Merge pull request #28266 from microsoftgraph/migrateknownissues

FaithOmbongi · web-flow · commit 9f80b3663f8a · 2026-02-25T12:53:34.000+03:00
Migrate known issues
diff --git a/concepts/includes/known-issues/authentication.md b/concepts/includes/known-issues/authentication.md
@@ -0,0 +1,66 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### Publisher message of "unverified" occurs during PowerShell and CLI app consent
+
+<!-- {
+  "ms.author": "ckigoonya",
+  "ms.reviewer": ""
+} -->
+
+The consent page shows that the command-line app that caters to PowerShell and CLI is from an unverified publisher.
+
+#### Workaround
+
+To remove the "unverified" message, you can do an app registration of your own, on which you can set yourself as the verified publisher. You need to go through the publisher verification process, and use the app ID on the Microsoft Graph PowerShell SDK, as follows:
+
+```powershell
+Connect-MgGraph -AppId "{your-own-app-id}" -Scopes "scope"
+```
+
+### Pre-consent for CSP apps doesn't work in some customer tenants
+
+<!-- {
+  "ms.author": "sureshja",
+  "ms.reviewer": ""
+} -->
+
+Under certain circumstances, pre-consent for cloud solution provider (CSP) apps may not work for some of your customer tenants.
+
+For apps using delegated permissions, when using the app for the first time with a new customer tenant, you might receive this error after sign-in: `AADSTS50000: There was an error issuing a token`.
+
+For apps using application permissions, your app can acquire a token, but unexpectedly gets an access denied message when calling Microsoft Graph.
+
+We're working to fix this issue, so that preconsent works for all CSP customer tenants.
+
+#### Workaround
+
+To unblock development and testing, you can use the following workaround.
+
+> [!NOTE]
+> This isn't a permanent solution and is only intended to unblock development. This workaround won't be required once the issue is fixed. This workaround doesn't need to be undone after the fix is in place.
+
+1. Open an Azure AD v2 PowerShell session and connect to your customer tenant by entering your admin credentials into the sign-in window. You can download and install Azure AD PowerShell V2 from [here](https://www.powershellgallery.com/packages/AzureAD).
+
+    ```powershell
+    Connect-AzureAd -TenantId {customerTenantIdOrDomainName}
+    ```
+
+2. Create the Microsoft Graph service principal.
+
+    ```powershell
+    New-AzureADServicePrincipal -AppId 00000003-0000-0000-c000-000000000000
+    ```
+
+### Azure AD v2.0 endpoint isn't supported for CSP apps
+
+<!-- {
+  "ms.author": "sureshja",
+  "ms.reviewer": ""
+} -->
+
+Cloud solution provider (CSP) apps must acquire tokens from the Azure AD (v1) endpoints to successfully call Microsoft Graph in their partner-managed customers. Currently, acquiring a token through the newer Azure AD v2.0 endpoint isn't supported.
diff --git a/concepts/includes/known-issues/calendar.md b/concepts/includes/known-issues/calendar.md
@@ -0,0 +1,15 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### Error attaching large files to events
+
+<!-- {
+  "ms.author": "abhda",
+  "ms.reviewer": ""
+} -->
+
+An app with delegated permissions returns `HTTP 403 Forbidden` when attempting to attach large files to an Outlook message or event that is in a shared or delegated mailbox. With delegated permissions, [createUploadSession](/graph/api/attachment-createuploadsession) succeeds only if the message or event is in the signed-in user's mailbox.
diff --git a/concepts/includes/known-issues/change-notifications.md b/concepts/includes/known-issues/change-notifications.md
@@ -0,0 +1,23 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/25/2026
+ms.localizationpriority: medium
+---
+
+### Upgrade events for Teams app installation change notifications in chat scope aren't delivered
+
+<!-- {
+  "ms.author": "",
+  "ms.reviewer": ""
+} -->
+
+When a subscription for a Teams app installation change notification is created, if the scope is specific to or includes chats, upgrade events/notifications aren't delivered to the subscriber.
+
+For example: If a customer subscribes to `/appCatalogs/teamsApps/{teams-app-id}/installations?$filter=(scopeInfo/scope eq 'groupChat')`, they won't receive notifications for upgrade/update events. However, they receive other notifications regarding installations and deletions.
