2.26.1 | In Set-MgUserLicense, null-value key in BodyParameter is omitted unexpectedly

[Xuzhou-Huang]

Describe the bug

I'm using the following script to assign license to users but failed with error:

[Request_BadRequest] : One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing parameters are: removeLicenses.

$sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq "SPB_NO_WIN" } 
$skuId = $sku.SkuId 
$params = @{
                addLicenses = @(
                    @{
                        skuId = $skuId
                        disabledPlans = @() 
                    }
                )
                removeLicenses = @() 
            } 

$convertedparams = $params | ConvertTo-Json -Compress 

Set-MgUserLicense -UserId [email protected] -BodyParameter $params -debug

From debug log, I can see the request body get converted to following content where the null-value key is omitted unexpectedly.

Body:
> {
"addLicenses": [
{
"skuId": "e6222d1d-d4a1-4011-97e4-c5f1cb1072f4"
}
]
}

Running the same script with Graph Powershell 2.23.0, it could run successfully. Here's the debug log for your reference where the null-value key is remained as usual.

Body:
{
"addLicenses": [
{
"disabledPlans": [],
"skuId": "e6222d1d-d4a1-4011-97e4-c5f1cb1072f4"
}
],
"removeLicenses": []
}

Expected behavior

Don't omit the null-value key in JSON parameter

How to reproduce

1. Run script

$sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq "SPB_NO_WIN" } 
$skuId = $sku.SkuId 
$params = @{
                addLicenses = @(
                    @{
                        skuId = $skuId
                        disabledPlans = @() 
                    }
                )
                removeLicenses = @() 
            } 

$convertedparams = $params | ConvertTo-Json -Compress 

Set-MgUserLicense -UserId [email protected] -BodyParameter $params -debug

2. Get error output

Body:
{
"error": {
"code": "Request_BadRequest",
"message": "One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing p
arameters are: removeLicenses.",
"innerError": {
"date": "2025-03-06T06:17:57",
"request-id": "4a20cd18-5923-4c0f-b55e-f8127014304e",
"client-request-id": "fe7ec1c1-5f31-47db-9da8-a51f97e35c6f"
}
}
}

SDK Version

2.26.1

Latest version known to work for scenario above?

2.23.0

Known Workarounds

rollback to 2.23.0

Debug output

Set-MgUserLicense -UserId [email protected] -BodyParameter $params -debug
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://microsoftgraph.chinacloudapi.cn/v1.0/users/xuhuan%40mcpod.partner.onmschina.cn/microsoft.graph.assignLicense

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.19045; en-US),PowerShell/5.1.19041.548
6
SdkVersion : graph-powershell/2.26.1
client-request-id : fe7ec1c1-5f31-47db-9da8-a51f97e35c6f

Body:
{
"addLicenses": [
{
"skuId": "e6222d1d-d4a1-4011-97e4-c5f1cb1072f4"
}
]
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 4a20cd18-5923-4c0f-b55e-f8127014304e
client-request-id : fe7ec1c1-5f31-47db-9da8-a51f97e35c6f
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"China North","Slice":"E","Ring":"5","ScaleUnit":"001","RoleIns
tance":"BJ1NEPF00000A4F"}}
Cache-Control : no-cache
Date : Thu, 06 Mar 2025 06:17:56 GMT

Body:
{
"error": {
"code": "Request_BadRequest",
"message": "One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing p
arameters are: removeLicenses.",
"innerError": {
"date": "2025-03-06T06:17:57",
"request-id": "4a20cd18-5923-4c0f-b55e-f8127014304e",
"client-request-id": "fe7ec1c1-5f31-47db-9da8-a51f97e35c6f"
}
}
}

Set-MgUserLicense : One or more parameters of the operation 'assignLicense' are missing from the request payload. The
missing parameters are: removeLicenses.
Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-03-06T06:17:57
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 4a20cd18-5923-4c0f-b55e-f8127014304e
client-request-id : fe7ec1c1-5f31-47db-9da8-a51f97e35c6f
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"China
North","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"BJ1NEPF00000A4F"}}
Cache-Control : no-cache
Date : Thu, 06 Mar 2025 06:17:56 GMT
At line:12 char:1

• Set-MgUserLicense -UserId [email protected] -BodyPara ...

•   + CategoryInfo          : InvalidOperation: ({ UserId = xuhu...ionJsonSchema }:<>f__AnonymousType0`3) [Set-MgUserLice 
   nse_Assign], Exception
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.SetMgUserLicense_Assign
  

DEBUG: [CmdletEndProcessing]: - Set-MgUserLicense end processing.

Configuration

No response

Other information

No response

[Xuzhou-Huang]

a similar bug found at #3201

[jrs-anthony-borrow]

I concur that I was able to get the Set-MgUserLicense command to work again by going back to version 2.23.0 (Install-Module -Name Microsoft.Graph -RequiredVersion 2.23.0).

In #3201 there were comments indicating that 2.24.0 worked for some users; however, for the non-beta version 2.24.0 produced the same error for me but I did not include the LicenseAssignment.ReadWrite.All permissions when connecting the MgGraph. When I tested 2.24.0 and included the LicenseAssignment permission in the scope when connecting Set-MgUserLicense works as expected.

I was testing with Powershell in Ubuntu because in Windows I find everything much slower. I did follow the recommendations to run a script to remove all of the Graph related modules for all versions and then install the desired version. I would be curious to see what is actually causing the issue. A cursory look at the code seemed to indicate that essentially the Set-MgUserLicense command mapping in:

./src/Authentication/Authentication/custom/common/MgCommandMetadata.json: "Command": "Set-MgUserLicense",

What I noticed in 2.24.0 is that the LicenseAssignment.ReadWrite.All permission was added and that for the permission User.ReadWrite.All" the IsLeastPrivilege was switched from false (in 2.23.0) to true. Here are the differences in the various versions between the different versions.

