Hello!
We’re integrating our SailPoint IIQ environment with our Azure Entra ID tenant via the built-in connector for this. We have a hybrid environment where accounts are synced from on-prem AD. However, one user can have two accounts in the Entra ID tenant: one normal account and a privileged account. The privileged account is therefore a standalone account and not on-prem managed, i.e. the privileged account has a @onmicrosoft.com UPN.
We want to correlate the privileged Entra ID account to the id cube by using the Manager attribute in Entra and then using that to access the on-prem sAMAccountName from the normal account. Object ID is the standard Identity Attribute for this connector. We have a correlation rule that checks if the aggregated account is privileged. If it is, it looks at the manager attribute. It then finds the link with nativeIdentity = value of manager and looks at the onPremSamAccountName (which is the username on cubes in our environment) of that link to correlate it to the correct cube.
The problem here is that IIQ only reads the UPN of the manager, while I want it to read the objectId of the manager. This is because I can’t query the correct link if the nativeIdentity of the normal account is the objectId while the value of the manager attribute is the UPN. The Object ID of the manager attribute is available when querying users through Graph. It just seems like IIQ is hard-coded to select the UPN instead of the Object ID. A solution could be to create a searchable application attribute, but we’d rather not just for this use case.
Has anyone figured out how to get Object ID of the manager instead of UPN?
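For readers unfamiliar with the rule shape being discussed, here is an added illustration (not the poster's rule) of an IIQ Beanshell correlation rule implementing the logic described above: detect a privileged account, look up the manager's link by nativeIdentity, and correlate on its on-prem sAMAccountName. The attribute names `userPrincipalName`, `manager` and `onPremisesSamAccountName`, and the `.onmicrosoft.com` suffix test, are assumptions; the lookup only succeeds when the manager value and the normal account's nativeIdentity carry the same identifier, which is exactly the UPN-versus-objectId mismatch the post describes, so the rule returns null (leaving the account uncorrelated) instead of guessing.

```java
// IIQ correlation rule (Beanshell). Rule variables supplied by IIQ:
//   context     - SailPointContext
//   application - the Application being aggregated
//   account     - ResourceObject for the aggregated account
//   log         - rule logger
// Attribute names below are assumptions for this example, not the poster's schema.
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;

String upn = (String) account.getAttribute("userPrincipalName");
// Assumed convention: cloud-only privileged accounts carry an onmicrosoft.com UPN.
boolean privileged = (upn != null) && upn.toLowerCase().endsWith(".onmicrosoft.com");
if (!privileged) {
    return null; // not privileged: let the application's default correlation handle it
}

String managerRef = (String) account.getAttribute("manager");
if (managerRef == null || managerRef.trim().length() == 0) {
    log.warn("Privileged account " + upn + " has no manager value; leaving uncorrelated");
    return null;
}

// Find the manager's normal account on the same application. This only matches when
// managerRef holds the same identifier type (objectId) as the link's nativeIdentity.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.and(
    Filter.eq("application.name", application.getName()),
    Filter.eq("nativeIdentity", managerRef)));
List links = context.getObjects(Link.class, qo);

// Refuse to correlate on zero or ambiguous matches: a wrong match would hand a
// privileged account to the wrong identity cube.
if (links == null || links.size() != 1) {
    log.warn("Expected exactly one link for manager '" + managerRef + "', found "
             + (links == null ? 0 : links.size()) + "; leaving " + upn + " uncorrelated");
    return null;
}
Link managerLink = (Link) links.get(0);

// The on-prem sAMAccountName is the identity (cube) name in this environment.
String samAccountName = (String) managerLink.getAttribute("onPremisesSamAccountName");
if (samAccountName == null) {
    return null;
}

Map result = new HashMap();
result.put("identityName", samAccountName);
return result;
```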