SignIns value is not a collection

[L4r1k]

Hitting the SignIns list MS Graph API endpoint results in the error value is not a collection. I think this may be related to the SignIn metadata differing from the model go expects.

I have tried dropping back to the v1 SDK to retrieve SignIns and came across a different issue that also blocked SignIn retrieval: microsoftgraph/msgraph-sdk-go#617 so I'm left at the moment not being able to retrieve SignIns from msgraph-sdk-go or msgraph-beta-sdk-go.

[baywet]

Hi @L4r1k
Thanks for reporting this.
Could you please provide the code snippet of what you're executing to get this error?

[L4r1k]

Absolutely! I provided the code snippet here where the code is identical except the imports are replaced with */msgraph-beta-sdk-go/* instead of the v1 package import

[L4r1k]

Hi, has there been any movement on this? It's a big blocker for my application 😢

[baywet]

Thanks for your patience with this. Can you update graph core and see if you're still facing the issue?
We've had a pull request in this area recently.

[L4r1k]

Updating did not fix the issue. For reference I'm using github.com/microsoftgraph/msgraph-beta-sdk-go v0.87.0 + github.com/microsoftgraph/msgraph-sdk-go-core v1.0.1, that's correct right or is there a beta version of graph core?

[baywet]

yes, those are the correct versions/packages.

are you able to provide a stacktrace for the issue?

[L4r1k]

Have you reviewed the code snippet I provided? The error occurs upon making the initial request prior to any pagination loops. It appears this go package does not consider the content returned by the beta signins API to be a valid collection. I can try to provide a stack trace if you tell me exactly what information you need, what more do you need to know?

debug.PrintStack() just points to this line as the issue but doesn't provide further detail (and for reference, the get call succeeds when there's no data returned, which occurs if you try to retrieve data from just further than 30 days ago which indicates to me that it's definitely the content returned not fitting into a model struct or something along those lines):

result, err := req.Get(context.Background(), configuration)

[baywet]

I'm suspecting the error is returned by one of those two locations:
https://github.com/microsoft/kiota-serialization-json-go/blob/a39c4b5e60ac7cb07457bbfd9d74172c097b5f76/json_parse_node.go#L246
https://github.com/microsoft/kiota-serialization-json-go/blob/a39c4b5e60ac7cb07457bbfd9d74172c097b5f76/json_parse_node.go#L273

This is most likely caused by a metadata and service behaviour misalignment.
Could you execute the same request in Graph explorer and paste the data here (sanitize any sensitive or personal information) please?

[L4r1k]

