From 89300e7ac78919cbf1df6ae6003c05b7f0fa1456 Mon Sep 17 00:00:00 2001
From: Mike Swanson
Date: Mon, 20 Apr 2026 18:51:48 -0700
Subject: [PATCH] fix: add sleep after SP creation + handle null appRoleAssignments in jq New SPs need ~5s to replicate before appRoleAssignments can be granted. Also fixes jq null iterator error when SP has no existing assignments. Co-Authored-By: Claude Sonnet 4.6
---
 .claude/skills/remediation-tool/scripts/onboard-tenant.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.claude/skills/remediation-tool/scripts/onboard-tenant.sh b/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
index c74ac9a..41c5603 100644
--- a/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
+++ b/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
@@ -184,6 +184,8 @@ create_sp_if_missing() {
 fi
 echo " [CREATED] $app_name SP: $new_oid" >&2
+ # Brief pause for Graph replication before granting appRoleAssignments
+ sleep 5
 echo "$new_oid"
 }
@@ -199,7 +201,7 @@ grant_app_role() {
 already=$(curl -s --max-time 15 \
 -H "Authorization: Bearer $token" \
 "https://graph.microsoft.com/v1.0/servicePrincipals/$principal_oid/appRoleAssignments" \
- | jq --arg rid "$role_id" '[.value[] | select(.appRoleId == $rid)] | length > 0')
+ | jq --arg rid "$role_id" '([.value[]? | select(.appRoleId == $rid)] | length) > 0')
 if [[ "$already" == "true" ]]; then
 return 0
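Review bot: The fixed `sleep 5` before `echo "$new_oid"` guesses at directory replication time instead of confirming the new service principal is usable, so on a slow tenant the later appRoleAssignments calls can still reach a principal that is not visible yet, and onboarding can finish with only part of the intended roles granted. A bounded retry around the grant itself would be more reliable than a longer pause. As a minimum I would make the delay tunable and mark it best-effort, for example `sleep "${SP_REPLICATION_WAIT:-5}"  # best-effort; the grant must still handle not-found` (the variable name is only a suggestion). The start of create_sp_if_missing is outside the hunk, so whether this line runs only on the creation path is inferred from the `[CREATED]` message above it.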
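Review bot: The `?` added in `.value[]?` also swallows Graph error bodies: `curl -s` exits 0 on a 401, 404 or 429, the body is an `{"error": ...}` object with no `.value`, and the filter now prints `false`, so an expired token or a not-yet-replicated principal reads as "role not assigned" and the function presumably carries on to the grant. A principal with no assignments normally returns `"value": []`, so the null the commit message describes was probably one of those error responses, which is worth confirming. I would keep the failure visible by raising inside the filter, `'if .error then error(.error.code) else ([.value[]? | select(.appRoleId == $rid)] | length) > 0 end'`, and ending the assignment with `|| return 1`. grant_app_role continues past the end of the hunk, so how the later grant call reports errors is not visible here.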