Azure AD Account Aggregation issue

Hi All,

I am stuck at one issue. We have set up Azure AD integration, and when I test the connection it is successful. We do not have an IQ Service configuration, as we are doing provisioning from SailPoint.

When I go to the schema and do a preview for the account object type, I am getting the error "Exception occurred. Error message - Exception occurred in processReadRequest. Error - Exception occurred while trying to receive data from Server. Number of retries exceeded."

While doing the account aggregation I am also getting the same error. I have done the analysis and given all the required permissions, but I am not sure where it is failing.

Group preview and aggregation is working fine.

Can someone please suggest.

I am attaching screenshots of the error and the Azure AD permissions.


Hey @naveendobhal115, there are additional permissions that are required for Azure AD Account management. Please ensure the following permissions are granted to the app registration:

| API / Permissions name | Type | Description | Admin consent required | Status |
|---|---|---|---|---|
| Application.Read.All | Application | Read all applications | Yes | Granted for {Org Name} |
| AppRoleAssignment.ReadWrite.All | Application | Manage app permission grants and app role assignments | Yes | Granted for {Org Name} |
| Directory.AccessAsUser.All | Delegated | Access directory as the signed in user | Yes | Granted for {Org Name} |
| EntitlementManagement.Read.All | Application | Read all entitlement management resources | Yes | Granted for {Org Name} |
| EntitlementManagement.ReadWrite.All | Application | Read and write all entitlement management resources | Yes | Granted for {Org Name} |
| Group.Read.All | Application | Read all groups | Yes | Granted for {Org Name} |
| Group.ReadWrite.All | Application | Read and write all groups | Yes | Granted for {Org Name} |
| Organization.Read.All | Application | Read organization information | Yes | Granted for {Org Name} |
| RoleManagement.Read.Directory | Application | Read all directory RBAC settings | Yes | Granted for {Org Name} |
| RoleManagement.ReadWrite.Directory | Application | Read and write all directory RBAC settings | Yes | Granted for {Org Name} |
| User.Invite.All | Application | Invite guest users to the organization | Yes | Granted for {Org Name} |
| User.Read.All | Application | Read all users’ full profiles | Yes | Granted for {Org Name} |
| User.ReadWrite.All | Application | Read and write all users’ full profiles | Yes | Granted for {Org Name} |
| UserAuthenticationMethod.Read.All | Application | Read all users’ authentication methods | Yes | Granted for {Org Name} |
| UserAuthenticationMethod.ReadWrite.All | Application | Read and write all users’ authentication methods | Yes | Granted for {Org Name} |

You can see a breakdown of these required permissions at this Connector Documentation link.

Once you have granted the necessary permissions, try again and let’s see where we can go from there.

Hi @brennenscott, thanks for the prompt response.

The required API permissions have been added on the Azure portal side. Attaching the screenshot for reference.

However, I am again getting the same error while doing the preview.

sailpoint.connector.AzureADConnector:944 - Exception occurred. Exception occurred in processReadRequest. Error - Exception occurred while trying to receive data from Server. Number of retries exceeded.
sailpoint.connector.ConnectorException: Exception occurred in processReadRequest. Error - Exception occurred while trying to receive data from Server. Number of retries exceeded.
at sailpoint.connector.AzureADConnector.processReadRequest(AzureADConnector.java:1812) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.AzureADConnector.getMap(AzureADConnector.java:1201) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.AzureADConnector.getObjectsMap(AzureADConnector.java:1015) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.AzureADConnector.iterateObjects(AzureADConnector.java:940) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.ConnectorProxy.iterateInternal(ConnectorProxy.java:588) ~[connector-bundle-identityiq.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.ConnectorProxy.iterateObjects(ConnectorProxy.java:558) ~[connector-bundle-identityiq.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.rest.ApplicationResource.testConnector(ApplicationResource.java:289) ~[identityiq.jar:8.1 Build 8cbeb0e-20200220-143938]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_251]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_251]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_251]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:1.8.0_251]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:253) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [jersey-common-2.29.1.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [jersey-common-2.29.1.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [jersey-common-2.29.1.jar:?]

I am still getting the same error on preview: "Exception occurred in processReadRequest. Error - Exception occurred while trying to receive data from Server. Number of retries exceeded".

The required roles are added at the Azure AD end. Please find the screenshot below.

Hey @naveendobhal115 ,

Go through this solution; you might have to delete some attributes that cause trouble during aggregation.

Doc1

Doc2

Retries are exceeded because, when the request fails the first time, the system sends the same request multiple times.

Also ensure your server is up and running (restart if needed).
Please let me know if this solution worked.

Hey @703hardik, I have gone through both of these documents, and when I click preview I still get the same error: “Exception occurred in processReadRequest. Error - Exception occurred while trying to receive data from Server. Number of retries exceeded”. I have not added any new attribute.
Attaching the schema attribute screenshot.

Could you share the account schema?

I have shared the screenshot above

I am also not sure, as you have not added any additional attribute.
However, please try with only the mandatory attributes and then slowly go ahead with one attribute at a time. I know it's a lengthy process, but you will find out which attribute is giving you the error.

@naveendobhal115, look in your CCG log when running an aggregation. I found an error message in my implementation that pointed to a missing API permission that wasn’t included in the documentation: ChannelMember.Read.All or ChannelMember.ReadWrite.All.

{
    "stack": "ccg",
    "pod": "stg02-useast1",
    "connector-logging": "148",
    "clusterId": "1009",
    "buildNumber": "909",
    "apiUsername": "EEdqJYDaVsehgGEL",
    "orgType": "",
    "file": "ChannelMembershipCollector.java",
    "encryption": "1266",
    "connector-bundle-identityiq": "202",
    "line_number": 178,
    "@version": 1,
    "logger_name": "sailpoint.connector.azuread.ChannelMembershipCollector",
    "mantis-client": "1266",
    "class": "sailpoint.connector.azuread.ChannelMembershipCollector",
    "clientId": "3781",
    "source_host": "56ba4021574b",
    "method": "getMembersOfChannel",
    "org": "chk-sb",
    "level": "ERROR",
    "IdentityIQ": "8.0 Build c4f8c7056eb-20230718-073755",
    "message": "Forbidden : Caller does not have the required permissions for accessing this API. AllowedPermissions:'ChannelMember.Read.All,ChannelMember.ReadWrite.All'",
    "pipeline": "1266",
    "@timestamp": "2023-07-26T13:02:15.822Z",
    "thread_name": "pool-109-thread-4",
    "metrics": "1266",
    "region": "us-east-1",
    "request_id": "a490d9f1c7144ea6a478b2d3a70d1123",
    "queue": "stg02-useast1-chk-sb-cluster-1009",
    "SCIM Common": "8.0 Build 00b1f252d1b-20200225-190809"
}
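The CCG entry above is the useful kind of error: Graph's 403 body names the permissions it would have accepted, whereas the "Number of retries exceeded" message earlier in the thread says nothing about why the request failed. The following triage script, an added example and not SailPoint's or Microsoft's code, walks JSON-per-line CCG log entries, pulls the `AllowedPermissions` list out of each Forbidden error, and compares it (and the documented list from the reply above) against the app roles you have actually granted. The two sample log lines are constructed from the entry quoted above with most fields trimmed; the granted set is passed in by hand, for example copied from the app registration's API permissions blade.

```python
"""Triage helper for Azure AD connector aggregation errors (added example, not SailPoint code)."""
import json
import re
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Application-type Graph permissions from the permission list earlier in this thread.
# Directory.AccessAsUser.All is delegated, so it is not an app role and is left out here.
REQUIRED_APP_PERMISSIONS: Set[str] = {
    "Application.Read.All",
    "AppRoleAssignment.ReadWrite.All",
    "EntitlementManagement.Read.All",
    "EntitlementManagement.ReadWrite.All",
    "Group.Read.All",
    "Group.ReadWrite.All",
    "Organization.Read.All",
    "RoleManagement.Read.Directory",
    "RoleManagement.ReadWrite.Directory",
    "User.Invite.All",
    "User.Read.All",
    "User.ReadWrite.All",
    "UserAuthenticationMethod.Read.All",
    "UserAuthenticationMethod.ReadWrite.All",
}

# Graph's 403 body names the permissions that would have been accepted.
ALLOWED_RE = re.compile(r"AllowedPermissions:'([^']*)'")


def permissions_from_forbidden(message: str) -> Set[str]:
    """Return the permission names a Graph 'Forbidden' message lists, or an empty set."""
    match = ALLOWED_RE.search(message)
    if not match:
        return set()
    return {p.strip() for p in match.group(1).split(",") if p.strip()}


def scan_ccg_log(lines: Iterable[str]) -> Dict[str, object]:
    """Walk JSON-per-line CCG entries: collect permission hints from Forbidden errors
    (any one of the listed alternatives satisfies Graph) with the connector class/method
    that hit them, and count 'retries exceeded' errors, which carry no permission detail."""
    hints: Dict[FrozenSet[str], List[Tuple[str, str]]] = {}
    opaque = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a structured entry; skip it
        if entry.get("level") != "ERROR":
            continue
        message = str(entry.get("message", ""))
        alternatives = permissions_from_forbidden(message)
        if alternatives:
            where = (str(entry.get("class", "?")), str(entry.get("method", "?")))
            hints.setdefault(frozenset(alternatives), []).append(where)
        elif "Number of retries exceeded" in message:
            opaque += 1
    return {"hints": hints, "opaque_retry_errors": opaque}


def permission_gaps(granted: Set[str],
                    hints: Dict[FrozenSet[str], List[Tuple[str, str]]]) -> Dict[str, object]:
    """Compare granted app roles against the documented list and the log hints."""
    documented_missing = sorted(REQUIRED_APP_PERMISSIONS - granted)
    # A hint is unsatisfied only when none of its alternatives has been granted.
    unsatisfied = sorted(" or ".join(sorted(alts)) for alts in hints if not (alts & granted))
    return {"documented_missing": documented_missing, "log_hinted_missing": unsatisfied}


# Constructed sample entries modelled on the CCG entry quoted in this thread (fields trimmed).
SAMPLE_LOG = [
    json.dumps({
        "level": "ERROR",
        "class": "sailpoint.connector.azuread.ChannelMembershipCollector",
        "method": "getMembersOfChannel",
        "message": "Forbidden : Caller does not have the required permissions for accessing "
                   "this API. AllowedPermissions:'ChannelMember.Read.All,ChannelMember.ReadWrite.All'",
    }),
    json.dumps({
        "level": "ERROR",
        "class": "sailpoint.connector.AzureADConnector",
        "method": "processReadRequest",
        "message": "Exception occurred in processReadRequest. Error - Exception occurred while "
                   "trying to receive data from Server. Number of retries exceeded.",
    }),
]


def triage(granted: Set[str], lines: Iterable[str] = SAMPLE_LOG) -> Dict[str, object]:
    """One-shot report: what the documented list says is missing, what the log says is missing,
    and how many errors were too generic to attribute to a permission."""
    scan = scan_ccg_log(lines)
    report = permission_gaps(granted, scan["hints"])  # type: ignore[arg-type]
    report["opaque_retry_errors"] = scan["opaque_retry_errors"]
    return report


if __name__ == "__main__":
    # Everything on the documented list granted, nothing for Teams channel membership.
    print(json.dumps(triage(set(REQUIRED_APP_PERMISSIONS)), indent=2))
```

Point the script at a real CCG export with `triage(granted, open("ccg.log"))`. A non-zero `opaque_retry_errors` count with an empty `log_hinted_missing` list means the log never reached a Graph 403, so the fault is upstream of authorization (network path, filters, or schema), which is the situation the original poster describes.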

Hi @vambrale @703hardik @mcheek … I have tried it again and am still getting the same error. I have kept only given name and surname as the two attributes and removed the rest, but preview still throws an error.

After removing the attributes, I restarted the application as well, but still the same error. Attaching the screenshot.
In the logs I am also getting the same error.
sailpoint.connector.AzureADConnector:944 - Exception occurred. Exception occurred in processReadRequest. Error - Exception occurred while trying to receive data from Server. Number of retries exceeded.
sailpoint.connector.ConnectorException: Exception occurred in processReadRequest. Error - Exception occurred while trying to receive data from Server. Number of retries exceeded.
at sailpoint.connector.AzureADConnector.processReadRequest(AzureADConnector.java:1812) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.AzureADConnector.getMap(AzureADConnector.java:1201) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.AzureADConnector.getObjectsMap(AzureADConnector.java:1015) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.AzureADConnector.iterateObjects(AzureADConnector.java:940) ~[connector-bundle.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.ConnectorProxy.iterateInternal(ConnectorProxy.java:588) ~[connector-bundle-identityiq.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.connector.ConnectorProxy.iterateObjects(ConnectorProxy.java:558) ~[connector-bundle-identityiq.jar:8.1 Build a5c9436-20200213-040253]
at sailpoint.rest.ApplicationResource.testConnector(ApplicationResource.java:289) ~[identityiq.jar:8.1 Build 8cbeb0e-20200220-143938]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_251]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_251]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_251]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:1.8.0_251]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) [jersey-server-2.29.1.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) [jersey-server-2.29.1.jar:?]

Could you please send a screenshot of your configuration? Black out anything confidential.

Hi @naveendobhal115,
I would suggest making a fresh application. The identity attribute that you’ve set (in your screenshot) is not even in your schema now.

Make a fresh Azure AD application (as you’ve not done aggregation yet) with the same configuration, and make sure to use the right user and group filters. Maybe the system is not able to read user data due to incorrect filters and is sending out this exception as a response.

Hi @703hardik ,

I removed the old one, created a fresh application, removed the unwanted attributes, and kept only a few attributes.

When I select preview for group, it works fine, but with the account schema preview I again get the same error.

Attaching screenshots of both.


Backing up a second… are you using IIQ or IDN? The screenshots don’t look familiar to me, but I’ve never used IIQ.

SailPoint IIQ.

This is the schema attribute page while onboarding the Azure AD application.

You might find more help asking the people in the IIQ Discussion and Questions topic, as this area of the community is dedicated to IdentityNow (Identity Security Cloud) users.

Someone like @colin_mckibben should be able to move this post to the correct category.

This topic has been moved to IIQ Discussion and Questions

Thanks! How do I mention a category like you did there?

Use the pound # symbol and then start typing the category name. You’ll see a list pop up.
