Description
When exporting Access Reviews with Export-Entra -All, the contactedReviewers grandchild endpoint fails with 400 errors for definitions that use non-GUID IDs (base64-encoded strings like 2G3-4TG6YU2J54hjnaRoPQE).
Error
Failed batch request:
- Url: 'identitygovernance/accessReviews/definitions/2G3-4TG6YU2J54hjnaRoPQE/instances/2G3-4TG6YU2J54hjnaRoPQE/contactedReviewers'
- StatusCode: '400'
- Error: 'Invalid guid 2G3-4TG6YU2J54hjnaRoPQE passed in'
Root Cause
The schema defines the contactedReviewers URL template with two <placeholder> strings:
identityGovernance/accessReviews/definitions/<placeholder>/instances/<placeholder>/contactedReviewers
When New-GraphBatchRequest processes this, it replaces all <placeholder> occurrences with the same value (the instance ID). However:
- The first <placeholder> should be the definition ID (parent)
- The second <placeholder> should be the instance ID (child)
Since both get the same value, and Access Review definition IDs are non-GUID strings, the API rejects the request.
Suggested Fix
The placeholder system in New-GraphBatchRequest.ps1 would need to support distinct parent/grandparent IDs, for example via numbered placeholders (<placeholder1>, <placeholder2>) or by pre-resolving the parent portion of the URL before passing it to the grandchild level.
This would also require changes in Export-Entra.ps1 (_processChildrenRecursive) to pass both the grandparent and parent IDs when building grandchild URLs.
Environment
- EntraExporter version: 3.0.1
- PowerShell version: 7.5.2
- OS: macOS (Darwin 25.3.0)
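
One way to fill the two placeholders with distinct IDs, shown as an added example that is not EntraExporter's code. The helper name `Resolve-UrlTemplate`, its parameters and the two sample IDs are hypothetical; only the URL template comes from the issue above.

```powershell
# Hypothetical helper (not part of EntraExporter): fills each <placeholder>
# in a URL template positionally, outermost ancestor first.
function Resolve-UrlTemplate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Template,
        [Parameter(Mandatory)] [string[]] $Id
    )

    $tokenRegex = [regex]::new([regex]::Escape('<placeholder>'))

    # Fail early on a mismatch instead of sending a malformed URL to the API.
    $count = $tokenRegex.Matches($Template).Count
    if ($count -ne $Id.Count) {
        throw "Template has $count placeholder(s) but $($Id.Count) ID(s) were supplied."
    }

    $url = $Template
    foreach ($value in $Id) {
        # Encode the ID as a single path segment. This also guarantees the
        # replacement contains no '$', '<' or '>' that could be reinterpreted.
        $segment = [uri]::EscapeDataString($value)
        # Regex.Replace(input, replacement, count): replace the first match only.
        $url = $tokenRegex.Replace($url, $segment, 1)
    }
    $url
}

# Template from the issue; both IDs are constructed sample values.
$template     = 'identityGovernance/accessReviews/definitions/<placeholder>/instances/<placeholder>/contactedReviewers'
$definitionId = 'definition-id-constructed'
$instanceId   = 'instance-id-constructed'

# Behaviour described in the issue: one value lands in every placeholder.
$template.Replace('<placeholder>', $instanceId)

# Positional fill: definition ID (parent) first, instance ID (child) second.
Resolve-UrlTemplate -Template $template -Id $definitionId, $instanceId
```

The count check makes a single-ID call against this two-placeholder template throw, so a caller that passes only one ID is caught before any batch request is built.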