microsoft · richardogundele · Sep 26, 2025 · Sep 30, 2025 · Oct 3, 2025 · Oct 3, 2025
@@ -26,6 +26,8 @@
 )
 from services.authentication import get_access_service
 from services.logging import logger
+from services.access_service import AuthConfigValidationError
+from core import config
 
 
 async def delete_validation(resource: Resource, resource_repo: ResourceRepository):
@@ -158,7 +160,12 @@ def construct_location_header(operation: Operation) -> str:
 
 def get_identity_role_assignments(user):
     access_service = get_access_service()
-    return access_service.get_identity_role_assignments(user.id)
+    try:
+        return access_service.get_identity_role_assignments(user.id)
+    except AuthConfigValidationError:
+        if config.USER_MANAGEMENT_ENABLED:
+            raise
+        return []
 
 
 def get_app_user_roles_assignments_emails(app_obj_id):

@@ -1,3 +1,61 @@
+from types import SimpleNamespace
+import pytest
+from mock import patch
+
+from services.access_service import AuthConfigValidationError
+
+
+@patch("api.routes.resource_helpers.get_access_service")
+def test_get_identity_role_assignments_fallback_when_user_mgmt_disabled(get_access_service_mock):
+    # Arrange: access service raises auth config error
+    class FakeAccessService:
+        def get_identity_role_assignments(self, user_id: str):
+            raise AuthConfigValidationError("graph not available")
+
+    get_access_service_mock.return_value = FakeAccessService()
+
+    # Force feature disabled
+    from core import config as core_config
+    original_value = core_config.USER_MANAGEMENT_ENABLED
+    core_config.USER_MANAGEMENT_ENABLED = False
+
+    try:
+        from api.routes import resource_helpers
+        user = SimpleNamespace(id="user-id")
+
+        # Act
+        result = resource_helpers.get_identity_role_assignments(user)
+
+        # Assert
+        assert result == []
+    finally:
+        core_config.USER_MANAGEMENT_ENABLED = original_value
+
+
+@patch("api.routes.resource_helpers.get_access_service")
+def test_get_identity_role_assignments_raises_when_user_mgmt_enabled(get_access_service_mock):
+    # Arrange: access service raises auth config error
+    class FakeAccessService:
+        def get_identity_role_assignments(self, user_id: str):
+            raise AuthConfigValidationError("graph not available")
+
+    get_access_service_mock.return_value = FakeAccessService()
+
+    # Force feature enabled
+    from core import config as core_config
+    original_value = core_config.USER_MANAGEMENT_ENABLED
+    core_config.USER_MANAGEMENT_ENABLED = True
+
+    try:
+        from api.routes import resource_helpers
+        user = SimpleNamespace(id="user-id")
+
+        # Act / Assert
+        with pytest.raises(AuthConfigValidationError):
+            resource_helpers.get_identity_role_assignments(user)
+    finally:
+        core_config.USER_MANAGEMENT_ENABLED = original_value
+
 import datetime
 from unittest.mock import AsyncMock
 import uuid