O365 displays duplicates in certification campaign

Hello! I have a customer preparing to include Office 365 (O365) entitlements in their access certification campaign. Currently, the O365 entitlements display many duplicates of native on-premise groups and built-in roles. To streamline the certification, they are aiming to limit the O365 source to only capture entitlements related to native-cloud groups. How can they configure the source connection to accomplish this?

I spoke with @mcheek and he mentioned that the Microsoft Entra connector just recently obtained an additional filter feature that allows you to filter out accounts and groups to avoid the duplicates. Check out step 5 in the filter settings about group membership filters. That’s the key to make sure you filter out the entitlements and accounts won’t bring those entitlements in as well.

Yep, see the announcement from Dinesh

So, we implemented the filter: onPremisesSyncEnabled ne true to exclude on-premise Active Directory groups from being aggregated into IdentityNow. However, after forcing both user and entitlement aggregation, we’re not seeing the on-premise groups be dropped from entitlements. Has anyone experienced this same issue? If yes, how did you get IdentityNow to drop the on-premise AD groups from the entitlements?

Edit: To be extra clear, the source we have is the “Azure Active Directory” and not the “Microsoft Entra”. Not sure if this makes a difference since the “Learn more about filter settings” in the Azure Active Directory source still sends us to the Entra ID Filter help document: Aggregation, Filter, and Partitioning Settings

ISC doesn’t clean up its entitlement repositories even if the entitlements are no longer aggregated. You basically need to reset the source entitlements via API call and start fresh.

Hey Kevin,

Do you know where I could find documentation for that API call? Also, do you know if there is any end-user impact when you reset entitlements like that?