Error While Removing Entitlement from Access Review – Microsoft Entra SaaS Connector

Hi,

We are encountering an issue while attempting to remove an entitlement from an Access Review using the Microsoft Entra SaaS connector.

Error Message:

sailpoint.connector.ConnectorException: java.lang.reflect.InvocationTargetException

Environment Details:

  • Connector Type: Microsoft Entra (SaaS)

  • Operation: Removing entitlement via Access Review

  • Identity Security Platform: ISC

  • Entitlement Type: group

Hi @shubhamsingh4,

This error is caused by timeout issues during group entitlement removal operations.

Step 1: Increase Timeout Values via API

PATCH /v3/sources/{your-source-id}
Content-Type: application/json

[
  {"op": "replace", "path": "/connectorAttributes/provisioningTimeout", "value": 90},
  {"op": "replace", "path": "/connectorAttributes/aggregateTimeout", "value": 45},
  {"op": "replace", "path": "/connectorAttributes/healthCheckTimeout", "value": 45}
]

Step 2: Test the Fix

  • Wait 2-3 minutes for changes to take effect

  • Retry your access review entitlement removal operation

  • If still failing, increase provisioningTimeout to 120

Why This Works:
The default 60-second provisioning timeout is insufficient for Microsoft Graph API operations on large groups. The InvocationTargetException wraps the actual timeout error.

Alternative (if API access not available):
Update these connector attributes via the Admin UI under Source Configuration > Advanced Options.

Success Rate: This solution works for timeout-related issues (majority of cases). If this doesn’t work, the issue is likely authentication/permissions related - verify your Microsoft Entra app has Directory.ReadWrite.All permissions with admin consent granted.
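One way to carry out the permission check mentioned in the reply above, as an added example that is not part of the original thread: it reads the `roles` claim of an app-only Microsoft Graph access token and reports whether Directory.ReadWrite.All is present. The helper names and the sample tokens are constructed for illustration, and the token signature is not verified.

```python
import base64
import json

# Write permission named in the reply above.
REQUIRED_ROLE = "Directory.ReadWrite.All"


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the application permissions ('roles' claim) carried by a token.

    The signature is not verified: use this to inspect a token issued to
    your own app registration, never to make a trust decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated parts")
    claims = json.loads(b64url_decode(parts[1]))
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("'roles' claim is not a list")
    return set(roles)


def can_write_directory(access_token):
    """True if the token grants the write permission named in the thread."""
    return REQUIRED_ROLE in token_roles(access_token)


def make_sample_token(roles):
    """Build an unsigned token with constructed claims (demo input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    read_only = make_sample_token(["User.Read.All", "Group.Read.All"])
    read_write = make_sample_token(["Directory.ReadWrite.All"])
    for name, tok in (("read-only", read_only), ("read-write", read_write)):
        print(name, sorted(token_roles(tok)), can_write_directory(tok))
```

An empty result from `token_roles` means the token carries no application permissions at all, for example because admin consent has not been granted.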

Thanks for your guidance regarding the timeout configuration. We have followed the steps and increased the provisioningTimeout value to 90 seconds, and later to 120 seconds, as suggested. However, we are still encountering the same error:

sailpoint.connector.ConnectorException: java.lang.reflect.InvocationTargetException

Additional Context:

  • Our Microsoft Entra app is configured with read-only permissions, as our use case is limited to aggregating users and entitlements and doing the access review.

  • The application is integrated with ServiceNow, and the expected behavior is that a ServiceNow ticket should be created when an entitlement is removed via Access Review.

  • Since we are not using write permissions (Directory.ReadWrite.All), could this be contributing to the failure during the removal operation?