Error Azure Active Directory Role entitlement aggregation


I’m trying to pull the Admin Roles from Azure into IDN. I’m pretty user the app has the right permissions.

Getting the following errors during entitlement aggregation.

Exception during aggregation of Object Type azureEligibleRole on Application Azure Active Directory [source]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application Azure Active Directory [source]

Exception during aggregation of Object Type azureActiveRole on Application Azure Active Directory [source]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application Azure Active Directory [source]

Looks like IDN can pull



Hi Nai,
Did you follow this part of the documentation?

Hi Kamil,

Looks like I had it checked and tried the filters below. If I uncheck Enable Privileged Identity Management, I can sync entitlements but it doesn’t bring over the built in roles.

Anything else to check?

We aren’t using PIM.

We would want to be able to pull what admin roles are assigned to whom. This would allow us to do certifications.

Seems like we would need to create a group and assign roles to it. IDN doesn’t appear to be able to see what roles are assigned to the group though.

Anyone else able to get roles assignment for Azure or Exchange Online?

Not an answer to your question, but if you are considering a change on the Azure side, Azure has a feature that can connect Roles to Groups.
Use Microsoft Entra groups to manage role assignments - Microsoft Entra ID | Microsoft Learn

Setting things up that way allows group membership to grant roles. Doing this does ‘lock’ the group membership changes to a higher privileged role (GA and Privileged Role Admin).

Once groups are used to manage roles, I think the standard methods for group membership management should work in SP (granted that the service principal SP is using has the proper permissions in Azure).

As a sidenote, once you do get this connected, are you planning on somehow dealing with all of the replica entitlements (groups) that come from on premise AD? These replicated groups will come into IDN (via account aggregation) even if you are using entitlement filters in the source configuration.

I didn’t understand this at first, and posted here about it: IDN: Source Entitlement filtering only sometimes works? - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum

We are slow to implement the AAD connector because we have a significant number of ‘replica’/synchronized entitlements (groups) from on premise AD (~3500) and these replicas clutter up search/certifications/access history with extra needless data.

1 Like

Thanks for the reply Chad!

We plan to go the route of creating groups for the roles in regards to Azure instead of directly assigning the role. We have started doing that. Downside seems that SP doesn’t see what role is assigned to the group so we may have to document separately what role is assigned to which group, or add a description in the group.

In regards to the on-prem groups that are synced, that is another can of worms. I was hoping that there was a filter that could be used but it sounds like you have already tried that. There will probably be a lot of complaints from managers when we do our access certifications.

Have you looked into the Exchange Online Admin Roles? I didn’t see them in SP under source entitlements. We are in the process of creating Role Groups for different teams and assigning Exchange Online admin access to the Role Groups. The Role Group I created and assigned to a user isn’t showing up in SP. Not sure what I’m doing wrong.

I did not get that far with our AAD / IDN integration in our sandbox and removed it to restore parity with our prod instance, so I can’t comment on the EXO Roles/ IDN entitlement stuff. However, there are roles in AAD that represent EXO access, EXO admin, Recipient administrator, etc… so they should be exposed as entitlements if you are seeing the other more standard AAD roles.

It looks like that other thread where they talk about entitlement filtering the entitlements discovered via account aggregation might produce a solution. I’m still a little new to IDN, so things like? cloud rules at aggregation? is still a little foggy for me.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.