+
+Another example: If a customer subscribes to `/appCatalogs/teamsApps/{teams-app-id}/installations`, they won't receive notifications for upgrade/update events occurring specifically within chats. However, they receive all other forms of notifications in teams and user's personal scope. But, in chats, they only receive installation and deletion notifications.
+
+#### Workaround
+
+Currently no workaround for this issue is available.
diff --git a/concepts/includes/known-issues/customer-booking.md b/concepts/includes/known-issues/customer-booking.md
@@ -0,0 +1,32 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### Error when querying bookingBusinesses
+
+<!-- {
+  "ms.author": "jhayes",
+  "ms.reviewer": ""
+} -->
+
+Getting the list of **bookingBusinesses** fails with the following error code when an organization has several Bookings businesses and the account making the request is not an administrator:
+
+```json
+{
+  "error": {
+    "code": "ErrorExceededFindCountLimit",
+    "message": "The GetBookingMailboxes request returned too many results. Please specify a query to limit the results."
+  }
+}
+```
+
+#### Workaround
+
+You can limit the set of businesses returned by the request by including a query parameter, for example:
+
+```http
+GET https://graph.microsoft.com/beta/bookingBusinesses?query=Fabrikam
+```
diff --git a/concepts/includes/known-issues/delta-query.md b/concepts/includes/known-issues/delta-query.md
@@ -0,0 +1,15 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### OData context is returned incorrectly
+
+<!-- {
+  "ms.author": "dkershaw",
+  "ms.reviewer": ""
+} -->
+
+OData context is sometimes returned incorrectly when tracking changes to relationships.
diff --git a/concepts/includes/known-issues/device-app-management.md b/concepts/includes/known-issues/device-app-management.md
@@ -0,0 +1,18 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### Accessing and updating deployment audiences is not supported
+
+<!-- {
+  "ms.author": "altang",
+  "ms.reviewer": ""
+} -->
+
+Accessing and updating deployment audiences on deployment resources created via Intune is not currently supported.
+
+- Listing deployment audience members and listing deployment audience exclusions returns `404 Not Found`.
+- Updating deployment audience members and exclusions or updating by ID returns `202 Accepted` but the audience is not updated.
diff --git a/concepts/includes/known-issues/groups.md b/concepts/includes/known-issues/groups.md
@@ -0,0 +1,37 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### Nonadmin user can't add self as group owner during group creation or update
+
+<!-- {
+  "ms.author": "yuhko",
+  "ms.reviewer": ""
+} -->
+
+When a nonadmin user calls the [Create group](/graph/api/group-post-groups) API, [Update group](/graph/api/group-update) API, or [Upsert group](/graph/api/group-upsert) API and adds their user ID in the request body in the **owners@odata.bind** collection, the request fails with a `400 Bad Request` error code with the message "Request contains a property with duplicate values." A nonadmin user can't explicitly add themselves as the group owner.
+
+#### Workaround
+
+There's no workaround for this error.
+
+By default, a nonadmin user who is creating a security or Microsoft 365 group through the [Create group](/graph/api/group-post-groups) API or [Upsert group](/graph/api/group-upsert) API is automatically added to the **owners** collection of the group, if they don't specify any group owners. If they specify others as group owners, the nonadmin group creator is still automatically added to the **owners** collection of the security group, but not for the Microsoft 365 group. The user still can't add themselves to the **owners** collection during group update.
+
+### GET /groups/{id}/members doesn't return service principals in v1.0
+
+<!-- {
+  "ms.author": "mbhargav",
+  "ms.reviewer": ""
+} -->
+
+The [List group members](/graph/api/group-list-members) API operation on the v1.0 endpoint currently doesn't return any service principals that might be members of the queried group.
+
+#### Workaround
+
+As a workaround, use one of the following options:
+
+- Use the [List group members](/graph/api/group-list-members?view=graph-rest-beta&preserve-view=true) API operation on the beta endpoint.
+- Use the `/groups/{id}?$expand=members` API operation.
diff --git a/concepts/includes/known-issues/identity-access.md b/concepts/includes/known-issues/identity-access.md
@@ -0,0 +1,56 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### Use of specific query parameters on /subscribedSkus and /domains doesn't return the expected results
+
+<!-- {
+  "ms.author": "tazkiaafra",
+  "ms.reviewer": ""
+} -->
+
+The following usage of query parameters that target **subscribedSkus** and **domain** entities might not return the expected results:
+
+- Use of `$search` on both **subscribedSkus** or **domain** entities
+- Use of `$top` and `$filter` on the **domain** entity
+
+Currently, these parameters are effectively ignored, and the queries don't return the expected results.
