SailPoint ISC Entra Connector

As part of the Sandbox test environment integration with Microsoft Entra ID, we aim to fetch only those Entra ID user accounts that are members of a specific group.

Based on our current understanding, we considered using the User Filter to achieve this requirement. However, we would like to confirm whether this is the correct approach, or if group-based filtering should instead be handled using Group Filters and Group Membership configuration during aggregation.

Could you please clarify the recommended method to retrieve only users belonging to a specific group?

Hi @Shukur

As a best practice, it is always good to use the User Filter. The documentation, Aggregation, Filter, and Partitioning Settings, mentions this: “When configuring the filters, consider that the connector prioritizes account filters over group filters during aggregation. For example, the connector aggregates groups, which fall outside of the group filter, if the group is associated with an account included within the account filter.”

If an account passes the User Filter, it will still be aggregated even if its group is excluded or its group membership is not linked; however, the account itself will still be present.

Hi Shaik,

The first approach of filtering users is the only way, as I understand it, because if you filter by groups then only those groups would appear in aggregation and it would not affect the account aggregation.

Use the User Filter.

Hello Abhishek,

Hope you are doing well. I have configured the group filter as shown in the screenshot below. I am able to see the group name, but I am unable to see the users under the group. I have also run account aggregation, but even after that, I am still unable to see users at the identity level.

Could you please suggest what updates I should make to the user and group filters?

I am able to see the group name, but I am unable to see the users under the group.

Hi @Shukur

Did you perform only entitlement aggregations?

Accounts are not aggregated if you did only entitlement aggregations, and you should perform account aggregations. That is why in your use case you should try to use the Account Filter.

During the account import, ISC links accounts to entitlements.

Hello @baoussounda

I have performed entitlement and account aggregation. I did not specify any filter in the User Filter, based on the screenshot. What should be my next step?

@Shukur then when you go to each account you can see the Entitlements tab with the list of entitlements assigned to the users.

Or if you go to Admin > Access Model > Entitlements and select an entitlement, you have the Identities tab, which has the list of identities.

Search can also be used to export, or exporting accounts from the source accounts page will include entitlements.

However, from Source Configuration > Entitlements, you cannot directly see the list of accounts.

Did you manage to resolve your issue?

I ended up building a WS connector because the OOB for Entra would not do what I needed it to do.

@Shukur use the user filter to fetch members of a specific group. Try the filter below; I hope this helps.

groups eq "<group ID>"

Hello @baoussounda

Yes, when I go to each account, I am able to see the Entitlements tab with the list of entitlements assigned to the users.

Based on the screenshots below, I am unable to see the Identities tab that contains the list of identities.

Can you re-run your aggregations?

Hello @baoussounda

Please find the screenshot below. Is this correct? Can I proceed with running the aggregations?

Are there many groups with the prefix of the group name?
If not, and you are only after one group, then use this:

displayName eq 'RoleGroup-Entra…'

Rather than: startsWith(displayName, 'RoleGroup-Entra…')

@Shukur you’ve already aggregated the same group rights before?

Hello @baoussounda,

Yes, I aggregated the same group before.

After re-aggregation of accounts and entitlements, the entitlement is still empty?

Hello @phil_awlings

I have completed account and group aggregation. Please find the screenshots below.
Filter Settings:

Account Aggregation:

Group Aggregation:

Account Information:

Group Information: the entitlement is still empty.

Yes, the entitlement is still empty.

My 1st impression would be that no-one has that entitlement.
Can you check and post a screenshot of users that have that entitlement from that source?