Error Azure Active Directory Role entitlement aggregation

Hi,

I’m trying to pull the Admin Roles from Azure into IDN. I’m pretty sure the app has the right permissions.

Getting the following errors during entitlement aggregation.

Exception during aggregation of Object Type azureEligibleRole on Application Azure Active Directory [source]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application Azure Active Directory [source]

Exception during aggregation of Object Type azureActiveRole on Application Azure Active Directory [source]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application Azure Active Directory [source]

Looks like IDN can pull

azureADActiveRoles
azureADEligibleRoles

Thanks,
Nai

Hi Nai,
Did you follow this part of the documentation?

https://documentation.sailpoint.com/connectors/microsoft/azure_ad/help/integrating_azure_active_directory/manage_azure_pim.html

Hi Kamil,

Looks like I had it checked and tried the filters below. If I uncheck Enable Privileged Identity Management, I can sync entitlements but it doesn’t bring over the built-in roles.

Anything else to check?

We aren’t using PIM.

We would want to be able to pull what admin roles are assigned to whom. This would allow us to do certifications.

Seems like we would need to create a group and assign roles to it. IDN doesn’t appear to be able to see what roles are assigned to the group though.

Anyone else able to get roles assignment for Azure or Exchange Online?

Not an answer to your question, but if you are considering a change on the Azure side, Azure has a feature that can connect Roles to Groups.
Use Microsoft Entra groups to manage role assignments - Microsoft Entra ID | Microsoft Learn

Setting things up that way allows group membership to grant roles. Doing this does ‘lock’ the group membership changes to a higher privileged role (GA and Privileged Role Admin).

Once groups are used to manage roles, I think the standard methods for group membership management should work in SP (granted that the service principal SP is using has the proper permissions in Azure).

As a sidenote, once you do get this connected, are you planning on somehow dealing with all of the replica entitlements (groups) that come from on premise AD? These replicated groups will come into IDN (via account aggregation) even if you are using entitlement filters in the source configuration.

I didn’t understand this at first, and posted here about it: IDN: Source Entitlement filtering only sometimes works? - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum

We are slow to implement the AAD connector because we have a significant number of ‘replica’/synchronized entitlements (groups) from on premise AD (~3500) and these replicas clutter up search/certifications/access history with extra needless data.

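A read-only check for the gap raised in this thread (IDN not showing which roles a role-assignable group carries), added here as an example and not code from SailPoint or Microsoft: it walks the Microsoft Graph role-management API and lists, per role-assignable group, the directory roles directly assigned to it, which is the mapping you would otherwise have to document by hand for certifications. It assumes an app registration with read permissions (RoleManagement.Read.Directory and Group.Read.All are my assumption) and a bearer token you pass in; the `SAMPLE` responses and all ids in them are constructed placeholders so the report can be run offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def graph_fetch(path, token):
    """Real call: fetch one Graph page; relative paths are URL-encoded, nextLinks are used as-is."""
    url = path if path.startswith("https://") else GRAPH + urllib.parse.quote(path, safe="/?=&$',")
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_all(fetch, path):
    """Follow @odata.nextLink so a paged result is never silently truncated."""
    items = []
    while path:
        page = fetch(path)
        items.extend(page.get("value", []))
        path = page.get("@odata.nextLink")
    return items

def role_assignment_report(fetch):
    """Map each role-assignable group to the directory roles directly assigned to it (not PIM eligibility)."""
    names = {d["id"]: d["displayName"] for d in fetch_all(fetch, "/roleManagement/directory/roleDefinitions")}
    report = {}
    for g in fetch_all(fetch, "/groups?$filter=isAssignableToRole eq true&$select=id,displayName"):
        assignments = fetch_all(fetch, f"/roleManagement/directory/roleAssignments?$filter=principalId eq '{g['id']}'")
        report[g["displayName"]] = sorted(names.get(a["roleDefinitionId"], a["roleDefinitionId"]) for a in assignments)
    return report

SAMPLE = {  # constructed Graph responses (placeholder ids, not real role template ids) for an offline run
    "/roleManagement/directory/roleDefinitions": {
        "value": [{"id": "role-ga", "displayName": "Global Administrator"}],
        "@odata.nextLink": GRAPH + "/roleManagement/directory/roleDefinitions?$skiptoken=p2"},
    GRAPH + "/roleManagement/directory/roleDefinitions?$skiptoken=p2": {
        "value": [{"id": "role-exo", "displayName": "Exchange Administrator"}]},
    "/groups?$filter=isAssignableToRole eq true&$select=id,displayName": {
        "value": [{"id": "g1", "displayName": "SG-ExchangeAdmins"}, {"id": "g2", "displayName": "SG-NoRolesYet"}]},
    "/roleManagement/directory/roleAssignments?$filter=principalId eq 'g1'": {
        "value": [{"principalId": "g1", "roleDefinitionId": "role-exo"}, {"principalId": "g1", "roleDefinitionId": "role-ga"}]},
    "/roleManagement/directory/roleAssignments?$filter=principalId eq 'g2'": {"value": []},
}

def sample_fetch(path):
    """Offline stand-in for graph_fetch, serving the constructed SAMPLE pages."""
    return SAMPLE[path]
```

Against a real tenant, call `role_assignment_report(lambda p: graph_fetch(p, token))`; a group with an empty list is role-assignable but currently grants nothing, which is worth catching before a certification campaign.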

Thanks for the reply Chad!

We plan to go the route of creating groups for the roles in regards to Azure instead of directly assigning the role. We have started doing that. Downside seems that SP doesn’t see what role is assigned to the group so we may have to document separately what role is assigned to which group, or add a description in the group.

In regards to the on-prem groups that are synced, that is another can of worms. I was hoping that there was a filter that could be used but it sounds like you have already tried that. There will probably be a lot of complaints from managers when we do our access certifications.

Have you looked into the Exchange Online Admin Roles? I didn’t see them in SP under source entitlements. We are in the process of creating Role Groups for different teams and assigning Exchange Online admin access to the Role Groups. The Role Group I created and assigned to a user isn’t showing up in SP. Not sure what I’m doing wrong.

I did not get that far with our AAD / IDN integration in our sandbox and removed it to restore parity with our prod instance, so I can’t comment on the EXO Roles/ IDN entitlement stuff. However, there are roles in AAD that represent EXO access, EXO admin, Recipient administrator, etc… so they should be exposed as entitlements if you are seeing the other more standard AAD roles.

It looks like that other thread where they talk about entitlement filtering the entitlements discovered via account aggregation might produce a solution. I’m still a little new to IDN, so things like ‘cloud rules at aggregation’ are still a little foggy for me.
