We want to filter certain groups from Entra ID. The issue is even if we filter the groups using the group refresh rule, it still shows up in the user attributes as the user is assigned to that group.
Is there a way to filter the groups in such a way that they are just ignored by IIQ? We want to achieve the below:
The group should not show up in the Entitlement catalog.
The group should not show up in the application link of the identity, even if the identity has that particular group assigned to it in Entra ID.
Filtering groups in the Group Refresh Rule only affects entitlement aggregation/catalog, not how memberships appear on user accounts. If a user is assigned to a group in Entra ID, IIQ will still reflect that membership on the application link, even if the group itself was filtered.
If you want the group to be completely ignored by IIQ (not in catalog and not on identities), you need to filter it at account aggregation time, not group aggregation.
How it works is:
By using a customization rule, remove the unwanted group values from the user’s group/entitlement attribute before the account link is saved.
@rishavghoshacc Have you tried Group Membership Filter available in app configuration? This filter defines the scope of group membership included in account aggregation.
ex:
startswith(displayName,'Group_A')
onPremisesSyncEnabled ne true
@rishavghoshacc For this you need to write a customization rule only. The Group Refresh rule stops managed attribute object creation, but the groups can still come in as part of account aggregation. You should write a customization rule where you can read the ResourceObject, review the groups assigned, and then remove the groups which you don’t want.
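The customization-rule approach described in the replies above, as an added example that is not code from any poster or from SailPoint: a ResourceObject Customization rule body (BeanShell) that strips excluded groups from the account before the link is saved. Assumptions: the account schema attribute holding memberships is named `groups`, and the two excluded values are placeholders to be replaced with the values exactly as they appear in that attribute in your aggregation data.

```java
// Added example: body of a ResourceObject Customization rule (BeanShell).
// IIQ supplies "object" (the ResourceObject being aggregated) and "log".
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Assumption: account schema attribute that carries group memberships.
String GROUP_ATTR = "groups";

// Placeholders: replace with the group values as they appear on the account.
Set excluded = new HashSet();
excluded.add("EXCLUDED_GROUP_VALUE_1");
excluded.add("EXCLUDED_GROUP_VALUE_2");

// The rule also fires during group aggregation; leave group objects alone.
if (object == null || "group".equalsIgnoreCase(object.getObjectType())) {
    return object;
}

Object raw = object.getAttribute(GROUP_ATTR);
if (raw == null) {
    return object; // account has no memberships
}

// A single membership can arrive as a bare value instead of a List.
List current = new ArrayList();
if (raw instanceof List) {
    current.addAll((List) raw);
} else {
    current.add(raw);
}

List kept = new ArrayList();
for (Object value : current) {
    if (value != null && excluded.contains(value.toString())) {
        log.debug("Dropping excluded group from account " + object.getIdentity());
    } else {
        kept.add(value);
    }
}

// Write back only when something was removed.
if (kept.size() != current.size()) {
    object.setAttribute(GROUP_ATTR, kept);
}
return object;
```

Because the rule changes what IIQ records on the link, certifications and policy checks in IIQ will no longer see those memberships even though they still exist in Entra ID.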
Hi @rishavghoshacc ,
In this case, if you don’t want to see the group when you identity’s application accounts, you have to use groupMembership filters. It is for filtering groups of the accounts, same like group filters.