[Azure AD Plan] Update access for GDAP users who were previously guests#8441
Draft
onbuyuka wants to merge 1 commit into
Draft
[Azure AD Plan] Update access for GDAP users who were previously guests#8441onbuyuka wants to merge 1 commit into
onbuyuka wants to merge 1 commit into
Conversation
… guests
A delegated-admin (GDAP) user who had previously logged in to the
environment as a guest had their plan row swapped to the GDAP plan but
never had their user access (user groups / permissions) updated, so they
did not effectively get the GDAP license.
In codeunit 9018 "Azure AD Plan Impl.".AssignPlanToUserWithDelegatedRole,
the caller passes SkipUpdateUserAccess = UserLoggedInEnvironment, which is
true for any returning user. After deleting the old guest plan and inserting
the GDAP plan, the procedure hit two early-exits:
if SkipUpdateUserAccess then exit; // true for returning users
...
if HasPlans then exit; // true for former guests
so OnUpdateUserAccessForSaaS (user-group/permission assignment) never ran.
The earlier "if IsPlanAssignedToUser(PlanId, UserSID) then exit" guard
already prevents re-processing when the GDAP plan is unchanged, so the
access update now only runs when the plan actually changes. Remove the two
redundant early-exits (and the now-unused HasPlans) so access is updated on
the guest -> GDAP transition.
Revives the previously abandoned PR #7490 (closed without merging); same
change + regression test GDAPUserWithPreviousGuestPlanGetsAccessUpdated.
Fixes AB#612420
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A delegated-admin (GDAP) user who had previously logged in to the environment as a guest got the GDAP plan row, but their user access (user groups / permissions) was never updated — so they did not effectively receive the GDAP license. IcM 1888383.
Root cause
In
codeunit 9018 "Azure AD Plan Impl.".AssignPlanToUserWithDelegatedRole, the caller (AzureADUserMgmtImpl.Run) passesSkipUpdateUserAccess = UserLoggedInEnvironment, which is true for any returning user. After deleting the old guest plan and inserting the GDAP plan, the procedure hit two early-exits before the access update:so
OnUpdateUserAccessForSaaS(the user-group / permission assignment) and the SUPER handling never ran for a former-guest GDAP user.The earlier guard
if IsPlanAssignedToUser(PlanId, UserSID) then exit;already prevents re-processing when the GDAP plan is unchanged, so the two removed checks are redundant for correctness — and crucially, that guard means the access update only re-runs when the plan actually changes (no per-login perf regression for normal returning users).Fix
Remove the two redundant early-exits and the now-unused
HasPlanslocal, so access is updated on the guest → GDAP transition. Adds regression testGDAPUserWithPreviousGuestPlanGetsAccessUpdated.Note on provenance
This revives the previously abandoned PR #7490 (closed without merging on 2026-04-01). I reproduced the same code change and test against current
main. Posting as draft so the original owners can confirm there was no hidden blocking concern behind the earlier abandonment before this lands.Verification
mainmatches the pre-fix state exactly. Verified all test-library helpers referenced by the new test exist on currentmain.Linked work item: AB#612420
🤖 Generated with Claude Code