EntraID Entitlement Aggregation (cloud vs. onpremise)

We have an EntraID source

We are aggregating 100k entitlements. Some of them are Cloud only, and some of them are On-premise synced.

I know we can filter only Cloud entitlements, and the filter works (onPremisesSyncEnabled ne true).

But only when the Owner attribute is removed from the Entitlement group schema. As written here…

Is there a way around it? We need this Owner attribute.

Maybe adding some custom attribute (Cloud / On-premise) and filtering on it without the need for an advanced filter. Or filtering on a Group attribute like dirSyncEnabled eq null or something.

Ivan.

1 Like

With the EntraID source, filtering issues are due to Microsoft Graph API restrictions. To retain the owner attribute while filtering for cloud-only groups, you can simply use non-advanced filters such as startsWith in the schema, or during aggregation you can employ Group Membership Filters to exclude on-premise synced groups.

You can check all the provided information here.

Hi Deepak,

A filter with startsWith will not work. It applies to the group names, right? And the names are completely useless. I mean, there is no logic in them to differentiate whether it is a cloud or an on-premise group.
Can you elaborate a little bit on the second option, “employing Group Membership filters to exclude on-premise groups”?

Because the only way it works is with “onPremisesSyncEnabled ne true”, which is an advanced filter.

E.g. I have these two groups/entitlements…
They have the same name. Just one is Cloud only, and the second is On-premise synced. Both are “Security”.
How could I filter only the cloud group? Without using the advanced filter?

Ivan.

You can add a filterString ( IdentityNow Account Filtering during Account Aggregation - Compass ) to the connector. There is a drawback: the Entitlement Aggregation will grab all groups and then apply the filterString, whereas the Group Filters in the connector filter the groups via MS Graph. This just means your entitlement aggregations will be slower using the filterString.

The filter string below should remove all on-premise groups.

[
  {
    "op": "add",
    "path": "/connectorAttributes/group.filterString",
    "value": "( onPremisesSecurityIdentifier.startsWith(\"S-1\"))"
  }
]
2 Likes
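Added example (not part of this thread, and not SailPoint or Microsoft code): a small Python model of the two filters discussed above, the Graph-side advanced filter `onPremisesSyncEnabled ne true` and the connector-side filterString `onPremisesSecurityIdentifier.startsWith("S-1")`. The sample groups are constructed to look like Microsoft Graph `group` resources; the two groups named "Security" mirror Ivan's pair. Group `g4` (a group whose sync was later removed, leaving a SID but `onPremisesSyncEnabled = false`) is an assumed scenario added to show where the two filters can disagree. The JSON Patch body is only built here, not sent.

```python
"""Local model of the two ways this thread filters Entra ID groups.

Constructed example; it calls neither Microsoft Graph nor SailPoint.
"""
import json

# Constructed sample groups shaped like Microsoft Graph `group` resources
# (not real tenant data). Cloud-only groups carry null in both on-prem
# attributes; a synced group has onPremisesSyncEnabled = true and an
# on-prem SID. Two groups share the name "Security", as in the thread.
SAMPLE_GROUPS = [
    {"id": "g1", "displayName": "Security", "securityEnabled": True,
     "onPremisesSyncEnabled": None, "onPremisesSecurityIdentifier": None},
    {"id": "g2", "displayName": "Security", "securityEnabled": True,
     "onPremisesSyncEnabled": True,
     "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"id": "g3", "displayName": "Finance-Cloud", "securityEnabled": True,
     "onPremisesSyncEnabled": None, "onPremisesSecurityIdentifier": None},
    # Assumed edge case (not from the thread): a group whose sync was later
    # removed, so the flag is false but the on-prem SID is still present.
    {"id": "g4", "displayName": "LegacyApp", "securityEnabled": True,
     "onPremisesSyncEnabled": False,
     "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1203"},
]

# Exactly the connector attribute value posted above.
FILTER_STRING = '( onPremisesSecurityIdentifier.startsWith("S-1"))'


def matches_filter_string(group):
    """Predicate behind the filterString: a group counts as on-prem when its
    onPremisesSecurityIdentifier starts with "S-1". Matching groups are
    dropped by the connector after the full group list has been fetched."""
    sid = group.get("onPremisesSecurityIdentifier")
    return isinstance(sid, str) and sid.startswith("S-1")


def cloud_only_via_filter_string(groups):
    """IDs of groups that survive the connector-side filterString."""
    return [g["id"] for g in groups if not matches_filter_string(g)]


def cloud_only_via_graph_filter(groups):
    """Local equivalent of the Graph advanced filter
    `onPremisesSyncEnabled ne true`: keeps null and false, drops true."""
    return [g["id"] for g in groups if g.get("onPremisesSyncEnabled") is not True]


def graph_cloud_only_request():
    """Pieces a direct Graph call needs for that filter. `ne` is an
    advanced-query operator, so Graph requires ConsistencyLevel: eventual
    together with $count=true, otherwise the request is rejected."""
    return {
        "url": "https://graph.microsoft.com/v1.0/groups",
        "params": {
            "$filter": "onPremisesSyncEnabled ne true",
            "$count": "true",
            "$select": "id,displayName,onPremisesSyncEnabled,onPremisesSecurityIdentifier",
        },
        "headers": {"ConsistencyLevel": "eventual"},
    }


def filter_string_patch():
    """The JSON Patch body from the post above as a Python object. It is
    meant for the source-update PATCH call; this example only builds it."""
    return [{"op": "add",
             "path": "/connectorAttributes/group.filterString",
             "value": FILTER_STRING}]


def disagreements(groups):
    """IDs on which the SID-based filterString and the sync-flag filter
    differ; a non-empty result means the two are not interchangeable."""
    a = set(cloud_only_via_filter_string(groups))
    b = set(cloud_only_via_graph_filter(groups))
    return sorted(a ^ b)


if __name__ == "__main__":
    print("filterString keeps:   ", cloud_only_via_filter_string(SAMPLE_GROUPS))
    print("Graph 'ne true' keeps:", cloud_only_via_graph_filter(SAMPLE_GROUPS))
    print("disagree on:          ", disagreements(SAMPLE_GROUPS))
    print(json.dumps(filter_string_patch(), indent=2))
```

Run it as-is to see which constructed groups each filter keeps. The point of `disagreements` is the check worth running against a real aggregation: if you switch from the Graph-side advanced filter to the connector filterString, diff the resulting entitlement lists once, because the two predicates test different attributes.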

Thank you!

I tested it, and the solution worked. It filtered the cloud entitlements out. Very useful.
No idea why this “filter option” was not also mentioned somewhere in the documentation :)

It also doesn’t appear to be slower. But this may be due to the limited number of cloud entitlements in our test environment.

1 Like