appRoleAssignments support in Azure Active Directory Connector

We got a requirement to get application role assignments for the users for the Azure AD connector.
I investigated this in our current 8.3p2, but unfortunately I didn’t find any docs or code related to that.

Luckily there was a new release 8.4 where the docs mentioned the support for appRoleAssignments (see the documentation).
Again, if you take the connector out of the box and include

      <AttributeDefinition entitlement="true" managed="true" multi="true" name="appRoleAssignments" schemaObjectType="applicationRole" type="string">
        <Description>Application roles assigned to the user</Description>
      </AttributeDefinition>

in the schema (combined with applicationRole group as well) you’ll still see empty appRoleAssignments attribute for your Azure AD accounts.

I filed a case for support, but unfortunately they can’t help us either.

I did some investigation on my own, looking at the AzureAppRoleAssignmentCollector class. I noticed that in the method populateAppRoleAssignments they check that objectId should contain an identifier in the format :, which is wrong since they look at the Azure AD user account, which never has that format.

I posted a similar question in the regular forum, but without much luck.
Did anyone have issues with the appRoleAssignments attribute? How did you fix it?

Hi @andreis

I don’t think appRoleAssignment is supported in SailPoint 8.3p2 version. It is a new feature included in IIQ and is for ServicePrincipal. Adding the schema applicationRole and attribute appRoleAssignment in the accounts schema might not help.

This will be only supported if ServicePrincipal is managed as accounts. Check the SailPoint 8.4 documentation for more information.

Hi @Jarin_James, thanks for your reply. If you read my post you’ll see that I already use 8.4.
My question was about a specific bug in 8.4.
