provisioningTimeout Max limit

We have an AD - After Create PowerShell script that updates a few attributes in Azure AD after the account is created in AD. For this we have retry logic in the script which waits for the user account to be available in Azure AD before updating the required attributes. The AD to Azure sync runs every 30 mins. The PowerShell script runs fine and does its job.

For this, we have set the following timeout attribute in the source:
"provisioningTimeout": "600",
"IQServiceResponseTimeout": "3600",

  1. We are trying to set provisioningTimeout = 3600 (60 mins) to avoid any internal sync issues. But the IDN source can set the value to “600” max. If we update any value more than 600, it defaults back to 600. This causes a timeout error while waiting for the AD-Azure sync to finish. Is there any option to update this value to 3600?

  2. If not, can we implement this in a different way?

Hi @sndppnyk

You can probably put a Start-Sleep wait time in your PowerShell. You also need to adjust your timeout attribute if you want to try this approach.

Thanks,
Uday

This is already part of the PowerShell script and works as expected. The issue is with the AD source “provisioningTimeout” attribute. IDN marks the request as incomplete after 600 seconds.

How can we set the “provisioningTimeout” to more than 600 seconds? The source attribute defaults to 600 if we try to set any value above 600.

Another approach if you can use roles with membership criteria,

Role 1: Basic AD account with birthright entitlements

  • ISC triggers create of AD account
  • Azure sync occurs to create Entra account
  • Aggregate EntraID

Role 2: Role to trigger additional entitlements
In the membership criteria, use the Azure account and the specific attributes that you need to trigger the new role. Then in this role, add the access profile(s) with your additional entitlements.

Since you are triggering the second role based on the Azure account existing, you will always know that it is there before adding the additional entitlements.

This is an option but the provisioning has to wait until the account is pulled as part of next Azure account aggregation.
Other than updating Azure attributes, we are also updating ExchangeOnline attributes. So the script dependency cannot be avoided.

If the “provisioningTimeout” source attribute can be set to more than 600, this would be helpful and resolve the issue.
Any idea how we can set this?
Why is there a max value of 600 for “provisioningTimeout” source attribute?

Hello @sndppnyk, did you write all the code inside the native rule, or are you invoking another PS script from the native rule?

PowerShell background jobs allow you to run scripts asynchronously in the background. You can start a background job with Start-Job.

You can try to follow below approach -

  1. Below code in after create native rule that will run the job
Write-Host "Prasad Started"

$job = Start-Job -ScriptBlock {
    & "C:\Prasad\myScript1.ps1"
}
Write-Host "Prasad Ended"

The output of the below code will be -

Prasad Started
Prasad Ended

Hi Prasad,

Have you tried to call Start-Job from the native rule? I tried to create a .ps1 file and it was not getting triggered with Start-Job.

While going through the documentation below, I found the statement saying "Creating an out-of-process background job with Start-Job is not supported in the scenario where PowerShell is being hosted in other applications, such as the PowerShell Azure Functions."

So I wanted to check if you have working code for calling an external PowerShell script from the native rule?
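
On the Start-Job limitation quoted above: a child process started with Start-Process does not use the PowerShell job infrastructure of the hosting session. The following is an added example, not code from any poster or from SailPoint; it assumes the IQService host lets the rule launch a child powershell.exe, and the script path, log path and Test-CloudUserExists are hypothetical names.

```powershell
# Added example, not from the thread. Script paths and function names are hypothetical.

function Start-DetachedWorker {
    # Run from the after-create rule: starts the worker in its own powershell.exe
    # process (no Start-Job) and returns immediately with the child's process id.
    param(
        [Parameter(Mandatory)] [string] $WorkerScript,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    # The UPN ends up on a command line, so accept only a strict character set.
    if ($UserPrincipalName -notmatch '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$') {
        throw "Refusing unexpected UPN value: $UserPrincipalName"
    }
    if (-not (Test-Path -LiteralPath $WorkerScript -PathType Leaf)) {
        throw "Worker script not found: $WorkerScript"
    }
    # Quote the path by hand: Start-Process does not quote arguments itself.
    $argLine = '-NoProfile -NonInteractive -File "{0}" -UserPrincipalName {1}' -f $WorkerScript, $UserPrincipalName
    $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $argLine -WindowStyle Hidden -PassThru
    return $proc.Id
}

function Wait-ForCondition {
    # Used by the worker: polls $Probe until it returns $true or the deadline passes.
    param(
        [Parameter(Mandatory)] [scriptblock] $Probe,
        [int] $TimeoutSeconds = 3600,   # the 60 minutes asked for in the thread
        [int] $IntervalSeconds = 60
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($true) {
        try {
            if (& $Probe) { return $true }
        } catch {
            Write-Warning "Probe failed, will retry: $($_.Exception.Message)"
        }
        # Stop when another sleep would run past the deadline.
        if ((Get-Date).AddSeconds($IntervalSeconds) -gt $deadline) { return $false }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# In the rule (hypothetical path; $upn taken from the account request):
#   Start-DetachedWorker -WorkerScript 'C:\Scripts\PostCreateWorker.ps1' -UserPrincipalName $upn
# In the worker, after its param([string]$UserPrincipalName) block:
#   if (-not (Wait-ForCondition -Probe { Test-CloudUserExists $UserPrincipalName })) {
#       Add-Content -Path 'C:\Scripts\worker.log' -Value "TIMEOUT $UserPrincipalName"
#   }
```

Because the rule returns before the worker finishes, the provisioning request completes without knowing whether the later Azure AD and Exchange Online updates succeeded, so the worker has to log or alert on timeout itself.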