EntraID Group Membership Filter not evaluated

What problem are you observing?

I noticed that the Group Membership Filter is not working if the ‘Role’ schema is removed from the application and/or the Roles attribute is removed from the ‘account’ schema. After both are re-added, the filter works properly.

What is the correct behavior?

Since the Group Membership Filter is only applicable to groups, it should work no matter if the Role schema and roles attribute are present or not.

What product feature is this related to?

The EntraID (a.k.a. Azure Active Directory) connector.

What are the steps to reproduce the issue?

  1. Connect your environment to an EntraID instance, using the Azure Active Directory connector
  2. Use this as the Group Filters: NOT groupTypes/any(c:c eq 'DynamicMembership') AND onPremisesSyncEnabled ne true
  3. Use this as the Group Membership Filter: NOT groupTypes/any(c:c eq 'DynamicMembership') AND onPremisesSyncEnabled ne true
  4. Remove the ‘Role’ schema from the application
  5. Remove the roles attribute from the account schema
  6. Run an aggregation and notice that the group membership filter is not considered.
  7. Re-add the Role schema and roles attribute.
  8. Run an aggregation and notice that the group membership filter is again used.

Do you have any other information about your environment that may help?

I’m working on IdentityIQ 8.5p1, but I’d guess this is a problem for ISC as well.