We recently moved from the VA Based Entra connector to the SaaS connector. Everything has been working fine, until we attempted to add an entitlement to 200+ users. The first 5-10 requests were processed properly, then every additional request shows:
sailpoint.connector.ConnectorException: Command timed out
We have tried adjusting the provisioningTimeout, but haven’t been able to figure out a resolution.
Over the last few weeks I have tried every possible timeout setting, and we still are unable to provision a single entitlement to a large number of Entra Accounts using the SaaS based Entra connector. I have opened a ticket, but so far that hasn’t helped much.
We attempted to add a regular Entra security group to 600+ accounts via a role. The first 10 go through just fine. The next 10 will be provisioned in Entra, but ISC will say the provisioning was incomplete. The rest will not get provisioned in Entra. Then it gets repeated the next time the Role is pushed, with the same results. If there are any other groups being provisioned via Roles or Access Requests, those will also fail.
Support recommended reducing the number of accounts we were provisioning to at one time. We have to do it at 10-20 accounts per run to not run into issues. This is a terrible process for trying to get the entitlement to 600+ accounts.
As a test we tried using the Virtual Appliance based Entra connector, and we were able to provision to 180 accounts in less than 5 minutes with no errors. I am sure it wouldn’t have a problem with 600+ accounts.
There is something wrong with how the SaaS based connector is working, or there is something wrong with the back end SaaS infrastructure.
We are experiencing this as well. We have added timeouts but it does not help. SailPoint is able to provision a bunch of the desired group memberships, but gets rate limited fairly quickly/regularly. None of the provisioning is shown in SailPoint as successful so SailPoint is not aware of what was successful or not. This leads to a failed attempt later when the membership is present already, unless aggregation is done first. Logs in Entra only show a bunch of successful group membership additions.
Glad and also not glad to hear that others are having the same issue.
The connector works fine when only a couple accounts are being assigned entitlements or having entitlements removed. But if 10+ accounts are having their entitlements modified (added or removed) then we run into issues. It could be a single entitlement being assigned to all the accounts, or it could be each account is getting a different entitlement added. The connector just doesn’t work well when there are 10+ changes occurring at the same time.
I seem to be in the same boat as you folks with the SaaS connector. If I try a manual identity refresh on a single identity the provisioning works fine. But on a full refresh I get a wall of errors for provisioning to Entra. Very frustrating.
This issue occurs due to rate limiting on the Microsoft Entra side when SailPoint attempts too many group membership changes in a short span. Even if Entra processes them successfully, SailPoint marks them as failed because no confirmation is received before the timeout. Since ISC doesn’t record them as successful, it retries later — causing conflicts if memberships already exist. To handle this, reduce concurrency or batch sizes in the provisioning policy and increase retry logic or intervals. Additionally, ensure frequent aggregation runs to sync real-time state and prevent redundant retries.
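An added illustration, not from this thread and not SailPoint connector code: assuming the rate-limiting explanation in the post above, this is what a throttle-aware, idempotent bulk membership loop looks like. The names `provision`, `Throttled`, `AlreadyMember` and `FakeDirectory` are hypothetical, and the directory is a constructed stand-in so the example runs offline.

```python
import time

class Throttled(Exception):
    """Target asked the caller to back off (hypothetical; e.g. HTTP 429 + Retry-After)."""
    def __init__(self, retry_after):
        super().__init__(f"retry after {retry_after}s")
        self.retry_after = retry_after

class AlreadyMember(Exception):
    """Membership already exists on the target (hypothetical error type)."""

def provision(add_member, accounts, batch_size=20, max_retries=5, pause=1, sleep=time.sleep):
    """Add each account in small batches; back off on throttling, never fail on duplicates."""
    results = {}
    for start in range(0, len(accounts), batch_size):
        for acct in accounts[start:start + batch_size]:
            results[acct] = "failed"
            for _ in range(max_retries + 1):
                try:
                    add_member(acct)
                    results[acct] = "added"
                    break
                except AlreadyMember:
                    # An earlier timed-out attempt may have landed: desired state is met.
                    results[acct] = "already_present"
                    break
                except Throttled as t:
                    sleep(t.retry_after)  # wait as long as the target asked, then retry
        sleep(pause)  # spacing between batches
    return results

class FakeDirectory:
    """Constructed stand-in for the target: accepts `limit` writes per window."""
    def __init__(self, limit, existing=()):
        self.limit, self.used, self.members = limit, 0, set(existing)
    def add_member(self, acct):
        if self.used >= self.limit:
            raise Throttled(retry_after=2)
        self.used += 1
        if acct in self.members:
            raise AlreadyMember(acct)
        self.members.add(acct)
    def wait(self, seconds):
        self.used = 0  # simulated clock: any wait opens a new window

def demo():
    accounts = [f"acct-{i}" for i in range(600)]  # constructed sample accounts
    directory = FakeDirectory(limit=10, existing=accounts[10:25])
    return provision(directory.add_member, accounts, sleep=directory.wait), directory

if __name__ == "__main__":
    results, _ = demo()
    print({s: list(results.values()).count(s) for s in set(results.values())})
```

The point to take from it is that a membership that already exists is recorded as a satisfied request rather than a failure, which is the state the posts above say only becomes visible after an aggregation.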
Hey @Carlatto,
Thank you for the post. I am not seeing this issue on the VA Based Entra Connector. We were planning to move to the SaaS Based Connector but seeing this I am hesitant to move to SaaS.
The VA connector does not have this issue. We have successfully provisioned an entitlement to over 500 accounts in one pass with the VA connector. But can’t provision more than 20 accounts at a time with the SaaS connector.
If it is a Rate Limit issue, the VA connector must have a different mechanism for handling the limit. Or it isn’t a Rate Limit issue and the SaaS connector has a different issue.
At this point, I wouldn’t recommend switching to the SaaS connector. We are considering moving back to the VA connector, but that is a lot of work.
Just got off a very frustrating call with Support and Engineering about this issue. Went round and round trying to explain it to them. They kept going down rabbit holes and requesting information that had nothing to do with the actual issue.
Is there anyone that will actually listen and has the knowledge and capability to actually fix this issue?
I have an engineer on my team who is very familiar with SaaS connector code in general taking a look at the code to see where the issue might be.
I am going to send you a PM with a meeting invite if you would be willing to meet with us so we can deep dive your issue and figure out the root cause.
Once we understand the root cause we will work with our internal connector team to get the Entra connector updated.
When we identify the issue and fix it, I will loop back here to provide the thread with the details.
If possible please continue to keep the thread updated as you hear more. We reported the same issue a few months ago and after a lot of back and forth continually having to reproduce the issue it ended with us being told to not provision for more than a handful of people at a time with the SaaS connector.
I believe @ManvithaNalabolu06’s point is true. There is definitely rate limiting involved. This issue of failing/time out when a new role with Entra ID group granted to a few hundred users still happens in VA-based Azure Active Directory source as well. So it would be a good idea to run aggregation for the source when a bulk assignment in Entra ID groups is anticipated.
Yes. When we are trying to add a large number of users to Entra groups, we end up running Account Aggregations upwards of 10 times a day until the access is added to all the users.
Hopefully the Bug in the connector gets fixed soon.