+
+#### Workaround
+
+To prevent any disruption to your business processes, we recommend that you modify your application code to remove usage of these query parameters from queries that target the **subscribedSkus** or **domain** entities and run the search, top, and filter on the client side.
+
+### Configuring federated domains in delegated scenarios requires Directory.AccessAsUser.All permission
+
+<!-- {
+  "ms.author": "rahulnagraj",
+  "ms.reviewer": ""
+} -->
+
+The [Create internalDomainFederation](/graph/api/domain-post-federationconfiguration), [Update internalDomainFederation](/graph/api/internaldomainfederation-update), and [Delete internalDomainFederation](/graph/api/internaldomainfederation-delete) might require you to grant consent to the *Directory.AccessAsUser.All* permission. This requirement is a temporary workaround till we provide a more granular delegated permission for managing federated domains.
+
+### Claims mapping policy might require consent to additional permissions
+
+<!-- {
+  "ms.author": "paulgarn",
+  "ms.reviewer": ""
+} -->
+
+The [claimsMappingPolicy](/graph/api/resources/claimsmappingpolicy) API might require consent to both the *Policy.Read.All* and *Policy.ReadWrite.ConditionalAccess* permissions for the `LIST /policies/claimsMappingPolicies` and `GET /policies/claimsMappingPolicies/{id}` methods, as follows:
+
+- If no **claimsMappingPolicy** objects are available to retrieve in a LIST operation, either permission is sufficient to call this method.
+- If there are **claimsMappingPolicy** objects to retrieve, your app must consent to both permissions. If not, a `403 Forbidden` error is returned.
+
+In the future, either permission will be sufficient to call both methods.
+
+### Conditional access policy requires consent to additional permission
+
+<!-- {
+  "ms.author": "davidspo",
+  "ms.reviewer": ""
+} -->
+
+The [conditionalAccessPolicy](/graph/api/resources/conditionalaccesspolicy) API currently requires consent to the *Policy.Read.All* permission to call the POST and PATCH methods. In the future, the *Policy.ReadWrite.ConditionalAccess* permission will enable you to read policies from the directory.
diff --git a/concepts/includes/known-issues/json-batching.md b/concepts/includes/known-issues/json-batching.md
@@ -0,0 +1,21 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/06/2026
+ms.localizationpriority: medium
+---
+
+### Request dependencies are limited
+
+<!-- {
+  "ms.author": "sriramd",
+  "ms.reviewer": ""
+} -->
+
+Individual requests can depend on other individual requests. Currently, requests can only depend on a single other request, and must follow one of these three patterns:
+
+- **Parallel** - no individual request states a dependency in the **dependsOn** property.
+- **Serial** - all individual requests depend on the previous individual request.
+- **Same** - all individual requests that state a dependency in the **dependsOn** property, state the same dependency. Note: Requests made using this pattern will run sequentially.
+
+As JSON batching matures, these limitations will be removed.
diff --git a/concepts/includes/known-issues/mail.md b/concepts/includes/known-issues/mail.md
@@ -0,0 +1,24 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/25/2026
+ms.localizationpriority: medium
+---
+
+### Delta calls to the messages API using immutable Ids
+
+<!-- {
+  "ms.author": "abhda",
+  "ms.reviewer": ""
+} -->
+
+When you make `/delta` calls to the messages API using immutable Ids in some cases (for example when a message moves out of a folder and is then moved back in), you might miss some change notifications.
+
+### The comment parameter for creating a draft isn't part of the message body
+
+<!-- {
+  "ms.author": "abhda",
+  "ms.reviewer": ""
+} -->
+
+The **comment** parameter for creating a reply or forward draft ([createReply](/graph/api/message-createreply), [createReplyAll](/graph/api/message-createreplyall), [createForward](/graph/api/message-createforward)) isn't part of the body of the response message draft.
diff --git a/concepts/includes/known-issues/query-parameters.md b/concepts/includes/known-issues/query-parameters.md
@@ -0,0 +1,79 @@
+---
+author: ombongifaith
+ms.topic: include
+ms.date: 02/25/2026
+ms.localizationpriority: medium
+---
+
+### $search for directory objects fails for encoded ampersand (&) character
+
+<!-- {
+  "ms.author": "syprieur",
+  "ms.reviewer": ""
+} -->
+
+As per RFC 3986 and as described in [Encoding query parameters](/graph/query-parameters#encoding-query-parameters), reserved characters in query strings must be percent-encoded. For example, the syntax for `$search` on a group name like "Hiking&Recreation" is as follows:
+
+```http
+GET https://graph.microsoft.com/v1.0/groups?$search="displayName:Hiking%26Recreation group"
+```
+
+Microsoft Graph currently returns a `400 Bad Request` error code on the v1.0 endpoint on searches that include encoded ampersand (&) characters, with the following error message: `Unrecognized query argument specified: ''.`. The same request succeeds on the beta endpoint.
