DBQueue Processor removes AADUserInGroup memberships for groups marked with 'HasReadOnlyMemberships'
Description
A Person record (Employee) has an Account Definition for an AADAccount and a Full Managed AADAccount. An O3EMailbox exists for the AADUser.
The mailbox has memberships in the tables O3EMailboxInDL and O3EAADUserInUnifiedGroup; the equivalent memberships also exist at the Azure level in AADUserInGroup.
The Employee is deactivated, and because of the setting in the Manage Level all group memberships are removed.
Expected result:
The memberships of the O3EMailbox and the AADAccount are removed, and the removals are provisioned to the target systems. In this scenario, memberships are controlled exclusively at the O3E level; the AAD memberships are removed automatically as a consequence.
Actual result:
A process "AAD_Group_Insert/Update/Delete" is generated. The AdHocProjection job in it fails, and the O3E memberships remain.
Error message/log:
Error from the AdHocProjection job: [1777018] Error running synchronization project (Azure Active Directory tenant 'Contoso')'s workflow (Provisioning). [1777124] Error running synchronization step (Group) of synchronization configuration (Provisioning (Provisioning)). [1777004] Method (Update (Update)) could not be run successfully. [System.Exception] [Exception]: ServiceException occurred
Code: Request_BadRequest
Message: Cannot update a mail-enabled security groups and or distribution list. [ServiceException]: Code: Request_BadRequest - Message: Cannot Update a mail-enabled security groups and or distribution list. [System.Exception] ServiceException occurred
Code: Request_BadRequest
Message: Cannot update a mail-enabled security groups and or distribution list. [Microsoft.Graph.ServiceException] Code: Request_BadRequest Message: Cannot update a mail-enabled security groups and or distribution list.
Various DBQueueTasks generated in this context fail, e.g.:
(execute slot bulk)50000 0 re-throw in Procedure O3E_ZMailboxInDL, Line 44 50000 0 re-throw in Procedure QBM_PMNTableOriginUpdate, Line 79 50000 0 re-throw in Procedure QBM_PExecuteSQLWithRetry_LLP, Line 21 50000 0 re-throw in Procedure QBM_PExecuteSQLWithRetry_LLP, Line 13 50000 0 re-throw in Procedure O3E_TUO3EMailboxInDL, Line 15 50000 0 re-throw in Procedure AAD_TUAADUserGroup, Line 33 50000 0 detected in (SRV=SERVER, DB=OneIM91) Procedure AAD_TUAADUserinGroup, Line 15 50000 1 #LDS#Cannot update {0} because assignment to groups with read only memberships are not permitted.|AADUserinGroup|
(execute slot bulk)50000 0 re-throw in Procedure O3E_ZAADUserInUnifiedGroup, Line 44 50000 0 re-throw in Procedure QBM_PMNTableOriginUpdate, Line 79 50000 0 re-throw in Procedure QBM_PExecuteSQLWithRetry_LLP, Line 21 50000 0 re-throw in Procedure QBM_PExecuteSQLWithRetry_LLP, Line 13 50000 0 re-throw in Procedure O3E_TUO3EAADUserInUnifiedGroup, Line 15 50000 0 re-throw in Procedure AAD_TUAADUserGroup, Line 33 50000 0 detected in (SRV=SERVER, DB=OneIM91) Procedure AAD_TUAADUserinGroup, Line 15 50000 1 #LDS#Cannot update {0} because assignment to groups with read only memberships are not permitted.|AADUserinGroup|
Cause
In the AADUserInGroup calculation, groups with HasReadOnlyMemberships = 1 are not excluded, so the DBQueue Processor attempts to remove memberships of groups whose membership cannot be updated from the AAD side, and the resulting group update fails.
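A read-only diagnostic query, added here and not part of the article or the product, to list the AADUserInGroup rows whose group is flagged HasReadOnlyMemberships = 1 and would therefore be rejected when their removal is attempted. The column names UID_AADGroup, UID_AADUser, DisplayName and UserPrincipalName are assumed from the schema's naming convention; check them against your One Identity Manager database before use.

```sql
-- Added diagnostic query (not from the KB article or the product):
-- memberships in AADUserInGroup whose group has read-only memberships.
-- These are the rows the DBQueue Processor tries to remove and fails on.
-- Assumed columns: UID_AADGroup, UID_AADUser, DisplayName, UserPrincipalName.
SELECT g.DisplayName        AS GroupName,
       u.UserPrincipalName  AS UserPrincipalName,
       uig.UID_AADUser,
       uig.UID_AADGroup
FROM AADUserInGroup AS uig
JOIN AADGroup AS g ON g.UID_AADGroup = uig.UID_AADGroup
JOIN AADUser  AS u ON u.UID_AADUser  = uig.UID_AADUser
WHERE g.HasReadOnlyMemberships = 1
ORDER BY g.DisplayName, u.UserPrincipalName;
```

Rows returned for a deactivated Employee are the memberships that must be removed at the O3E level (O3EMailboxInDL, O3EAADUserInUnifiedGroup) rather than through AADUserInGroup.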