I am configuring the Azure AD connector (SaaS) in ISC to manage Exchange Online shared mailboxes. I have successfully set up Certificate-Based Authentication (CBA) and configured all the required Entra ID app registration API permissions as outlined in the documentation.
My Configuration:
Following the documentation, I have added the sharedMailbox attribute to the Account Schema with the following properties:
- Type: String
- Property: Multivalued, Entitlement, Managed
What I am observing:
- This works perfectly for existing assignments. When an account already has FullAccess to a mailbox (e.g., SalesSharedMB:FullAccess), I correctly see this string as an attribute on their account attributes. Critically, only after this first assignment does SalesSharedMB:FullAccess also appear as an Entitlement in the entitlement catalog.
- However, shared mailboxes that currently have no users assigned to them in Exchange Online do not appear to be aggregated into the entitlement catalog. They are only discovered as disabled ‘accounts’, but not as requestable ‘entitlements’.
My Requirement:
I need to make all shared mailbox permissions (like FullAccess or SendAs) available in the entitlement catalog so that identities can request them, even if no one is currently assigned to that shared mailbox.
My Question:
I found a previous discussion on this topic (https://developer.sailpoint.com/discuss/t/shared-mailboxes-as-entitlements-on-azure-connector/24527) where a user noted: “You will only see them listed in Entitlements if an account has the SharedMailbox.”
Can someone confirm if this is the intended design of the connector? Is it true that a shared mailbox permission will only appear as an entitlement after its first assignment?
If this is correct, is there any known configuration or workaround to aggregate all available shared mailboxes into the catalog for request, regardless of their current assignment state?
Thank you for your help.
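As an added example (not part of the original post and not SailPoint's connector code), the PowerShell script below inventories every shared mailbox in Exchange Online and renders its FullAccess and SendAs delegations in the same "Mailbox:Right" form the post shows (e.g., SalesSharedMB:FullAccess). It uses the real ExchangeOnlineManagement cmdlets with certificate-based authentication; the environment variables for the certificate thumbprint, app ID and tenant are placeholders, and the use of the mailbox alias as the left-hand part of the value is an assumption (the connector may use a different mailbox name). Mailboxes with no delegate are listed with a holder of "<unassigned>", which is exactly the population the post says never surfaces as an entitlement, so the output doubles as a gap list and as an access review of who currently holds delegated mailbox rights.

```powershell
# Added example: inventory shared-mailbox delegations in "Mailbox:Right" form.
# Assumes the ExchangeOnlineManagement module is installed and that the app
# registration used for CBA can read mailbox and recipient permissions.
Import-Module ExchangeOnlineManagement

# Placeholders for the certificate-based authentication details (assumed names).
Connect-ExchangeOnline -CertificateThumbprint $env:EXO_CERT_THUMBPRINT `
                       -AppId $env:EXO_APP_ID `
                       -Organization $env:EXO_ORG `
                       -ShowBanner:$false

# All shared mailboxes in the tenant.
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mb in $shared) {
    # FullAccess is a mailbox permission; skip the mailbox's own SELF entry and inherited ACEs.
    $full = Get-EXOMailboxPermission -Identity $mb.Identity |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            $_.User -ne 'NT AUTHORITY\SELF' -and
            -not $_.IsInherited
        }

    # SendAs is a recipient permission, not a mailbox permission.
    $sendAs = Get-RecipientPermission -Identity $mb.Identity -AccessRights SendAs |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }

    # Assumption: the connector keys the value on the mailbox alias.
    foreach ($p in $full) {
        [pscustomobject]@{ Entitlement = "$($mb.Alias):FullAccess"; Holder = $p.User }
    }
    foreach ($p in $sendAs) {
        [pscustomobject]@{ Entitlement = "$($mb.Alias):SendAs"; Holder = $p.Trustee }
    }

    # No delegate at all: this is the case the post describes, where there is no
    # account attribute value from which an entitlement could be derived.
    if (-not $full -and -not $sendAs) {
        [pscustomobject]@{ Entitlement = "$($mb.Alias):FullAccess"; Holder = '<unassigned>' }
        [pscustomobject]@{ Entitlement = "$($mb.Alias):SendAs";     Holder = '<unassigned>' }
    }
}

# Rows with Holder '<unassigned>' are the mailboxes that will not appear in the catalog.
$report | Sort-Object Entitlement, Holder | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Running this before and after an aggregation makes it easy to compare what Exchange Online actually holds against what the entitlement catalog shows, and the "<unassigned>" rows are the ones an administrator would need to handle outside the connector's normal account-driven discovery.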