EntraID DELTA Entitlement Aggregation

When the DELTA Aggregation flag is checked in ENTRAID source connector….

With next scheduled aggregation…

The DELTA aggregation works for Accounts (only changed accounts are aggregated)

The DELTA aggregation doesn’t work for Entitlements (always full 100k+ entitlements/groups are aggregated)

Why, am I missing something obvious?

Thank you!

Hi @vasilcin3

According to the documentation, this should be supported out of the box.

> Select the Delta Aggregation checkbox to aggregate delta changes for accounts and groups.

Is there any attribute you’re pulling in for the groups that are changing frequently, for example, a sync from on-prem AD to EntraID, which may be triggering the delta aggregation to pull them in?

I would also try removing some non-required attributes from the group schema to see if that fixes your issue.

Hiya,

Have you checked the entitlements schema? Are you pulling back a date/time attribute that is changing regularly?

As far as I can see, no.
In the Group Schema we have the regular EntraID attributes. The only one with “time” is “lastDirSyncTime”, but that exists only for on-premises synced groups. The cloud groups don’t have it, and the on-premises groups are irrelevant anyway, because I filtered them out ( EntraID Entitlement Aggregation (cloud vs. onpremise) - #3 by vasilcin3 ):

```json
[
  {
    "op": "add",
    "path": "/connectorAttributes/group.filterString",
    "value": "( onPremisesSecurityIdentifier.startsWith(\"S-1\"))"
  }
]
```

So now I have only EntraID Cloud groups aggregated, so far so good…

The problem is that the aggregation pulls all Cloud groups, not only the changed/delta Cloud groups.

Group schema:

- description
- dirSyncEnabled
- displayName
- groupTypes
- lastDirSyncTime
- mail
- mailEnabled
- mailNickname
- memberOf
- objectId
- onPremisesSecurityIdentifier
- owners
- proxyAddresses
- securityEnabled
- teamsEnabled

I already checked EntraID with MS Graph Explorer; this is one Cloud group that is always aggregated (as an example). I don’t see any attribute or date/time that changed, so it should not be aggregated, as there is no delta. (I have put ‘xxxxx’ chars in some attributes for security reasons.)

```json
"value": [
    {
        "id": "000022f4-7432-445f-8175-xxxxxx",
        "deletedDateTime": null,
        "classification": null,
        "createdDateTime": "2019-07-05T17:38:54Z",
        "creationOptions": [],
        "description": "GROUP_ACC_I_I:\\PROJEKTE\\xxxxxx",
        "displayName": "ACC_xxxxxx",
        "expirationDateTime": null,
        "groupTypes": [],
        "infoCatalogs": [],
        "isAssignableToRole": null,
        "mail": null,
        "mailEnabled": false,
        "mailNickname": "ACC_xxxxxxx",
        "membershipRule": null,
        "membershipRuleProcessingState": null,
        "onPremisesDomainName": "xxxxxx",
        "onPremisesLastSyncDateTime": null,
        "onPremisesNetBiosName": "xxxxxxx",
        "onPremisesSamAccountName": "ACC_xxxxxxx",
        "onPremisesSecurityIdentifier": null,
        "onPremisesSyncEnabled": null,
        "preferredDataLocation": null,
        "preferredLanguage": null,
        "proxyAddresses": [
            "X500:/o=RWE/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/xxxxxxxx,
        "renewedDateTime": "2019-07-05T17:38:54Z",
        "resourceBehaviorOptions": [],
        "resourceProvisioningOptions": [],
        "securityEnabled": true,
        "securityIdentifier": "S-1-12-1-8948-1147106354-4069291393-xxxxxxx",
        "theme": null,
        "uniqueName": null,
        "visibility": null,
        "onPremisesProvisioningErrors": [],
        "serviceProvisioningErrors": []
    },
```

I really cannot see where the problem might be.

Have you tried a Graph API query where you filter on modifieddatetime being greater than the last aggregation?
The filter parameter doesn’t need to be in the select parameter for it to work. You could always add it to your select parameter to get the info you are after. Maybe add it to your entitlement schema for visibility purposes during aggregation.

My last thought is that the description in the documentation is incorrect.
There is this thread (Is Delta aggregation supported for groups (entitlements) for Custom connector, if yes how to use it? - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community) that is running concurrently to this one, and the consensus over there is that delta aggregation is not supported for entitlements, just users.

Hi @phil_awlings. You’ll see in that other thread that we were talking about a SaaS Web Services connector, where there is no facility for delta entitlement aggregation, but we did say that it is supported for Entra (according to the documentation).

Not sure if this bit helps at all, but reading the info, it appears that the delta brings back all information regardless of whether it’s changed or not, and eyeballing it is difficult. But I’m probably misreading that.

group: delta - Microsoft Graph v1.0 | Microsoft Learn

Further to that, the documentation links are broken:
404 - Content not found

Hi @j_place, what would a filter with modifieddatetime look like? There is no such attribute on groups, and I cannot find any example filter in the MS documentation.

I tried this…

Hi @phil_awlings, I also think this can be a lead. And it could be related to this…

If I use groups/delta in MS graph…

I get only 200 results, with an @odata.nextLink response URL.

What is needed is the @odata.deltaLink response URL, but that is only issued at the end (obviously I have no intention of clicking “next” manually like 500 times to get the response :slight_smile: ), as we have 100k+ groups. I would say it never gets that far, or it doesn’t use the @odata.deltaLink in the response.

But that would mean groups delta aggregation never works for the EntraID source, and I cannot believe nobody noticed that so far.

from documentation:
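To make the nextLink/deltaLink mechanics concrete, here is an added example (not SailPoint's connector code and not Microsoft's) that walks `groups/delta` page by page until the `@odata.deltaLink` appears, stores that link, and then uses it on a second run to receive only the changed and removed groups. The HTTP layer is replaced by an injected `fetch(url)` callable so it runs offline; the pages, group ids and delta tokens below are constructed sample data, and a real client would add an OAuth bearer token and a `$select` of the schema attributes.

```python
"""Walk Microsoft Graph groups/delta until the deltaLink, persist it, and replay it.

Added example, not code from SailPoint or Microsoft. All pages below are
constructed sample responses; only the @odata.nextLink / @odata.deltaLink /
@removed shapes follow the real Graph delta contract.
"""
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample pages keyed by URL. Page 1 and 2 form the initial full
# walk; the tok-A page simulates the next scheduled run returning only changes.
SAMPLE_PAGES: Dict[str, dict] = {
    f"{GRAPH}/groups/delta": {
        "value": [
            {"id": "g-1", "displayName": "ACC_one"},
            {"id": "g-2", "displayName": "ACC_two"},
        ],
        "@odata.nextLink": f"{GRAPH}/groups/delta?$skiptoken=page2",
    },
    f"{GRAPH}/groups/delta?$skiptoken=page2": {
        "value": [{"id": "g-3", "displayName": "ACC_three"}],
        "@odata.deltaLink": f"{GRAPH}/groups/delta?$deltatoken=tok-A",
    },
    f"{GRAPH}/groups/delta?$deltatoken=tok-A": {
        "value": [
            {"id": "g-2", "displayName": "ACC_two_renamed"},
            {"id": "g-3", "@removed": {"reason": "deleted"}},
        ],
        "@odata.deltaLink": f"{GRAPH}/groups/delta?$deltatoken=tok-B",
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; returns the constructed page for a URL."""
    return SAMPLE_PAGES[url]


def walk_delta(fetch: Callable[[str], dict], start_url: str,
               max_pages: int = 10_000) -> Tuple[List[dict], str]:
    """Follow @odata.nextLink pages from start_url and return (items, deltaLink).

    Graph only emits the deltaLink on the final page, so with 100k+ groups at
    ~200 per page this loop must run for hundreds of pages before the token
    needed for an incremental run exists.
    """
    url, items = start_url, []
    for _ in range(max_pages):
        page = fetch(url)
        items.extend(page.get("value", []))
        if "@odata.deltaLink" in page:
            return items, page["@odata.deltaLink"]
        url = page.get("@odata.nextLink")
        if url is None:
            raise ValueError("delta page carries neither nextLink nor deltaLink")
    raise RuntimeError(f"gave up after {max_pages} pages without a deltaLink")


def apply_changes(state: Dict[str, dict], changes: List[dict]) -> Dict[str, dict]:
    """Merge a delta page set into a local group cache; @removed entries drop the group."""
    for item in changes:
        if "@removed" in item:
            state.pop(item["id"], None)
            continue
        attrs = {k: v for k, v in item.items() if not k.startswith("@")}
        state[item["id"]] = {**state.get(item["id"], {}), **attrs}
    return state


def initial_and_incremental(fetch: Callable[[str], dict]):
    """Run a full walk, keep the deltaLink, then replay it as the next run."""
    state: Dict[str, dict] = {}
    full, delta_link = walk_delta(fetch, f"{GRAPH}/groups/delta")
    apply_changes(state, full)
    # In a real connector delta_link would be persisted between scheduled runs.
    incremental, next_delta_link = walk_delta(fetch, delta_link)
    apply_changes(state, incremental)
    return state, len(full), len(incremental), next_delta_link


if __name__ == "__main__":
    cache, n_full, n_incr, link = initial_and_incremental(fake_fetch)
    print(f"full walk returned {n_full} groups, incremental run {n_incr} changes")
    print("next deltaLink:", link)
    print("cached groups:", sorted(cache))
```

The point the sample makes is that an incremental run is only possible if the previous run finished the full page chain and stored the deltaLink; a client that stops after the first page, or that never feeds the stored deltaLink back in, will re-read every group each time, which matches the behaviour described above.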

Apologies, my bad. You are right, there is no modifiedDateTime on Entra Groups.

I opened a SailPoint ticket and got a reply that they checked with the engineering team: the documentation is wrong and DELTA aggregation is not supported for the EntraID source.