We recently configured the Entra ID connection to go along with the onprem AD connection in sailpoint. Most of our accounts are created on prem and are synced to Entra ID. However, we are starting to create cloud only accounts which is why we have turned both connections on. My issue is with the sync errors I am seeing. The onprem accounts are trying to sync to the Entra source when they should only be trying to sync with the onprem source not both. Is there something i am missing in the configuration. Can anyone point me in the right direction ?
Can you elaborate on your requirement with some more info like which is the Auth source? What you mean βThe onprem accounts are trying to sync to the Entra source when they should only be trying to sync with the onprem source not bothβ
What i am seeing is for an account that exist in on-prem and syncs to Entra ID. If i try to do an attribute sync it will try to write the sync values to Entra ID source instead of the AD On prem source. it should be trying to sync to AD on prem not Entra ID.
Are you doing attribute sync in SailPoint only?
I do not understand this part of your questionβ¦ Accounts between 2 sources donβt sync directly. Only Identity attributes can sync to account attributes in any source
β¦via Entra Connect, you meant to say, right?
β¦from ISC / IDN. i.e. IDN now has on-prem AD AND Entra as two configured sources, right?
Talking about Entra connectβs sync, or IDNβs attribute sync here?
This is where Iβm lost.
i.e. You have this, right?
βββββ ββββ βββββββ
βISCβ βADβ βEntraβ
βββ¬ββ βββ¬β ββββ¬βββ
βAccount Provisioning & Attribute Sync β β
ββββββββββββββββββββββββββββββββββββββ>β β
β β β
β Account Provisioning & Attribute Sync β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ>β
β β β
β βEntra Connect Sync β
β β β β β β β β β β β>β
βββ΄ββ βββ΄β ββββ΄βββ
βISCβ βADβ βEntraβ
βββββ ββββ βββββββ
2 Likes
sorry for the confusion, i fee like i am not explaining it well. the identity attributes are syncing to the account attributes. but i am seeing errors. let me give an example.
Under Identity for Account A for example. Account A has a Entra ID account listed and a AD on prem account. We have a attribute sync setup. I updated the city attribute in AD. When i did an attribute sync for Account A it syncd and updated the city value for AD on prem successfully, but its trying to update for Entra ID and it errors out with this message
[βUpdate operation failed for bfbd492f-3cd5-4a54-88c7-d092422f82c9, Error: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.β]
Hi @joeykennedy,
This error typically occurs when trying to update attributes for objects that are mastered on-premises and synchronized to Entra ID.
You may want to look into the below solutions:
-
Make the attributes as non-mastered from on-prem AD so that it can be directly synchronized/updated in Entra ID. But in that case, make sure that all of your Entra users have that specific attribute updated via IDN or some other process as the AAD sync will not work for these attributes.
-
Create separate custom attributes in Entra for the cloud only users and sync them from IDN.
hi @joeykennedy
Are you also syncing with AADConnect to On-prem?
This error usually occurs if you try to update properties of users synced from βon-premises domainsβ via Azure AD Connect to Azure AD cloud directly.
Hope this helps 
Tony
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.