Azure Dynamic and On-Prem groups breaking lifecycle events

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

During Azure aggregations I do not want on-prem groups or dynamic groups to aggregate. I have a group customization rule that excludes these types of groups. During account aggregation, these groups are added to user application accounts for Azure since they are members of those groups in Azure. However, these groups are not editable in Azure. During the group aggregation, these groups are removed from the entitlement catalog, but the groups remain in identity application accounts for Azure. They will have no object reference if clicked on. This causes issues during lifecycle events if these entitlements are attempted to be removed, since on-prem and dynamic group memberships are not editable through Azure. How can I ensure that these groups are removed from application accounts during group aggregation?

Well, 2 options I see right now:

  1. Make a customization rule to exclude them from aggregations
  2. Make a before-provisioning rule to exclude them from provisioning

The group aggregation successfully excludes these groups. Since these groups exist in Azure though, and Azure users are members of these groups, the groups pull in during the account aggregation. The issue is that the data for filtering (dirSyncEnabled and groupTypes) is in the group aggregation schema, but the groups are first pulled in through the account aggregation. During account aggregation there is no way to determine if a group is on-prem or dynamic. So even though these groups are not in the entitlement catalog, they are still listed in application accounts.

For example, we have an AD group All_Employees. This is synced into Azure as it is an on-prem AD group. All users are a member of this group. In Azure the group ID is 1b83f544… During account agg, the identity will show an entitlement for 1b83f544, and the application account for Azure for the identity will show this 1b83f544 under groups. However, since this is an on-prem group, it will not show up in the entitlement catalog since the group aggregation excluded it.

I was thinking about an account customization rule to exclude them from the memberOf attribute.

The account customization rule worked. I ran group aggregation first, then during account aggregation I check the entitlement catalog to see if the group exists there, and if it does not we remove the group from the application account. This allowed the group filters to also apply during the account aggregation.
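The approach in the last post, as an added example written for this thread rather than the poster's actual rule: an IIQ account customization rule (BeanShell, so plain Java) that keeps only the group values that already exist as ManagedAttributes for the application, which is what the preceding group aggregation with its exclusion filter leaves in the entitlement catalog. The account attribute name `groups` and the ManagedAttribute attribute name `groups` are assumptions; adjust both to the schema's group-membership attribute.

```java
// Account customization rule (assumed rule arguments: object, application, context).
// Keeps a group on the account only if it exists in the entitlement catalog,
// i.e. survived the group customization rule during group aggregation.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.object.ResourceObject;

// Assumption: the Azure account schema holds memberships in a multi-valued "groups" attribute.
String groupAttr = "groups";

Object raw = object.getAttribute(groupAttr);
if (raw == null) {
    return object; // account has no group memberships, nothing to filter
}

// Normalise single string vs. list so both cases are handled the same way.
List groups = new ArrayList();
if (raw instanceof List) {
    groups.addAll((List) raw);
} else {
    groups.add(raw);
}

List kept = new ArrayList();
List dropped = new ArrayList();
for (Object g : groups) {
    String groupId = String.valueOf(g);
    // Look the group up in the entitlement catalog for this application.
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application", application));
    qo.addFilter(Filter.eq("attribute", groupAttr));
    qo.addFilter(Filter.eq("value", groupId));
    int found = context.countObjects(ManagedAttribute.class, qo);
    if (found > 0) {
        kept.add(groupId);
    } else {
        // On-prem / dynamic group excluded by the group customization rule:
        // drop it so no unprovisionable entitlement lands on the identity.
        dropped.add(groupId);
    }
}

if (!dropped.isEmpty()) {
    log.debug("Removing catalog-excluded groups from " + object.getIdentity() + ": " + dropped);
}
object.setAttribute(groupAttr, kept);
return object;
```

Because the lookup depends on the catalog being current, schedule the group aggregation to complete before the account aggregation, as the poster did.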