I agree, my hunch is that's is a metadata misalignment as well. Here's a truncated (single value) return value from the beta signins endpoint:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#auditLogs/signIns",
    "@odata.nextLink": "https://graph.microsoft.com/beta/auditLogs/signIns?$skiptoken=adsfweaeawfc447dd1ca4bd00f45fcbf9ae9asdaaewwadxd1231235e5adea3a4f9d9dc",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET auditLogs/signIns?$select=appDisplayName,appId",
    "value": [
        {
            "id": "<uuid>",
            "createdDateTime": "2023-12-05T16:33:31Z",
            "userDisplayName": "Jack H",
            "userPrincipalName": "[email protected]",
            "userId": "<uuid>",
            "appId": "<uuid>",
            "appDisplayName": "Azure Portal",
            "ipAddress": "<ipv4>",
            "ipAddressFromResourceProvider": null,
            "clientAppUsed": "Browser",
            "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
            "correlationId": "<uuid>",
            "conditionalAccessStatus": "success",
            "originalRequestId": "",
            "isInteractive": true,
            "tokenIssuerName": "",
            "tokenIssuerType": "AzureAD",
            "clientCredentialType": "none",
            "processingTimeInMilliseconds": 85,
            "riskDetail": "none",
            "riskLevelAggregated": "none",
            "riskLevelDuringSignIn": "none",
            "riskState": "none",
            "riskEventTypes_v2": [],
            "resourceDisplayName": "Windows Azure Service Management API",
            "resourceId": "<uuid>",
            "resourceTenantId": "<uuid>",
            "homeTenantId": "<uuid>",
            "homeTenantName": "",
            "authenticationMethodsUsed": [],
            "authenticationRequirement": "multiFactorAuthentication",
            "signInIdentifier": "",
            "signInIdentifierType": null,
            "servicePrincipalName": null,
            "signInEventTypes": [
                "interactiveUser"
            ],
            "servicePrincipalId": "",
            "federatedCredentialId": null,
            "userType": "member",
            "flaggedForReview": false,
            "isTenantRestricted": false,
            "autonomousSystemNumber": "<5digitint>",
            "crossTenantAccessType": "none",
            "servicePrincipalCredentialKeyId": null,
            "servicePrincipalCredentialThumbprint": "",
            "uniqueTokenIdentifier": "<string>",
            "incomingTokenType": "primaryRefreshToken",
            "authenticationProtocol": "none",
            "resourceServicePrincipalId": "<uuid>",
            "signInTokenProtectionStatus": "unbound",
            "originalTransferMethod": "none",
            "authenticationAppDeviceDetails": null,
            "status": {
                "errorCode": 0,
                "failureReason": "Other.",
                "additionalDetails": "MFA requirement satisfied by claim in the token"
            },
            "deviceDetail": {
                "deviceId": "",
                "displayName": "",
                "operatingSystem": "MacOs",
                "browser": "Chrome 119.0.0",
                "isCompliant": false,
                "isManaged": false,
                "trustType": ""
            },
            "location": {
                "city": "Westminster",
                "state": "Greater London",
                "countryOrRegion": "GB",
                "geoCoordinates": {
                    "altitude": null,
                    "latitude": "<lat>",
                    "longitude": "<lon>"
                }
            },
            "mfaDetail": {
                "authMethod": null,
                "authDetail": null
            },
            "appliedConditionalAccessPolicies": [],
            "authenticationContextClassReferences": [],
            "authenticationProcessingDetails": [
                {
                    "key": "Root Key Type",
                    "value": "Unknown"
                },
                {
                    "key": "Oauth Scope Info",
                    "value": "[\"user_impersonation\"]"
                }
            ],
            "networkLocationDetails": [],
            "authenticationDetails": [
                {
                    "authenticationStepDateTime": "2023-12-05T16:33:31Z",
                    "authenticationMethod": "Previously satisfied",
                    "authenticationMethodDetail": null,
                    "succeeded": true,
                    "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token",
                    "authenticationStepRequirement": ""
                }
            ],
            "authenticationRequirementPolicies": [
                {
                    "requirementProvider": "multiConditionalAccess",
                    "detail": "Conditional Access"
                }
            ],
            "sessionLifetimePolicies": [],
            "privateLinkDetails": {
                "policyId": "",
                "policyName": "",
                "resourceId": "",
                "policyTenantId": ""
            },
            "appliedEventListeners": [],
            "authenticationAppPolicyEvaluationDetails": [],
            "managedServiceIdentity": {
                "msiType": "none",
                "associatedResourceId": null,
                "federatedTokenId": null,
                "federatedTokenIssuer": null
            }
        }
    ]
}

[baywet]

Thanks for the additional information.
I couldn't find a misalignment just by comparing the metadata with the payload.
The next step would be to feed that to DeserializeFromJson the second argument being this function reference

And see on which field exactly it fails.
To ease up the identification you'll want to clone microsoft/kiota-serialization-json-go locally as well and add a replace entry in your project, as well as break points on the lines I mentioned in my previous reply.

[L4r1k]

Thanks for the guidance. My findings after a little debugging are that the MS Graph request to signins goes through OK and does return initial data. I set breakpoints on the lines you suggested and they didn't fire, but I realized there's a third line in which value is not a collection is returned and when I set a breakpoint there it fired. The package errors here when parsing the data "application,users" from one of the fields:

Tracking this a bit further back up the callstack it appears this data occurs in the conditionsSatisfied field of numerous signin events.

I wonder if there is infact a metadata misalignment, related to conditional access similar to this issue but I'm not sure how to verify that.

[baywet]

Thanks for digging into this, this seems like a metadata drift as well.
The metadata says that appliedConditionalAccessPolicy's conditionsSatisfied property is a collection of conditionalAccessConditions, but the service in fact returns a single value.
I'll open an ICM on the responsible team shortly so they can address the issue.

[baywet]

Created the ICM: https://portal.microsofticm.com/imp/v3/incidents/incident/448554894/summary
Let's wait to see what the service team replies.

[baywet]

Update from the ICM: here is the full story. The service originally documented a single value, but returned a collection. We implemented a postfix when this was reported by customers and advised the service. Where we thought they'd change the metadata to a collection in the source, they in facts changed the service behavior to return a single value without notifying us.
So all that's left is to remove the postfix and kick off a new generation.
We have a number of people out of office already, but I'm hoping it'll happen by end of next week.

[baywet]

Update: the outdated post fix was removed, we should see the next generation (Tuesday) address this issue. Thanks for your patience.