Error in Provisioning Entra ID Group

We are trying to create an Entra ID group from SailPoint with members. The group is provisioned successfully, but a few attributes are not set correctly on the group. We are trying to create a Teams-enabled group with members in it. When SailPoint tries to set the Teams Enabled flag to True, Entra gives the error below:

    <ProvisioningResult status="failed">
      <Errors>
        <Message key="Team activation for group failed : Team owner not found for group <Group ID>." type="Error"/>
      </Errors>
    </ProvisioningResult>
    <Value>
      <Boolean>true</Boolean>
    </Value>

Setting the owners in the same provisioning plan gives the error below:

    AttributeRequest name="owners" op="Add" — Add/Remove owners failed for group id :<Group_D>Response Code - 404 Error - Resource '<Owner_ID>' does not exist or one of its queried reference-property objects are not present.

The Owners being passed are the UPN values of the Entra Account which exists on the Entra Side.

Any help on resolving this would be highly appreciated.

The errors you are encountering are due to a mismatch between the attribute format SailPoint is sending and what the Microsoft Graph API (via Entra ID) expects for group owners.

The error Resource '<Owner_ID>' does not exist occurs because you are passing the UserPrincipalName (UPN) for the owners attribute.

  • Issue: While UPNs are unique, the Entra ID connector (and the underlying Graph API) requires the Object ID (GUID) of the user to establish a relationship like ownership. When you pass a UPN, Entra ID looks for a resource with that literal string as its ID, fails to find it, and returns a 404.

  • Fix: You must update your Provisioning Policy or Rule to pass the Object ID of the owners instead of their UPN.

The error Team activation for group failed : Team owner not found is a direct consequence of the first error.

  • Issue: Microsoft Teams requires at least one valid owner to be present at the moment of activation. Because the owner assignment failed (due to the UPN/Object ID mismatch), the group was created with zero owners. When SailPoint then tried to set teamsEnabled to true, Entra ID rejected the request because a Team cannot exist without an owner.

  • Fix: Once you fix the owners attribute to use Object IDs, the owner assignment will succeed, and the subsequent Team activation will have the required owner context to complete.

Rule Example: Retrieving Entra ID Object ID

    import sailpoint.object.Identity;
    import sailpoint.object.Link;
    import sailpoint.object.Application;
    import sailpoint.api.SailPointContext;
    import org.apache.log4j.Logger;

    public String getEntraIdObjectId(SailPointContext context, Identity identity, String applicationName) throws Exception {
        Logger log = Logger.getLogger("rule.getEntraIdObjectId");

        // Validate the inputs before dereferencing them
        if (identity == null) {
            log.error("Identity object is null.");
            return null;
        }
        if (applicationName == null || applicationName.isEmpty()) {
            log.error("Application name is null or empty.");
            return null;
        }
        log.debug("Entering getEntraIdObjectId rule for identity: " + identity.getName() + " on application: " + applicationName);

        Application application = context.getObjectByName(Application.class, applicationName);
        if (application == null) {
            log.error("Application '" + applicationName + "' not found.");
            return null;
        }

        // Get the Link (account) for the identity on the specified Entra ID application
        Link entraIdLink = identity.getLink(application);

        if (entraIdLink != null) {
            // The account's native identity is returned as the Entra ID Object ID
            String objectId = entraIdLink.getNativeIdentity();
            log.debug("Found Entra ID Object ID for '" + identity.getName() + "': " + objectId);
            return objectId;
        } else {
            log.warn("No Entra ID account found for identity '" + identity.getName() + "' on application '" + applicationName + "'.");
            return null;
        }
    }

    // Example usage if this were a standalone rule called from a Transformation or another rule:
    // Assuming 'identity' and 'applicationName' are passed as arguments
    // String objectId = getEntraIdObjectId(context, identity, "My Entra ID Application");
    // return objectId;

    // If used as a Field Value Rule in a Provisioning Policy, the 'identity' object is usually available
    // and 'applicationName' would be the name of your Entra ID application.
    // For example, in a Field Value Rule for the 'owners' attribute:
    // return getEntraIdObjectId(context, identity, "Your Entra ID Application Name");

Example Rule Body for owners attribute:

    import sailpoint.object.Identity;
    import sailpoint.object.Link;
    import sailpoint.object.Application;
    import sailpoint.api.SailPointContext;
    import org.apache.log4j.Logger;

    Logger log = Logger.getLogger("rule.EntraIdOwnerObjectId");
    String applicationName = "Your Entra ID Application Name"; // IMPORTANT: replace with your actual application name

    if (identity == null) {
        log.error("Identity object is null in owner rule.");
        return null;
    }

    Application application = context.getObjectByName(Application.class, applicationName);
    if (application == null) {
        log.error("Application '" + applicationName + "' not found in owner rule.");
        return null;
    }

    Link entraIdLink = identity.getLink(application);

    if (entraIdLink != null) {
        String objectId = entraIdLink.getNativeIdentity();
        log.debug("Returning Entra ID Object ID for owner '" + identity.getName() + "': " + objectId);
        return objectId;
    } else {
        log.warn("No Entra ID account found for owner identity '" + identity.getName() + "' on application '" + applicationName + "'. Returning null.");
        return null;
    }
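
A pre-flight check for the two failures discussed in this thread, added here as an example; it is plain Java with no SailPoint API calls and is not the answer author's or SailPoint's code. The class and method names (`OwnerPreflight`, `check`) are hypothetical, and the sample owner values are constructed.

```java
import java.util.*;
import java.util.regex.Pattern;

/** Pre-flight check for a group-create request: owners must be object IDs (GUIDs). */
public class OwnerPreflight {
    // Canonical 8-4-4-4-12 hex GUID, the shape of an Entra ID object ID.
    private static final Pattern GUID = Pattern.compile(
        "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$");

    /** Returns the problems found; an empty list means the request can be sent. */
    public static List<String> check(List<String> owners, boolean teamsEnabled) {
        List<String> problems = new ArrayList<>();
        int validOwners = 0;
        if (owners != null) {
            for (String raw : owners) {
                String value = (raw == null) ? "" : raw.trim();
                if (GUID.matcher(value).matches()) {
                    validOwners++;
                } else if (value.contains("@")) {
                    // A UPN here is what produces the 404 "Resource ... does not exist".
                    problems.add("owner '" + value + "' looks like a UPN; resolve it to the account's object ID first");
                } else {
                    problems.add("owner '" + value + "' is not a GUID object ID");
                }
            }
        }
        // Without a valid owner, Team activation fails with "Team owner not found".
        if (teamsEnabled && validOwners == 0) {
            problems.add("teamsEnabled=true requires at least one owner with a valid object ID");
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real tenant.
        String guid = "11111111-2222-3333-4444-555555555555";
        System.out.println(check(Arrays.asList("alice@example.com"), true)); // two problems
        System.out.println(check(Arrays.asList(guid), true));                // no problems
        System.out.println(check(Arrays.asList(guid, "bob@example.com"), false)); // one problem
    }
}
```

Running the check before the request is sent lets the rule stop with a clear message instead of leaving a group that was created with no owners.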