Entra SaaS connector provisioning issue

We recently moved from the VA-based Entra connector to the SaaS connector. Everything has been working fine, until we attempted to add an entitlement to 200+ users. The first 5-10 requests were processed properly, then every additional request shows:

sailpoint.connector.ConnectorException: Command timed out

We have tried adjusting the provisioningTimeout, but haven’t been able to figure out a resolution.

Has anyone run into this issue?

I had a similar problem. I increased the timeout value to 90 and it worked for me.

provisioningTimeout

Description: This parameter is set for provisioning timeout.

Resolution: The default value is 60 seconds. If the timeout error continues, increase the value in 15 second increments and try again.

For example,

If your current time value is 60 seconds, update the provisioningTimeout attribute as follows:

[
  {
    "op": "replace",
    "path": "/connectorAttributes/provisioningTimeout",
    "value": 90
  }
]
2 Likes

We previously set it to 90. I will try to bump it up higher and see what happens.

Over the last few weeks I have tried every possible timeout setting, and we still are unable to provision a single entitlement to a large number of Entra Accounts using the SaaS based Entra connector. I have opened a ticket, but so far that hasn’t helped much.

We attempted to add a regular Entra security group to 600+ accounts via a role. The first 10 go through just fine. The next 10 will be provisioned in Entra, but ISC will say the provisioning was incomplete. The rest will not get provisioned in Entra. Then it gets repeated the next time the Role is pushed, with the same results. If there are any other groups being provisioned via Roles or Access Requests, those will also fail.

Support recommended reducing the number of accounts we were provisioning to at one time. We have to do it at 10-20 accounts per run to not run into issues. This is a terrible process for trying to get the entitlement to 600+ accounts.

As a test we tried using the Virtual Appliance based Entra connector, and we were able to provision to 180 accounts in less than 5 minutes with no errors. I am sure it wouldn’t have a problem with 600+ accounts.

There is something wrong with how the SaaS based connector is working, or there is something wrong with the back end SaaS infrastructure.

@colin_mckibben can you help out with this?

We are experiencing this as well. We have added timeouts but it does not help. SailPoint is able to provision a bunch of the desired group memberships, but gets rate limited fairly quickly/regularly. None of the provisioning is shown in SailPoint as successful, so SailPoint is not aware of what was successful or not. This leads to a failed attempt later when the membership is present already, unless aggregation is done first. Logs in Entra only show a bunch of successful group membership additions.

Edit: using the Microsoft Entra (SaaS) connector

1 Like

Glad and also not glad to hear that others are having the same issue.

The connector works fine when only a couple of accounts are being assigned entitlements or having their entitlements removed. But if 10+ accounts are having their entitlements modified (added or removed) then we run into issues. It could be a single entitlement being assigned to all the accounts, or it could be each account is getting a different entitlement added. The connector just doesn’t work well when there are 10+ changes occurring at the same time.

I seem to be in the same boat as you folks with the SaaS connector. If I try a manual identity refresh on a single identity the provisioning works fine. But on a full refresh I get a wall of errors for provisioning to Entra. Very frustrating.

Hi

This issue occurs due to rate limiting on the Microsoft Entra side when SailPoint attempts too many group membership changes in a short span. Even if Entra processes them successfully, SailPoint marks them as failed because no confirmation is received before the timeout. Since ISC doesn’t record them as successful, it retries later — causing conflicts if memberships already exist. To handle this, reduce concurrency or batch sizes in the provisioning policy and increase retry logic or intervals. Additionally, ensure frequent aggregation runs to sync real-time state and prevent redundant retries.

Thanks
Manvitha.nalabolu

1 Like
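
An added illustration of the behaviour described in the reply above (not part of the thread, and not SailPoint's or Microsoft's code): a Python simulation comparing a client that treats every error as final with one that waits out the throttle interval and treats an existing membership as success. `FakeDirectory`, `provision`, the burst of 10 writes per window and the status handling are all assumptions made for the model.

```python
class FakeDirectory:
    """Constructed stand-in for a throttled group-membership API."""
    def __init__(self, burst=10, window=2.0):
        self.members = set()
        self.burst, self.window = burst, window
        self.window_start, self.count = 0.0, 0

    def add_member(self, user, now):
        if now - self.window_start >= self.window:   # new throttle window
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count > self.burst:                   # throttled: 429 + retry delay
            return 429, self.window - (now - self.window_start)
        if user in self.members:                      # duplicate add is rejected
            return 400, "already exists"
        self.members.add(user)
        return 204, None


def provision(api, users, idempotent=True, max_attempts=5):
    """Return {user: 'ok' | 'failed'} using a simulated clock (no real sleeping)."""
    clock, results = 0.0, {}
    for user in users:
        results[user] = "failed"
        for _ in range(max_attempts):
            status, detail = api.add_member(user, clock)
            if status == 204:
                results[user] = "ok"
                break
            if not idempotent:
                break                                  # naive: any error is final
            if status == 400 and detail == "already exists":
                results[user] = "ok"                   # desired state already holds
                break
            if status == 429:
                clock += detail                        # wait out the delay, retry
    return results


def demo():
    users = [f"user{i}" for i in range(600)]          # constructed sample accounts
    naive = provision(FakeDirectory(), users, idempotent=False)
    careful_api = FakeDirectory()
    careful_api.members.add("user0")                  # applied earlier, never confirmed
    careful = provision(careful_api, users, idempotent=True)
    return (sum(v == "ok" for v in naive.values()),
            sum(v == "ok" for v in careful.values()))
```

In this model the naive client reports 10 of 600 accounts as provisioned, while the client that honours the retry delay and accepts "already exists" reports all 600.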

Hey @Carlatto,
Thank you for the post. I am not seeing this issue on the VA-based Entra connector. We were planning to move to the SaaS-based connector, but seeing this I am hesitant to move to SaaS.

Thanks

The VA connector does not have this issue. We have successfully provisioned an entitlement to over 500 accounts in one pass with the VA connector. But can’t provision more than 20 accounts at a time with the SaaS connector.

If it is a Rate Limit issue, the VA connector must have a different mechanism for handling the limit. Or it isn’t a Rate Limit issue and the SaaS connector has a different issue.

At this point, I wouldn’t recommend switching to the SaaS connector. We are considering moving back to the VA connector, but that is a lot of work.