Is there a way to search entitlements by whether the dirSyncEnabled attribute exists?
I know there are multiple ideas submitted to SailPoint for a connector-level filter, but I’m specifically looking for a Search query. dirSyncEnabled is not a searchable attribute and cannot be searched in the UI, hence I’m looking for other possibilities like using the Search API.
You are correct, we cannot search identities based on account attributes. Is there any way you can map that attribute to any Identity profile? Once set up, you can search with this query: “attributes.ATTRIBUTENAME:TrueorFalse”
The topic author is asking about searching entitlement attributes, not identity attributes or account attributes.
For this particular use case, client-side filtering is required. @suresh4iam if you just need this to get an export, the PowerShell SDK will work for this purpose.
Here is a sample PS script that will get an export of directory sync enabled entitlements in your Entra ID source
Thank you, Mark. PS will not work in my case. I could have given more detail about my scenario. Anyway, here is the detail: I’m developing a Workflow where I’m trying to get a list of entitlements from EntraID sources where dirSyncEnabled=true by using the SailPoint Search API.
If dirSyncEnabled is not set in EntraID, it will not bring the attribute into ISC at all; I would expect it to at least bring it as dirSyncEnabled=false. So the only way is to check for the existence of this attribute. Now I’m looking for a Search API where I could extend the search by using this entitlement attribute, and I feel the chances are currently remote.
Hello Suresh,
I am not sure whether this will help. However, the dirSyncEnabled=false from EntraID is available only through a Graph API call embedded in the Entra (Azure AD) connector. You may want to look at this from that perspective too, else your Search API related approach may not work out.
The PS script is an external approach, and the Graph API call is internal and might only work with the Azure AD connector. Even that filter is not allowed in connector-level configuration, at least from the UI.
Thanks, Rahul. I understand that the Graph API is the only way to access the attribute. I need to look into a few more scenarios, like whether there is a way to ignore on-prem AD sync groups in Azure by using a connector filter in a hybrid AD-Azure model.
If I’m able to do that, then Azure-only entitlements get aggregated into ISC and it handles most of my issues in the Workflow.
I am trying to do the same thing and haven’t been able to figure it out. I am syncing my entire Active Directory forest to Entra, which is great until I try to add Entra to SailPoint and it duplicates every group that’s already aggregated from Active Directory. I need a filter that lets me aggregate and manage ONLY the cloud groups.