• 2.23.0: Directory (IsAdmin:false, IsLeastPrivilege: false); License (undefined); User (IsAdmin:false, IsLeastPrivilege: true)
• 2.24.0: Directory (IsAdmin:false, IsLeastPrivilege: false); License (IsAdmin:false, IsLeastPrivilege: true); User (IsAdmin:false, IsLeastPrivilege: false)
• 2.26.1: Directory (IsAdmin:true, IsLeastPrivilege: false); License (IsAdmin:true, IsLeastPrivilege: true); User (IsAdmin:true, IsLeastPrivilege: false)

I suspect that the issues folks are experiencing were introduced by the changes in permissions. Hopefully we can get those reverted back to functional state.

[jrs-anthony-borrow]

I wonder if @timayabi2020 might be willing to take a quick look at my notes and provide a recommendation.

[jrs-anthony-borrow]

I checked and 2.25.0 works (even without the scope LicenseAssignment.ReadWrite.All). I installed 2.25.0 and then used:

Connect-MgGraph -scope User.ReadWrite.All, Organization.Read.All, Group.ReadWrite.All -NoWelcome

and

Set-MgUserLicense -UserId $upn -AddLicenses @{SkuId = $fabric_sku.SkuId} -RemoveLicenses @() worked just fine.

[Xuzhou-Huang]

Hi @jrs-anthony-borrow I doubt it's a permission related issue. Per permission required as below, I added the license one, but the error still remains. From the error message, it's still related with the missing parameter.

2.26.1: Directory (IsAdmin:true, IsLeastPrivilege: false); License (IsAdmin:true, IsLeastPrivilege: true); User (IsAdmin:true, IsLeastPrivilege: false)

Set-MgUserLicense -UserId [email protected] -BodyParameter $params -debug
DEBUG: [CmdletBeginProcessing]: - Set-MgUserLicense begin processing with parameterSet 'Assign'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: 'xuzhou-powershell'.
DEBUG: [Authentication]: - Scopes: [PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup, LicenseAssignment.ReadWrite.All, RoleManagementPolicy.Read.AzureADGroup, Application.Rea
d.All, Policy.ReadWrite.ApplicationConfiguration, PrivilegedAccess.ReadWrite.AzureAD, Device.ReadWrite.All, RoleManagementPolicy.Read.Directory, User.ReadWrite.All, DeviceManage
mentManagedDevices.ReadWrite.All, RoleManagementPolicy.ReadWrite.Directory, DeviceManagementManagedDevices.PrivilegedOperations.All, EntitlementManagement.Read.All, Policy.ReadW
rite.ConditionalAccess, Directory.ReadWrite.All, PrivilegedAccess.Read.AzureAD, PrivilegedAssignmentSchedule.Read.AzureADGroup, Device.Read.All, Directory.Read.All, UserAuthenti
cationMethod.ReadWrite.All, PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup, UserAutheticationMethod.Read.All, Organization.ReadWrite.All, CustomSecAttributeAssignment.Read
Write.All, EntitlementManagement.ReadWrite.All, Policy.Read.All, DeviceManagementManagedDevices.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup, RoleManagementPolicy.R
eadWrite.AzureADGroup, Application.ReadWrite.All, PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedAccess.Read.AzureResources, PrivilegedAccess.Read.AzureADGroup, PrivilegedAc
cess.ReadWrite.AzureResources, AuditLog.Read.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://microsoftgraph.chinacloudapi.cn/v1.0/users/xuhuan%40mcpod.partner.onmschina.cn/microsoft.graph.assignLicense

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-US),PowerShell/5.1.26100.2161
SdkVersion : graph-powershell/2.26.1
client-request-id : 63a4817c-8f24-4b4e-be81-2be65e4bb4dd

Body:
{
"addLicenses": [
{
"skuId": "e6222d1d-d4a1-4011-97e4-c5f1cb1072f4"
}
]
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 97ecb59c-93a1-470c-9746-c7aab789059e
client-request-id : 63a4817c-8f24-4b4e-be81-2be65e4bb4dd
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF00000914"}}
Cache-Control : no-cache
Date : Mon, 10 Mar 2025 06:24:00 GMT

Body:
{
"error": {
"code": "Request_BadRequest",
"message": "One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing parameters are: removeLicenses.",
"innerError": {
"date": "2025-03-10T06:24:00",
"request-id": "97ecb59c-93a1-470c-9746-c7aab789059e",
"client-request-id": "63a4817c-8f24-4b4e-be81-2be65e4bb4dd"
}
}
}

[jrs-anthony-borrow]

Thanks for sharing the additional information. The request does not seem to include the null removeLicenses. Rather than passing it as a param, in my usage it is directly passed as:

Set-MgUserLicense -UserId $upn -AddLicenses @{SkuId = $fabric_sku.SkuId} -RemoveLicenses @()

I wonder if it is possible that somewhere during the processing of $params something is changed such that null or empty parameters are not being passed.

I was simply exploring the code changes between the versions to try to see I could make sense of the change in behavior..

Obviously, others who are more knowledgeable may have a better understanding of what is the best way to resolve the issue. Hopefully, some of this information will be useful.

[Xuzhou-Huang]

Thanks for the insights @jrs-anthony-borrow . Look forward to if any changes on null/empty parameter handling are found.