We are working on an integration between our application and Azure AD where we provision user accounts using the Graph API. In our tests, we sometimes see that a newly created user seems to be gone on a subsequent request and pop up again later on. A great example of this, is the following sequence of requests:
2021-10-03 15:13:19,125 Starting to send request, URL https://graph.microsoft.com/v1.0/users 2021-10-03 15:13:19,125 Request Method POST 2021-10-03 15:13:19,299 Response code 201, Created 2021-10-03 15:13:19,301 Starting to send request, URL https://firstname.lastname@example.org 2021-10-03 15:13:19,301 Request Method PATCH 2021-10-03 15:13:19,403 Response code 204, No Content 2021-10-03 15:13:19,405 Starting to send request, URL https://email@example.com?%24select=accountEnabled%2CdisplayName%2CgivenName%2Cmail%2CmailNickname%2CuserPrincipalName%2ClastPasswordChangeDateTime 2021-10-03 15:13:19,405 Request Method GET 2021-10-03 15:13:19,564 Response code 404, Not Found 2021-10-03 15:13:19,941 Starting to send request, URL https://graph.microsoft.com/v1.0/users?%24select=accountEnabled%2Cid&%24filter=userPrincipalName%20eq%20%27o-internal%40testtopicuskeyhub.onmicrosoft.com%27 2021-10-03 15:13:19,941 Request Method GET 2021-10-03 15:13:19,989 Response code 200, OK 2021-10-03 15:13:19,997 Starting to send request, URL https://graph.microsoft.com/v1.0/users/8d8f02f0-16ed-4de3-87c6-be05312f6655 2021-10-03 15:13:19,997 Request Method DELETE 2021-10-03 15:13:20,110 Response code 204, No Content
Here, the user is created at 15:13:19,125 and patched at 15:13:19,301, but when it's read at 15:13:19,405, it seems to be gone. However, at 15:13:19,941 it's back again and at 15:13:19,997 it's deleted. We see similar problems in other places. Sometimes that patch fails, sometimes when a user is added to security groups, the API later reports that the user was not. It seems the Graph API is eventual consistent. All I could find about that is the Consistencylevel header used for some advanced queries, but we don't use those. Is this expected behavior for the Graph API, or are we missing something?