Azure AD Group adding error

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hello,

I’m posting because I’ve had a problem with aggregation with Sailpoint and Azure AD for several days.
When I add some entitlement (group in ENTRA) in a User in Sailpoint. I have an error :

Provisioning failed for XXXXXX. Entitlement ID: YYYYYY .Response Code - 400 Error - Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

The rights on API permissions are

Application.Read.All
Directory.Read.All
Group.Read.All
GroupMember.ReadWrite.All
Organization.Read.All
User.Read
User.Read.All

Can you help to understand what might be the problem ?
I have no problem when i connect a user in sailpoint with the user is ENTRA.

Thanks for your help

1 Like
2

Can you check if the permission mentioned in the below documentation is enabled or not.
Required Permissions (sailpoint.com)

Thanks

1 Like
3

I thought I only needed the GroupMember.ReadWrite.All
What permission might be needed to do this action

Thanks you

1 Like
4

If you are using AADC in your environment you may not be able to modify attributes/objects synced by this process.

1 Like
5

Hello
Yes, I am using the Azure Active Directory Connector .
What Can I do to connect add a group in Sailpoint and this appear in ENTRA .

Thank you

1 Like
6

Hey all

Already tried also with

Directory.ReadWriteAll
RoleManagement.ReadWrite.Directory

But the issue remains

7

Hi Ricardo,
AADC stands for AzureADConnect - it’s microsoft tool which allows you to sync on prem AD with Azure. If it is touching groups you won’t be able to write anything there with IIQ.

You have to ask this to AD Admins - they should be able to answer.

1 Like
8

Hello

But I have a connection between sailpoint and Azure AD. Because i can bring useres from AAD to Sailpoint . Its not strange ?
And what can AD Admins do to help on this case ?

9

Aggregation will work without any issues but if you use AADC - see details here

you cannot write attributes which are synced via AADC - you have to write it to the on prem AD and then it will get synced to AAD via AADC.

10

Hello
As the sync is not Bidirectional I only can manage groups directly created in AAD
And for those everything is ok
Thank all for your support

11

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.