
Microsoft Graph - Create user without onPremisesImmutableId on a Federated Domain

We are trying to create a User on a Federated domain, without sending the JSON field onPremisesImmutableId. As documented on the Create User page, this field becomes mandatory in such cases.

When we issue such a request, the HTTP response status code is strangely 400 without a proper message in the response payload. Below is a sample.

Is it possible to get an accurate message as to why the request failed? The reason why we're asking is, before making this domain Federated, the same request was working perfectly fine, but not anymore. It took us hours to figure out what went wrong and the documentation finally gave a clue.

Request:
    Invoke-WebRequest -Method POST https://graph.microsoft.com/v1.0/users -Headers @{"Authorization"="Bearer <access_token>"} -Body '{"accountEnabled":true,"displayName": "displayName-value","mailNickname": "mailNickname-value",  "userPrincipalName": "blah-blah","passwordProfile":{"password": "bleh"}}' -ContentType 'application/json'

===============

Response:
    status: 400 Bad Request
    Date: Thu, 06 Apr 2017 19:35:32 GMT
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"South India","Slice":"SliceA","ScaleUnit":"000","Host":"AGSFE_IN_1","ADSiteName":"MAA"}}
    Duration: 148.322
    client-request-id: 516c451a-1052-4918-9671-2ebfa8d2f795
    Content-Type: application/json
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: ETag, Location, Preference-Applied, Content-Range, request-id, client-request-id
    Cache-Control: private
    Transfer-Encoding: chunked
    request-id: 516c451a-1052-4918-9671-2ebfa8d2f795

    {
      "error": {
        "code": "Request_BadRequest",
        "message": "One or more properties contains invalid values.",
        "innerError": {
          "request-id": "516c451a-1052-4918-9671-2ebfa8d2f795",
          "date": "2017-04-06T19:35:32"
        }
      }
    }

Your request to create a user in a federated domain must contain an onPremisesImmutableId. That is why your requests started to fail (after converting the domain to be federated). Even though this property says it's immutable, it's meant to indicate that this should be the value of the immutable id for the user on-premises - so that you can tie the on-premises user object to the cloud user object. If you don't set this property correctly, federated sign-in will not work. This property can be updated (although not recommended for obvious reasons) and can be nullified if the user has been moved to a non-federated cloud-only domain.

If you try to create a user in a federated domain without the onPremisesImmutableId being set (or even change a user's userPrincipalName to be under a federated domain without setting the onPremisesImmutableId), then a 400 error is appropriate. The error does indicate that something is not correctly set - however error messages are something that we *do* definitely need to work on improving, and could do with being more precise.

Hope this helps,
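As an added example (not code from the question or the answer above), this PowerShell wrapper looks up the UPN's domain with GET /domains/{id} and, when its authenticationType is Federated, fills in onPremisesImmutableId from the on-premises AD objectGUID before issuing the POST, so the request fails locally with a clear reason instead of a bare 400. The function names and the `$accessToken` variable are assumptions; the base64-of-objectGUID derivation is Azure AD Connect's default sourceAnchor convention, and the token is assumed to carry permissions to read domains and write users.

```powershell
# Added example: create a Graph user and supply onPremisesImmutableId when
# the UPN domain is federated. Names and variables here are assumptions.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect's default sourceAnchor is the base64 of the objectGUID bytes
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function New-GraphUser {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$Password,
        [guid]$OnPremisesObjectGuid = [guid]::Empty   # objectGUID of the on-prem AD user
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $domain  = $UserPrincipalName.Split('@')[-1]

    # The domain resource exposes authenticationType: "Managed" or "Federated"
    $info = Invoke-RestMethod -Method GET -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/domains/$domain"

    $body = @{
        accountEnabled    = $true
        displayName       = $DisplayName
        mailNickname      = $MailNickname
        userPrincipalName = $UserPrincipalName
        passwordProfile   = @{ password = $Password; forceChangePasswordNextSignIn = $true }
    }

    if ($info.authenticationType -eq 'Federated') {
        if ($OnPremisesObjectGuid -eq [guid]::Empty) {
            # Fail before the call: Graph would answer 400 "One or more properties contains invalid values."
            throw "Domain '$domain' is federated; onPremisesImmutableId is required. Pass -OnPremisesObjectGuid."
        }
        $body.onPremisesImmutableId = ConvertTo-ImmutableId $OnPremisesObjectGuid
    }

    Invoke-RestMethod -Method POST -Headers $headers -ContentType 'application/json' `
        -Uri 'https://graph.microsoft.com/v1.0/users' `
        -Body ($body | ConvertTo-Json -Depth 4)
}

# Usage (assumed values): $accessToken holds a valid Graph bearer token
# New-GraphUser -AccessToken $accessToken -UserPrincipalName 'jdoe@federated.example' `
#     -DisplayName 'J. Doe' -MailNickname 'jdoe' -Password '<strong-password>' `
#     -OnPremisesObjectGuid '00000000-0000-0000-0000-000000000000'
```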