+
+Some apps have implemented double-percent encoding on the v1.0 endpoint as a workaround. For example, the double-percent encoded request becomes `/users?$search="displayName:Hiking%2526Recreation group"`. However, this isn't the officially recommended workaround.
+
+#### Workaround
+
+**Workaround 1:**
+
+On the v1.0 endpoint, when using the proper percent-encoding, include the `Prefer` request header set to `legacySearch=false`. For example:
+
+```http
+GET https://graph.microsoft.com/v1.0/groups?$search="displayName:Hiking%26Recreation group"
+ConsistencyLevel: eventual
+Prefer: legacySearch=false
+```
+
+In the future, the behavior on the v1.0 endpoint will be corrected, and you won't need to include this header.
+
+**Workaround 2:**
+
+When the behavior on the v1.0 endpoint is corrected, apps with dependency on the double-percent encoding may experience breaking changes unless they're opted-in to maintain their implementation by including the `Prefer` request header set to `legacySearch=true`. For example:
+
+```http
+GET https://graph.microsoft.com/v1.0/groups?$search="displayName:Hiking%2526Recreation group"
+ConsistencyLevel: eventual
+Prefer: legacySearch=true
+```
+
+### Some limitations apply to query parameters
+
+<!-- {
+  "ms.author": "lucaspol",
+  "ms.reviewer": ""
+} -->
+
+The following limitations apply to query parameters:
+
+- Multiple namespaces aren't supported.
+- GET requests on `$ref` and casting aren't supported on users, groups, devices, service principals, and applications.
+- `@odata.bind` isn't supported. This means that you can't properly set the **acceptedSenders** or **rejectedSenders** navigation property on a group.
+- `@odata.id` isn't present on noncontainment navigations (like messages) when using minimal metadata.
+- `$expand` on relationships of directory objects:
+  - Returns a maximum of 20 objects except for `/users?$expand=registeredDevices`, which returns up to 100 objects.
+  - No support for `@odata.nextLink`.
+  - No support for more than one level of expand.
+  - No support for nesting other query parameters such as `$filter` and `$select` inside an `$expand` query.
+- `$filter`:
+  - `/attachments` endpoint doesn't support filters. If present, the `$filter` parameter is ignored.
+  - Cross-workload filtering isn't supported.
+  - When using the `in` operator, the request is limited to 15 expressions in the filter clause by default OR a URL length of 2,048 characters when using advanced query capabilities.
+  - When filtering using the `eq` operator, the maximum limit of the value to match is 120 characters. That is, `$filter=displayName eq 'value-to-match-max-120-char'`. This limitation applies even for properties like **displayName** on directory objects that can be up to 256 characters. When using advanced queries, the limit is applied on the URL length at 2,048 characters instead of the matched value.
+- `$search`:
+  - Full-text search is only available for a subset of entities, such as messages.
+  - Cross-workload searching isn't supported.
+  - Searching isn't supported in Azure AD B2C tenants.
+- `$count`:
+  - Not supported in Azure AD B2C tenants.
+  - When using the `$count=true` query string when querying against directory resources, the `@odata.count` property is present only on the first page of the paged data.
+- Query parameters specified in a request might fail silently. This can be true for unsupported query parameters and for unsupported combinations of query parameters.
diff --git a/concepts/includes/known-issues/search.md b/concepts/includes/known-issues/search.md
diff --git a/concepts/includes/known-issues/sites-lists.md b/concepts/includes/known-issues/sites-lists.md
diff --git a/concepts/includes/known-issues/teamwork-communications.md b/concepts/includes/known-issues/teamwork-communications.md
diff --git a/concepts/includes/known-issues/users.md b/concepts/includes/known-issues/users.md
diff --git a/concepts/known-issues.md b/concepts/known-issues.md
