-MgGraphRequest to make direct REST calls as a workaround to the missing commands as we work on making them available. E.g., Add internalSponsors - Microsoft Graph v1.0 | Microsoft Docs:

$Uri = "/v1.0/identityGovernance/entitlementManagement/connectedOrganizations/$OrgId/internalSponsors/`$ref"
$Body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$UserId"
}
Invoke-MgGraphRequest -Uri $Uri -Body $Body -Method POST -Debug
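
The List, Add and Remove sponsor calls mentioned above can be combined into one idempotent reconcile step, shown here as an added example (not code from the issue thread or from the SDK). The helper name `Sync-ConnectedOrgSponsor` and its parameters are hypothetical; it assumes sponsors are user objects and that `Connect-MgGraph` has already been run with the `EntitlementManagement.ReadWrite.All` scope.

```powershell
# Added example: bring the sponsors of a connected organization in line with a
# desired list using only the List / Add / Remove ($ref) endpoints.
function Sync-ConnectedOrgSponsor {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid] $OrgId,
        [Parameter(Mandatory)][AllowEmptyCollection()][guid[]] $DesiredUserIds,
        [ValidateSet('internalSponsors', 'externalSponsors')]
        [string] $Kind = 'internalSponsors'
    )
    $base = "/v1.0/identityGovernance/entitlementManagement/connectedOrganizations/$OrgId/$Kind"

    # List: read the current sponsors, following paging links if present.
    $current = @()
    $next = $base
    while ($next) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $next
        foreach ($obj in $page.value) { $current += [guid]$obj.id }
        $next = $page.'@odata.nextLink'
    }

    # Compute the difference so that re-running the function changes nothing.
    $toAdd    = @($DesiredUserIds | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $DesiredUserIds })

    foreach ($id in $toAdd) {
        if ($PSCmdlet.ShouldProcess("$Kind of $OrgId", "Add sponsor $id")) {
            # Assumption: the sponsor is a user, referenced as in the reply above.
            $body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$id" }
            Invoke-MgGraphRequest -Method POST -Uri "$base/`$ref" -Body $body
        }
    }
    foreach ($id in $toRemove) {
        if ($PSCmdlet.ShouldProcess("$Kind of $OrgId", "Remove sponsor $id")) {
            Invoke-MgGraphRequest -Method DELETE -Uri "$base/$id/`$ref"
        }
    }

    # Return the planned or applied change set for logging and review.
    [pscustomobject]@{ Kind = $Kind; Added = $toAdd; Removed = $toRemove }
}
```

Running it with `-WhatIf` prints the planned additions and removals without calling the Add or Remove endpoints, which makes it usable as a periodic audit of who sponsors each connected organization.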
