We have an Azure connector and just want to bring in one group name instead of them all. I am able to pull everything in, but the group filter is not kicking in. I wanted to know if anyone has done the below before. I feel like I am overthinking this today.
If you have already aggregated the groups, then changing the filter will not remove the aggregated groups and bring in that one group alone. I also tried something similar, but was unsuccessful. Another solution is to recreate a new source and give this filter condition in the initial entitlement aggregation itself. Please try if that works.
Tried to rebuild the application; however, it is still pulling in all the 2,000 groups. I feel like I need to do it with the advanced option with the new Graph API, but that is unknown to the team, so a lot of trial and error. Thank you for any help on this to whoever leaves a comment.
Exception during aggregation of Object Type group on Application Azure Data Factory (Prod) [source]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application Azure Data Factory [source] Exception occurred in Iterate Objects. Error message - sailpoint.connector.ConnectorException: Exception occurred in processReadRequest. Error - Response Code - 400 Error - 400 Invalid filter clause: There is an unterminated string literal at position 63 in ‘securityEnabled eq true and (startswith(displayName,‘AZ-Edh’’))'.
The filter expression contains both single and double quotes within the displayName value. This can lead to syntax errors if not balanced correctly. To ensure proper syntax, use the following filter:
securityEnabled eq true and (startswith(displayName, 'AZ-Edh'))
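As an added example (not from the thread and not SailPoint code), a small Python lint for a group filter string before it is saved to the source configuration. It flags typographic quotes and string literals left open by a stray quote, since OData treats a doubled `''` as an escaped quote inside a literal; the function name and the sample filters are constructed for illustration.

```python
TYPOGRAPHIC_QUOTES = "\u2018\u2019\u201c\u201d"  # curly quotes pasted from docs or chat

def lint_odata_filter(expr):
    """Return (offset, message) findings for an OData $filter string."""
    findings = [(i, f"typographic quote U+{ord(c):04X}, use ASCII '")
                for i, c in enumerate(expr) if c in TYPOGRAPHIC_QUOTES]
    i, n, depth = 0, len(expr), 0
    while i < n:
        ch = expr[i]
        if ch == "'":                      # start of a string literal
            start, closed = i, False
            i += 1
            while i < n:
                if expr[i] == "'":
                    if i + 1 < n and expr[i + 1] == "'":
                        i += 2             # '' is an escaped quote, literal continues
                        continue
                    closed = True
                    i += 1
                    break
                i += 1
            if not closed:                 # ran off the end of the input
                findings.append((n, f"unterminated string literal opened at offset {start}"))
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                findings.append((i, "unmatched ')'"))
                depth = 0
        i += 1
    if depth > 0:
        findings.append((n, f"{depth} unclosed '('"))
    return findings

# Constructed samples: a stray extra quote, the corrected filter, and curly quotes.
BAD = "securityEnabled eq true and (startswith(displayName,'AZ-Edh''))"
GOOD = "securityEnabled eq true and (startswith(displayName, 'AZ-Edh'))"
SMART = "startswith(displayName,\u2018AZ-Edh\u2019)"

if __name__ == "__main__":
    for name, f in (("BAD", BAD), ("GOOD", GOOD), ("SMART", SMART)):
        print(name, lint_odata_filter(f) or "ok")
```

With the stray quote, the parentheses after it are swallowed into the literal, so the lint reports both the open literal and the unclosed parentheses at the end of the input.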
I got it to work. There is an extra step that is not in the white pages that needs to be added. Unless you add the access type, it will pull everything in and look like it is not working. Once I filtered in the UI to just look at the group, I was able to pull in just the group I needed and nothing else.
Unfortunately, you will still have a problem about entitlements showing up in your AAD source if you are doing a user aggregation.
When you do a user aggregation, ISC will add entitlements back in from the user aggregation it discovers that are listed on the user.
There is currently no easy way to prevent this (there is no entitlement filter option) that applies to the user aggregation entitlement discovery that is happening.
We encountered this with groups that are replicated from AD into our AAD. (We do not want our AD groups listed as duplicate entitlements in our AAD source).
There is a possibility to use the new cloud only AAD connector with a “customizer” to possibly filter groups during user aggregation, but we have not had a chance to experiment with this.
TBH, with the # of companies that replicate their AD Groups into AAD, it’s a little disappointing that there is not an OOTB way to filter these out. Before we removed our AAD source, we had 3000+ duplicate entitlements, all from the user aggregation.