I'm trying to write a script for decommissioning user accounts in EntraID using the MS Graph API.

What I'd like to do is check for and "handle" any case where the user doesn't have a manager set.

Most of them do, but I've found if there is no manager, I get this odd error.

Get-MgUserManager : Resource 'manager' does not exist or one of its queried reference-property objects are not present.
At line:1 char:7
+ try { $mymanager = Get-MgUserManager -UserId ian.testpw@mycompany. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : InvalidOperation: ({ UserId = ian....ndProperty = }:<>f__AnonymousType10`3) [Get-MgUserManager_Get1], RestException`1
 + FullyQualifiedErrorId : Request_ResourceNotFound,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserManager_Get1

I am not an expert coder, but a sys admin with a few years under my belt, but I was expecting to get just a null value returned, that way I could test if there was no manager, and my script would then not bother trying to remove it.

Does anyone have knowledge/experience with this scenario or error? I tried a try/catch for it, but it doesn't seem to catch it.

When I've looked at the $Error variable, the exception is more complex than the usual one you get from PowerShell, and when I tried using that, it failed because there are multiple nested square brackets in the response, which PowerShell doesn't like.

Any thoughts or suggestions gratefully received.

Tried

$mymanager = Get-MgUserManager -UserId [email protected]

was really expecting a Null response

Santiago Squarzon
asked May 17, 2024 at 10:49
  • Try appending -ErrorAction SilentlyContinue Commented May 17, 2024 at 13:26
  • It's expected behavior of the Graph API. When a user has no manager then Graph API throws 404 Not Found error. learn.microsoft.com/en-us/graph/api/… I'm not familiar with PowerShell how to catch the error. Commented May 17, 2024 at 13:55
  • Thanks, I understand from my research it's expected behaviour, my question was how to approach it, I expected it to return null, and not error out, because my first go with try and catch, caught the first error, but it kept throwing new ones. So, I must be doing something fundamentally wrong. The proposed answer seems to provide a solution. If it's expected behaviour, what's the expected solution? why it needs to fall over in such a dramatic way because it's not inconceivable that a user wouldn't have a manager set, so why not return a null or no manager present type of response, not a 400 Commented May 20, 2024 at 10:53

1 Answer

A simple way to avoid the error is to use $expand instead of calling the List manager endpoint (this is the endpoint called by Get-MgUserManager behind the scenes).

So to summarize, this approach would avoid the error. It will get you the user you're querying and, in addition, if the user has a manager assigned, it will also give you a .manager property; otherwise this property will not exist:

$targetUser = '[email protected]'
$user = Invoke-MgGraphRequest GET "v1.0/users/${targetUser}?`$expand=manager"
$user.manager # this can be empty or the reference user but no errors

This approach, same endpoint used by the cmdlet, will throw an error if the user does not have a manager assigned:

$manager = Invoke-MgGraphRequest GET 'v1.0/users/[email protected]/manager'

You can use a try / catch here to avoid the error if you want. -ErrorAction SilentlyContinue wouldn't work here as this is a pipeline terminating error.

$targetUser = '[email protected]'
$manager = try { Invoke-MgGraphRequest GET "v1.0/users/${targetUser}/manager" } catch { }
answered May 17, 2024 at 17:38
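
A stricter variant of the try / catch above for a decommissioning script, as an added example that is not part of the original answer: it treats only the Request_ResourceNotFound error shown in the question as "no manager" and re-throws everything else, so a permission or throttling failure is not silently read as "nothing to remove". Get-ManagerOrNull, New-StubError, the -Lookup parameter and the example.test addresses are hypothetical names, and the stub responses are constructed so the logic runs without a tenant.

```powershell
# Added example. Get-ManagerOrNull and its -Lookup parameter are hypothetical names.
function Get-ManagerOrNull {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserId,
        # Injectable so the logic can be exercised offline; defaults to the real cmdlet.
        # -ErrorAction Stop makes any failure catchable by try / catch.
        [scriptblock] $Lookup = { param($id) Get-MgUserManager -UserId $id -ErrorAction Stop }
    )
    try {
        & $Lookup $UserId
    }
    catch {
        # The error record in the question carries FullyQualifiedErrorId
        # 'Request_ResourceNotFound,...'; only that case means "no manager".
        if ($_.FullyQualifiedErrorId -like 'Request_ResourceNotFound*') { return $null }
        throw  # permission, throttling or network failures must stop the run
    }
}

# Constructed stand-ins for Graph responses (sample data, not real output).
function New-StubError([string] $Code, [string] $Target) {
    $ex = [System.InvalidOperationException]::new("constructed: $Code")
    [System.Management.Automation.ErrorRecord]::new($ex, $Code, 'InvalidOperation', $Target)
}
$hasManager = { param($id) @{ id = '00000000-0000-0000-0000-000000000001' } }
$noManager  = { param($id) throw (New-StubError 'Request_ResourceNotFound' $id) }
$denied     = { param($id) throw (New-StubError 'Authorization_RequestDenied' $id) }

# Manager present: the object comes back unchanged.
(Get-ManagerOrNull -UserId 'a@example.test' -Lookup $hasManager).id
# No manager: $null instead of an error, so the caller can skip the removal step.
$null -eq (Get-ManagerOrNull -UserId 'b@example.test' -Lookup $noManager)
# Any other failure still surfaces and aborts the decommissioning step.
try { Get-ManagerOrNull -UserId 'c@example.test' -Lookup $denied }
catch { "aborted: $($_.FullyQualifiedErrorId)" }

# In the real script (connected session, no -Lookup):
# if (Get-ManagerOrNull -UserId $upn) { Remove-MgUserManagerByRef -UserId $upn }
```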

6 Comments

Thank you for this answer, I suppose a deeper question is why doesn't get-MgUserManager handle no manager gracefully. But thanks for your answer.
@iksound because you're getting 404 response from the API, this response is interpreted as an error in a web request.
Thank you @Santiago Squarzon , I understand that 400 is an error, I just don't understand the logic behind the decision, because not having a manager set is a very likely scenario. Trying the above I am not sure how to exchange the hard coded email with a variable.
@iksound updated my answer. As for the logic behind the decision, it's not up to us to answer that, you can take that complaint to MSFT who designed this module and all APIs behind the scenes.
Thank you, that's worked. Can I check which version of the module you're using, as I'm no longer getting the .manager returned, even for valid users with managers? I have 2.19.0