Azure AD Account aggregation failed to aggregate group membership

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hi,
We are able to perform account aggregation and retrieve account information such as assignedPlan and assignedLicenses, but not the groups.
However, the group provisioning is working.
Is there any configuration that we have missed out?

Hi @sptan

Can you share the current Azure AD configuration?

@sptan
Please share your application xml

Hi @iamksatish and @rajeshs ,
Thanks for the reply.
Here is the configuration for Azure AD
Application-AzureAD.xml (261.8 KB)

The application definition looks good at first glance. Did you try to execute aggregation with disabled optimisation?

Second question: do you run full or delta aggregation?


Hi @kjakubiak ,
I have tried both full and delta aggregation with disabled optimization, but still no luck with it.

From the logs, it is showing that IIQ is trying to destroy the group membership store; not sure if this is the root cause:

@sptan I don't think this could cause an issue. We need to debug more.

Since the application xml looks good to me. Can you check for the group details in the Azure AD application and the aggregation definition?

No, it’s not the message that is causing problems in this case - it is basically information about the cache destroy operation, which is generally executed once the aggregation is finished.

Can you also add here aggregation task definition xml?

@rajeshs, we have granted the API permissions as listed in the SailPoint Connector Guide. Can you help to specify any configuration that we should check from Azure AD?

@Kamil, here is the aggregation task definition.
Azure AD Full Account Aggregation.xml (1.9 KB)

Many thanks!

I don’t think it’s Azure AD permissions issue - let’s try to remove this line

      <entry key="groupMembershipDeltaToken" value="…"/>

from your Application XML and check if it works. If not, I would suggest writing a customization rule to print out each resource object you are receiving from the connector and see if the groups attribute is present there. That will confirm whether or not you are receiving group membership from the connector.

Just in case you can also check if all permissions listed here

are correctly granted to your app definition in Azure.
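
The diagnostic suggested in the post above, sketched as an added example that is not part of the original thread or SailPoint's own code: a customization rule body (BeanShell) that reports, per aggregated account, whether the membership attribute arrived from the connector. It assumes the account schema names that attribute `groups`, and it logs only attribute names and a group count so that account attribute values do not end up in the log.

```java
// Added example: body of an IdentityIQ customization rule (BeanShell).
// IdentityIQ supplies 'object' (sailpoint.object.ResourceObject),
// 'application' (sailpoint.object.Application) and 'log' to this rule type.
import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.ResourceObject;

// Assumption: the account schema calls the membership attribute "groups";
// change this to the entitlement attribute name used in your schema.
String GROUP_ATTR = "groups";

if (object != null) {
    String prefix = "[" + application.getName() + "] " + object.getIdentity() + ": ";
    Object raw = object.getAttribute(GROUP_ATTR);

    if (raw == null) {
        // The connector returned the account without membership data.
        // Log attribute names only, never values, to keep PII out of the log.
        Attributes attrs = object.getAttributes();
        log.warn(prefix + "'" + GROUP_ATTR + "' not returned; attributes present: "
                 + (attrs != null ? attrs.keySet().toString() : "none"));
    } else if (raw instanceof List) {
        log.warn(prefix + "'" + GROUP_ATTR + "' returned with "
                 + ((List) raw).size() + " value(s)");
    } else {
        // A single membership can arrive as a plain value instead of a list.
        log.warn(prefix + "'" + GROUP_ATTR + "' returned as a single value");
    }
}

// Return the object unchanged so aggregation results are not affected.
return object;
```

Attach the rule as the application's customization rule, run the aggregation against a small set of accounts, and remove it once the check is done, since it logs at WARN for every account.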

@sptan: I hope you are following the best practices recommended by SailPoint for the Azure Connector. I have recently onboarded Azure AD without any issue.

https://community.sailpoint.com/t5/IdentityIQ-Connectors/8-2-Azure-Active-Directory-Connector/ta-p/196553