Azure AD Application Onboarding – Provisioning Policy Error

Hi All,

I’m currently working on onboarding an Azure application. As part of the process, I modified the out-of-the-box provisioning policy to create accounts in Azure AD.

However, while assigning entitlements to a user, I encountered the following error:
“Provisioning failed for b6d31345-b552-4f08-a077-ae8466183b95. Entitlement ID: ab25b826-b82f-42ed-84ce-aa4756c1d292. Response Code - 400 Error - Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.”

Based on my understanding, this means certain attributes that are managed on-premises cannot be updated through Azure AD provisioning. Is that correct?

Also, is there a way to identify which attributes fall into this category so I can exclude them from the provisioning policy?

Appreciate any guidance or suggestions.

@GutteStolt let me know if you have already checked this link:

Azure AD Group adding error - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

Also, please share the provisioning plan; that would be great.

Hi @pravin_ranjan ,

Yes, I have gone through this post. I can see there is one reply from [Kamil Jakubiak]: “If it is touching groups you won’t be able to write anything there with IIQ.” What does it mean? How can I identify the specified on-premises attributes, so I can remove those from the provisioning plan?

Please find the provisioning form attached.

Thanks
ProvisioningForm.txt (13.4 KB)

@GutteStolt -

Error Explanation

You’re seeing:

“Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration”

This message means:

  • The account is DirSync (on-premises mastered) — typically synced from on-prem AD via Azure AD Connect
  • You cannot update certain attributes directly via Azure AD for these objects because Azure treats the on-premises AD as the source of truth for those properties.

Why Does This Happen?

Microsoft enforces attribute-level write restrictions for DirSync-enabled accounts, meaning:

  • Certain attributes must be managed only from on-prem AD
  • Any attempt to modify them directly in Azure AD (via Graph API or SailPoint provisioning) will result in HTTP 400 errors

How to Identify On-Prem Mastered Attributes?

There are two good ways:

1. Microsoft Documentation

Refer to the official list from Microsoft:

It includes:

  • Which attributes are synced
  • Whether they are read-only in Azure AD
  • Which attributes must be updated on-prem

2. Check the Object’s Source in Azure AD

You can run this query in PowerShell:

# Run Connect-AzureAD first; the AzureAD user object exposes DirSyncEnabled, ImmutableId and LastDirSyncTime (there is no OnPremisesImmutableId property in this module)
Get-AzureADUser -ObjectId <userId> | Select-Object DirSyncEnabled, ImmutableId, LastDirSyncTime

If DirSyncEnabled is True, the user is managed from on-prem AD.


To Handle This in SailPoint - You can remove these attributes from the provisioning policy form.

Cheers!!
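The answer above checks whether the user is synced and then tells you to drop the on-prem mastered attributes from the policy, but it does not show how to find out which of the attributes in your plan are the blocked ones. The script below is an added example written for this thread; it is not code from the original posts, from SailPoint or from Microsoft. Graph rejects a PATCH as a whole when any one property in it is blocked, so the script first reads the user's onPremisesSyncEnabled flag and then, for a synced user, sends each attribute of the plan in its own PATCH and records which ones come back with the 400 message quoted in the question. The transport is injectable: the requests-based one talks to the real Graph endpoint with a bearer token you supply, while the stub at the bottom (constructed for the demo, with an assumed set of on-prem mastered attributes and made-up user IDs) lets it run offline. The error code "Request_BadRequest" in the stub is an assumption; matching is done on the message text from the post.

```python
"""Find which attributes of a provisioning plan Azure AD refuses to write
for an on-premises mastered (directory-synced) user.

Added example for the thread, not SailPoint or Microsoft code. Assumes a
Microsoft Graph bearer token for the real transport; the stub below replaces
the HTTP call so the script runs without a tenant.
"""
import json
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# Message text taken verbatim from the error in the original post.
ONPREM_MASTERED_MSG = (
    "Unable to update the specified properties for on-premises mastered "
    "Directory Sync objects or objects currently undergoing migration"
)

# Transport signature: (method, url, json_body) -> (status_code, body_dict)
Transport = Callable[[str, str, dict], Tuple[int, dict]]


def requests_transport(token: str) -> Transport:
    """Real transport using the requests library (not exercised offline)."""
    import requests  # lazy import so the offline demo needs no network libs

    def call(method: str, url: str, body: dict) -> Tuple[int, dict]:
        r = requests.request(method, url, json=body or None,
                             headers={"Authorization": f"Bearer {token}"})
        return r.status_code, (r.json() if r.content else {})
    return call


def is_onprem_mastered_error(status: int, body: dict) -> bool:
    """True when a 400 carries the on-prem mastered message from the post."""
    msg = body.get("error", {}).get("message", "")
    return status == 400 and ONPREM_MASTERED_MSG in msg


def triage_plan(user_id: str, plan: Dict[str, object],
                call: Transport) -> Tuple[Dict[str, object], List[str]]:
    """Split plan into (attributes Azure AD accepted, attributes it refused).

    1. Read the user's sync state; cloud-only users accept everything.
    2. For synced users, PATCH one attribute per request so the response
       identifies exactly which attribute is on-prem mastered.
    Accepted attributes are really written, so try this on a test user first.
    """
    status, user = call(
        "GET", f"{GRAPH}/users/{user_id}?$select=id,onPremisesSyncEnabled", {})
    if status != 200:
        raise RuntimeError(f"GET user failed: {status} {json.dumps(user)}")
    if not user.get("onPremisesSyncEnabled"):
        return dict(plan), []  # cloud-mastered: nothing to strip

    writable, blocked = {}, []
    for attr, value in plan.items():
        status, body = call("PATCH", f"{GRAPH}/users/{user_id}", {attr: value})
        if status == 204:
            writable[attr] = value
        elif is_onprem_mastered_error(status, body):
            blocked.append(attr)
        else:
            raise RuntimeError(f"PATCH {attr} failed: {status} {json.dumps(body)}")
    return writable, blocked


# --- constructed offline stub standing in for a tenant --------------------
# The attributes the stub treats as on-prem mastered, and the user IDs, are
# assumptions for the demo; a real tenant decides the actual set.
_STUB_ONPREM_ATTRS = {"displayName", "jobTitle", "department"}
_STUB_USERS = {
    "synced-user": {"onPremisesSyncEnabled": True},
    "cloud-only-user": {"onPremisesSyncEnabled": False},
}


def stub_transport(method: str, url: str, body: dict) -> Tuple[int, dict]:
    uid = url.split("/users/")[1].split("?")[0]
    if uid not in _STUB_USERS:
        return 404, {"error": {"code": "Request_ResourceNotFound",
                               "message": "Resource not found"}}
    if method == "GET":
        return 200, {"id": uid, **_STUB_USERS[uid]}
    if _STUB_USERS[uid]["onPremisesSyncEnabled"] and set(body) & _STUB_ONPREM_ATTRS:
        return 400, {"error": {"code": "Request_BadRequest",  # assumed code
                               "message": ONPREM_MASTERED_MSG + "."}}
    return 204, {}


if __name__ == "__main__":
    plan = {"displayName": "Jane Doe", "jobTitle": "Analyst", "usageLocation": "US"}
    ok, bad = triage_plan("synced-user", plan, stub_transport)
    print("remove from provisioning policy:", bad)  # ['displayName', 'jobTitle']
    print("still writable in the cloud:", ok)       # {'usageLocation': 'US'}
```

Once you have the blocked list for a representative synced user, those are the attributes to take out of the Azure AD provisioning policy form (or to route to the on-prem AD application instead); the cloud-only branch shows why a policy that works for cloud users can still fail for synced ones.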