Account Attribute Transform - Account Property Filter on display name of Azure Group

Hello,

I am working on a transform to determine if a user with one or more Azure accounts has any Azure group with the group name starting with “GR_”. For example, a user has an Azure account and is a member of “GR_Texas”.

I have been testing with an Account Attribute Transform where I can filter by groups. I ran into an issue where the Azure source has the group “value” set to the object ID, which is a GUID, rather than the name of the group. I know this is the default Azure configuration and I don't think we can change the group schema at this point.

I would like to use the accountPropertyFilter with the displayName of the group rather than the value.
Is this a supported operation for accountPropertyFilter?
I have tried the following with no luck.
“(group.displayName.startswith("GR_"))”
“(groups.displayName.startswith("GR_"))”
“(groups.displayName.contains("GR_"))”
“(groups.displayName.containsAll("GR_"))”
“(groups.contains(displayName, "GR_"))”

{
  "name": "Contains CR Access",
  "type": "lookup",
  "attributes": {
    "input": {
      "attributes": {
        "values": [
          {
            "attributes": {
              "accountPropertyFilter": "(group.displayName.startswith(\"GR_\"))",
              "attributeName": "userPrincipalName",
              "sourceName": "Azure Active Directory"
            },
            "type": "accountAttribute"
          },
          "FALSE"
        ]
      },
      "type": "firstValid"
    },
    "table": {
      "FALSE": "FALSE",
      "default": "TRUE"
    }
  },
  "internal": false
}

Thank you in advance.

Hi

Welcome to SailPoint Developer Community.

Groups return the complete DN as the value, not the display name of the group, so you cannot implement this AFAIK.

You should look into a Static Transform. Using the $identity and $link objects, you can get the user's groups and iterate over them with a startsWith condition.

– Krish


Hi @emartinezic
Try below

"accountPropertyFilter": "(group.contains(\"GR_\"))"