Which IIQ version are you inquiring about?
8.4
Share all details about your problem, including any error messages you may have received.
We got the “IdentityIQ Cloud Governance” license to manage resources in Azure (and then Google and AWS). We received some basic initial steps from the SailPoint CSM (i.e. modify the Azure app XML in 2 places) and implemented them; however, the results are “none” so far, i.e. the application is able to aggregate Azure AD data, but not the “proper” Azure data like subscriptions/resource groups/roles etc. (so exactly like before).
I am not even sure if the steps provided worked; for (previous-gen) CAM one could see the module is enabled, but here I don’t know how to verify that the iiq-cloud-gov components started working…
Any help with navigating us through the initial IIQ Cloud Governance configuration would be greatly appreciated, thanks!
Rgds,
Bogdan
Hi @bogdanlipski, if you have already enabled the flag in the application XML, can you please check whether the schema objects and attributes are in place?
References -
In case you are getting any error during aggregation, I would suggest opening a support ticket to get it investigated.
Thanks!
Thx Dinesh, yeah I saw that piece, but I’m unsure how/where to find it.
EDIT: just grepped through the whole SailPoint directory, not finding the mentioned string (example, tried: “managementGroup”), but I wouldn’t be able to find it if it’s in a container file.
…can you give me some details on where/how to find it?
Rgds,
Bogdan
Hi Bogdan, can you please add the following entry in your application XML from the debug page and perform an account-group aggregation. It’s there in the documentation links that I shared in my previous comment.
<Schema aggregationType="group" descriptionAttribute="" displayAttribute="displayName" identityAttribute="id" instanceAttribute="" nativeObjectType="managementGroup" objectType="managementGroup">
  <AttributeDefinition name="displayName" type="string">
    <Description>Display Name</Description>
  </AttributeDefinition>
  <AttributeDefinition name="id" type="string">
    <Description>Fully qualified ID for the management group</Description>
  </AttributeDefinition>
  <AttributeDefinition name="type" type="string">
    <Description>Object type</Description>
  </AttributeDefinition>
  <AttributeDefinition name="name" type="string">
    <Description>Name of the management group</Description>
  </AttributeDefinition>
</Schema>
If you have not added this entry in the account schema, you can also do that by adding this attribute as follows,
<AttributeDefinition entitlement="true" managed="true" multi="true" name="managementGroup" schemaObjectType="managementGroup" type="string">
  <Description>managementGroup</Description>
</AttributeDefinition>
Thanks!
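As an added example (not from this thread or from SailPoint), a small Python check for the two pieces Dinesh describes: a group-type Schema for the native object type and the matching entitlement attribute on the account schema. The application XML below is a constructed sample whose structure (Schema elements under Schemas) is assumed; point the function at your own exported application XML instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample application XML (structure assumed, not a real IIQ export).
SAMPLE_XML = """<Application name="AzureAD" type="Azure Active Directory">
  <Schemas>
    <Schema objectType="account" identityAttribute="id" nativeObjectType="User">
      <AttributeDefinition name="id" type="string"/>
      <AttributeDefinition entitlement="true" managed="true" multi="true"
          name="managementGroup" schemaObjectType="managementGroup" type="string"/>
    </Schema>
    <Schema aggregationType="group" displayAttribute="displayName" identityAttribute="id"
        nativeObjectType="managementGroup" objectType="managementGroup">
      <AttributeDefinition name="displayName" type="string"/>
      <AttributeDefinition name="id" type="string"/>
      <AttributeDefinition name="type" type="string"/>
      <AttributeDefinition name="name" type="string"/>
    </Schema>
  </Schemas>
</Application>"""

# Attributes the managementGroup schema in this thread defines.
REQUIRED_GROUP_ATTRS = {"displayName", "id", "type", "name"}

def check_object_type(xml_text, object_type):
    """Return problems found (empty list means the object type is wired up)."""
    root = ET.fromstring(xml_text)
    schemas = {s.get("objectType"): s for s in root.iter("Schema")}
    problems = []
    group = schemas.get(object_type)
    if group is None:
        problems.append(f'no <Schema objectType="{object_type}"> found')
    else:
        if group.get("aggregationType") != "group":
            problems.append(f'{object_type} schema is not aggregationType="group"')
        present = {a.get("name") for a in group.findall("AttributeDefinition")}
        for missing in sorted(REQUIRED_GROUP_ATTRS - present):
            problems.append(f"{object_type} schema lacks attribute {missing}")
    account = schemas.get("account")
    if account is None:
        return problems + ["no account schema found"]
    # The account-side link is the attribute whose schemaObjectType names the group schema.
    links = [a for a in account.findall("AttributeDefinition")
             if a.get("schemaObjectType") == object_type]
    if not links:
        problems.append(f'account schema has no attribute with schemaObjectType="{object_type}"')
    for a in links:
        for flag in ("entitlement", "managed", "multi"):
            if a.get(flag) != "true":
                problems.append(f'account attribute {a.get("name")} needs {flag}="true"')
    return problems
```

Run it once per object type you expect the connector to aggregate; an empty list for each is the quickest way to confirm the schema side is complete before chasing aggregation errors.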
Hi @dinesh_mishra, thanks. Where exactly in Debug please? Can you help navigate me to the right section where I should see/find it? There are dozens of various objects there, and then I usually have to provide the correct name for it as well:
OK, re-read: “application XML”…OK, trying now.
However, part #2…not sure how to navigate to the “account schema”…if you could help please.
Yes, that’s the application where you need to add the schema objects for groups.
You can access the account schema from the application definition itself. If you need any help, please reach out to our support or services team. Alternatively, you can also go through the IdentityIQ documentation. Thanks!
Going to “application definition” I am able to see the new objects/attributes schema added:
Question #1: However I still don’t see how I could access the full account or group schema there (in application definition) to be able to add that schema as in the given XML file “managementGroup”.
Or do you intend for me to do it this way? Is this correct?
I would please ask to clarify this further, thanks!
Question #2: when running (group) aggregation I am getting errors now…kind of a good thing though, because the application seems to (finally) try to pull data from subscriptions/resources (where it has no access…but still):
“Exception during aggregation of Object Type managementGroup on Application ***** AzureAD.
Reason: java.lang.RuntimeException: AuthorizationFailed : The client ‘’ with object id ‘’ does not have authorization
to perform action ‘Microsoft.Management/managementGroups/read’ over scope ‘/providers/Microsoft.Management’ or the scope is invalid.
If access was recently granted, please refresh your credentials.”
It seems the application might be assuming the whole tenant for this operation, but we will need it to only target specific subscriptions/resource groups…how to modify the scope please?
Okay, one more day of tests:
- we are able to see various groups/resources/subscriptions in entitlement catalog now…progress!
- however, if checking the “members” tab, they always seem to be empty
- also with our test users we are not able to spot any extra “Azure entitlements” added to them
- I have added the extra account schema configuration for all object types from your guide, and found as well that in the application XML it generates the correct entries, i.e. like in your online documentation (e.g. snippet above).
Question #1: still no entitlements added to identity cubes. Can you help please? (edit: should probably call out that empID is used for correlation…and works well for Azure AD, but somehow not for this one, i.e. “wide Azure”)
Question #2: (from yesterday) we need to be able to modify the scope for the Azure application, i.e. to target a specific resource/subscription only…how please?
Hi @bogdanlipski, I am sharing a few pointers to check on it further based on the details that you shared.
Question #1: still no entitlements added to identity cubes. Can you help please? (edit: should probably call out that empID is used for correlation…and works well for Azure AD, but somehow not for this one, i.e. “wide Azure”)
If the accounts which are aggregated from Microsoft Entra ID have the associated entitlements, then those will be populated in the account details and not in the identity details.
In general, I would suggest opening a support ticket for a detailed investigation if there is an issue or error during the operations.
Question #2: (from yesterday) we need to be able to modify the scope for the Azure application, i.e. to target a specific resource/subscription only…how please?
There are a few filters available in the connector configuration, but not for a specific resource or subscription. We need to check whether there is a way available from the Microsoft side or not. Could you please share on what condition you are looking for details?
Thanks,
Dinesh
Question #1: However I still don’t see how I could access the full account or group schema there (in application definition) to be able to add that schema as in the given XML file “managementGroup”.
Or do you intend for me to do it this way? Is this correct?
You can directly copy and paste the schema object that I shared from the documentation page. To see all the schema attributes, please scroll the page to the bottom. I am sure you must have figured that out by now and it must be resolved. If not, then please let me know.
Question #2: when running (group) aggregation I am getting errors now…kind of a good thing though, because the application seems to (finally) try to pull data from subscriptions/resources (where it has no access…but still):
“Exception during aggregation of Object Type managementGroup on Application ***** AzureAD.
Reason: java.lang.RuntimeException: AuthorizationFailed : The client ‘’ with object id ‘’ does not have authorization
to perform action ‘Microsoft.Management/managementGroups/read’ over scope ‘/providers/Microsoft.Management’ or the scope is invalid.
If access was recently granted, please refresh your credentials.”
It seems the application might be assuming the whole tenant for this operation, but we will need it to only target specific subscriptions/resource groups…how to modify the scope please?
Yes, this is a permission error. Please provide the required permissions as mentioned in the documentation at Azure Cloud Object Management.
API permission “user_impersonation” from the above document should be provided to the client credentials.
Roles mentioned under the Required Permissions section should be provided.
Sharing the steps as well for reference,
- Log in to portal.azure.com and navigate to “All Services” → Management Groups → (CU tenant)
- Go to Access control (IAM) present on the left pane of the window
- Click on “Role Assignments” and the +ADD button to assign the Owner AND/OR User Access Administrator role AND/OR Reader on the resource/client cred app.
Thanks,
Dinesh