Azure AD Application Onboarding – Provisioning Policy Error

Hi All,

I’m currently working on onboarding an Azure application. As part of the process, I modified the out-of-the-box provisioning policy to create accounts in Azure AD.

However, while assigning entitlements to a user, I encountered the following error:
Provisioning failed for b6d31345-b552-4f08-a077-ae8466183b95. Entitlement ID: ab25b826-b82f-42ed-84ce-aa4756c1d292 .Response Code - 400 Error - Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration..

Based on my understanding, this means certain attributes that are managed on-premises cannot be updated through Azure AD provisioning. Is that correct?

Also, is there a way to identify which attributes fall into this category so I can exclude them from the provisioning policy?

Appreciate any guidance or suggestions.

If you are using AADC in your environment, you may not be able to modify attributes/objects synced by this process.

Hi @vishal_kejriwal1 ,

How can I find those attributes, so I can remove them from the provisioning policy?

Thanks

I would say discuss with your Azure / AD team.

Hi @vishal_kejriwal1

Sure, I will discuss with the team and get back to you if any help is needed.

Thanks,

@GutteStolt -

Error Explanation

You’re seeing:

“Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration”

This message means:

  • The account is DirSync (on-premises mastered) — typically synced from on-prem AD via Azure AD Connect
  • You cannot update certain attributes directly via Azure AD for these objects because Azure treats the on-premises AD as the source of truth for those properties.

Why Does This Happen?

Microsoft enforces attribute-level write restrictions for DirSync-enabled accounts, meaning:

  • Certain attributes must be managed only from on-prem AD
  • Any attempt to modify them directly in Azure AD (via Graph API or SailPoint provisioning) will result in HTTP 400 errors

How to Identify On-Prem Mastered Attributes?

There are two good ways:

1. Microsoft Documentation

Refer to the official list from Microsoft:

It includes:

  • Which attributes are synced
  • Whether they are read-only in Azure AD
  • Which attributes must be updated on-prem

2. Check the Object’s Source in Azure AD

You can run this query in PowerShell:

Get-AzureADUser -ObjectId <userId> | Select-Object DirSyncEnabled, ImmutableId   # the AzureAD module exposes the on-prem anchor as ImmutableId

If DirSyncEnabled is True, the user is managed from on-prem AD.


To Handle This in SailPoint - You can remove these attributes from the provisioning policy form.

Cheers!!
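The check described in the answer above, carried a step further as an added example (this is not code from the original thread or from SailPoint/Microsoft). It parses the two object IDs out of the SailPoint error text quoted in the opening post, then asks Azure AD whether the target user and the entitlement object are on-premises mastered, because the "on-premises mastered Directory Sync objects" wording applies to both users and groups synced by Azure AD Connect, and group membership on a synced group cannot be changed in the cloud either. It assumes the AzureAD PowerShell module is installed and `Connect-AzureAD` has already been run with directory read permission; the function names `ConvertFrom-ProvisioningError` and `Test-OnPremMastered` are my own. It makes no changes to the directory.

```powershell
# Added example (not part of the original thread): triage a SailPoint provisioning
# failure against Azure AD to see whether the target user, the entitlement object,
# or both are on-premises mastered (synced by Azure AD Connect).
# Assumes: AzureAD module installed, Connect-AzureAD already run. Read-only.

function ConvertFrom-ProvisioningError {
    param([Parameter(Mandatory)][string]$Message)
    # Pull the user object ID and the entitlement ID out of the SailPoint message text.
    $guid = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    $user = [regex]::Match($Message, "Provisioning failed for ($guid)", 'IgnoreCase').Groups[1].Value
    $ent  = [regex]::Match($Message, "Entitlement ID:\s*($guid)", 'IgnoreCase').Groups[1].Value
    [pscustomobject]@{ UserObjectId = $user; EntitlementObjectId = $ent }
}

function Test-OnPremMastered {
    param(
        [Parameter(Mandatory)][string]$UserObjectId,
        [string]$EntitlementObjectId
    )

    $u = Get-AzureADUser -ObjectId $UserObjectId
    $result = [ordered]@{
        User                = $u.UserPrincipalName
        UserDirSyncEnabled  = [bool]$u.DirSyncEnabled      # $null for cloud-only users -> $false
        UserImmutableId     = $u.ImmutableId               # on-prem anchor; empty for cloud-only users
        UserLastDirSync     = $u.LastDirSyncTime
        GroupDirSyncEnabled = $false
    }

    if ($EntitlementObjectId) {
        # The entitlement is usually a group. If it is something else (e.g. an app role),
        # Get-AzureADGroup fails; report that instead of aborting the triage.
        try {
            $g = Get-AzureADGroup -ObjectId $EntitlementObjectId
            $result['Group']               = $g.DisplayName
            $result['GroupDirSyncEnabled'] = [bool]$g.DirSyncEnabled
            $result['GroupLastDirSync']    = $g.LastDirSyncTime
        }
        catch {
            $result['Group'] = "not a group object ($EntitlementObjectId)"
        }
    }

    # Where the fix belongs: writes to synced objects must be made in on-prem AD and
    # flow through Azure AD Connect, so those attributes come out of the cloud policy.
    if ($result['UserDirSyncEnabled'] -and $result['GroupDirSyncEnabled']) {
        $result['Guidance'] = 'User and group are both synced: change attributes and membership in on-prem AD; remove those attributes from the Azure AD provisioning policy.'
    }
    elseif ($result['UserDirSyncEnabled']) {
        $result['Guidance'] = 'User is synced: its on-prem mastered attributes cannot be written via Azure AD; remove them from the provisioning policy form.'
    }
    elseif ($result['GroupDirSyncEnabled']) {
        $result['Guidance'] = 'Group is synced: membership must be managed in on-prem AD, not through cloud provisioning.'
    }
    else {
        $result['Guidance'] = 'Neither object is synced; this 400 is not a DirSync write restriction, look elsewhere.'
    }

    [pscustomobject]$result
}

# Sample input: the error text quoted in the original post.
$msg = 'Provisioning failed for b6d31345-b552-4f08-a077-ae8466183b95. Entitlement ID: ab25b826-b82f-42ed-84ce-aa4756c1d292 .Response Code - 400 Error - Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration..'
$ids = ConvertFrom-ProvisioningError -Message $msg
Test-OnPremMastered -UserObjectId $ids.UserObjectId -EntitlementObjectId $ids.EntitlementObjectId | Format-List
```

The AzureAD module is deprecated; on the Microsoft Graph PowerShell SDK the equivalent user properties are `OnPremisesSyncEnabled`, `OnPremisesImmutableId` and `OnPremisesLastSyncDateTime` (request them explicitly with `Get-MgUser -UserId <id> -Property ...`, since they are not returned by default).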

Hi @sukanta_biswas

Thank you so much for the valuable points. I will investigate and execute the command as you mentioned, and will let you know if any help is needed.

Thanks,