Azure AD Provisioning

Hi Everyone,

We have integrated Azure Active Directory source in IdentityNow and the objectId is considered as AccountID and userPrincipalName as AccountName as per the schema.

While creating the user account in Azure AD from IdentityNow, we are not sending objectId in the create profile and IdentityNow is auto-generating the objectId while creating the account.

Randomly I see the following issue with account creation:

[“sailpoint.connector.ConnectorException: Exception occurred. Error message - HTTP not ended OK. Response Code - 400 Error - A password must be specified to create a new user.”]

This error is very random during user creation, and we are sending the password in the create profile using the "Create Password" generator. Our observation from the provisioning activities, comparing success and failure scenarios, is that in failure cases we don't see the objectId being generated and added as the nativeIdentity, while in success cases we can see the objectId being generated and added as the nativeIdentity to the plan.

Any insights for this random issue?

Thanks,
Archana

A couple of recommendations here:

  1. Make sure that the password generator does not allow backslashes (\); there is a known issue that account creation will fail when the password contains backslashes.

  2. To debug, create account logs at debug level with the below loggers only:

  • sailpoint.connector.AzureADConnector
  • sailpoint.connector.azuread
  • org.apache.http.wire

  Clean the log file before collecting the logs, and temporarily disable any loggers other than the above three so that only Azure Active Directory connector related messages are captured.

Visit the Compass links Enabling Connector Logging in IdentityNow or CCG Enable Debug Log by Connector for details on enabling debug on the entire cluster or on an individual VA. Regardless of the preferred method, it is recommended to shut down the other VAs to ensure that the running VA will be the one getting all the tasks and recording all the logs.
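The two failure conditions named in this thread (a create plan reaching Azure AD without a password, and a generated password containing a backslash) can be caught before the connector call is made. The following is an added example, not code from the original posts or from SailPoint: a stand-alone Python script that generates a backslash-free password and runs pre-flight checks over a create plan's attribute map. The plan is represented as a plain dictionary, and the attribute names `password` and `userPrincipalName` are taken from the thread; the dictionary shape and the sample plans are constructed for illustration, and the Azure AD password-complexity classes enforced here are an assumption rather than something the thread states.

```python
"""Pre-flight checks for an IdentityNow -> Azure AD create plan.

Added example (not from the original thread). The plan is modelled as a
plain dict; the only facts taken from the thread are that the create must
carry a password and that a backslash in the password breaks creation.
"""
import secrets
import string

# Character set for generated passwords. The backslash is deliberately
# excluded because the thread reports that Azure AD account creation
# fails when the generated password contains one.
SAFE_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SAFE_SYMBOLS


def generate_password(length: int = 16) -> str:
    """Return a random password with at least one lowercase letter, one
    uppercase letter, one digit and one symbol, and never a backslash.
    The four-class requirement is an assumed complexity policy."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy all classes")
    while True:
        pwd = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pwd)
                and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd)
                and any(c in SAFE_SYMBOLS for c in pwd)):
            return pwd


def check_create_attributes(attrs: dict) -> list:
    """Return a list of problems found in a create plan's attribute map.

    An empty list means the plan passes both checks described in the
    thread: a password is present and it contains no backslash. The
    userPrincipalName check reflects its use as the AccountName."""
    problems = []
    pwd = attrs.get("password")
    if not pwd:
        problems.append("password missing: Azure AD answers 400 "
                        "'A password must be specified to create a new user'")
    elif "\\" in pwd:
        problems.append("password contains a backslash (known to break creation)")
    if not attrs.get("userPrincipalName"):
        problems.append("userPrincipalName missing (used as AccountName)")
    return problems


# Constructed sample plans for demonstration only.
GOOD_PLAN = {"userPrincipalName": "jdoe@example.com", "password": generate_password()}
BAD_PLAN = {"userPrincipalName": "jdoe@example.com", "password": "Pa\\ssw0rd!"}
EMPTY_PLAN = {"userPrincipalName": "jdoe@example.com"}

if __name__ == "__main__":
    for name, plan in [("good", GOOD_PLAN), ("backslash", BAD_PLAN), ("no password", EMPTY_PLAN)]:
        print(name, "->", check_create_attributes(plan) or "OK")
```

Running the script prints `OK` for the generated plan and one problem each for the constructed backslash and missing-password plans; the same check could be applied to the provisioning plan before the connector is invoked, so that a plan that would fail with the 400 above is visible without having to enable the wire-level loggers first.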