Azure AD Source - skipping entitlements that are synced from on prem

We are trying to figure out how to either skip the on prem synced groups in the Azure AD source when it’s aggregating OR filter them out when creating a certification using the API searches.

There are some distinct attributes for the on prem synced groups, but they don’t appear to be searchable since they are in the “Additional Attributes” section. Also the group filter on the source configuration doesn’t appear to like the NOT filter.

Any ideas?

1 Like

Here are 3 scenarios that might help:

  1. Only aggregate cloud only accounts, groups and group membership for Azure: “filterString”: “dirSyncEnabled == true” (this will not aggregate any of the sync’d accounts or entitlements in)
  2. Aggregate all accounts and group memberships, but cloud only groups for the entitlement list: add (dirSyncEnabled -ne true) on the groups filter in the UI…this DOES NOT filter out the sync’d group memberships, and would still appear on a certification
  3. Aggregate all accounts and only cloud only groups and cloud only group memberships: not currently possible, but you can vote on this idea:

Thanks Jill! #2 doesn’t work because the entitlement filter doesn’t like the “ne”. ```
Caused by: sailpoint.connector.ConnectorException: Exception occurred in Iterate Objects. Error message - Exception occurred in processReadRequest. Error - Response Code - 400 Error - 400 Unsupported property filter clause operator ‘NotEqualsMatch’

Unfortunately for #1, I still want the accounts that aren't cloud only, so that won't work for me either.

I did vote up the idea.  Thank you for pointing that out to me.

If you remove the expanded attributes in the schemas, ne should work (remove owners from the group entitlement schema). I had the syntax wrong above, but I don’t know how to edit a previous comment. It’s (dirSyncEnabled ne true)

Found in this documentation: Aggregation Settings

For the Azure Active Directory source, the Azure API does not support advanced query filters (NOT , ENDSWITH , and NE ) along with expanded attribute such as manager in the URL. Now, while using the advanced filters, ensure that you remove the manager attribute from account schema and remove the owners attribute from groups schema.

Update: Nevermind, I got the schema updated and the filter worked! Thank you so much for your help!

Thanks for that documentation. I am trying to update the Schema using the API and running into issues. I’m using this replace-schema | SailPoint Developer Community & getting "cannot consume content type. I can open a support ticket if that makes sense, but I figured I should ask here first.

1 Like