Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Add Access task for Azure AD failing

Go to solution
JK
New Contributor II
New Contributor II

‎02/06/2024 04:05 AM

Hi,

I am using the ARS to place request for an Azure AD group which is of the entitlement type AADGroup in Saviynt.

The request gets submitted and Add Access task gets generated successfully.

But, when I run the provisioning job, Task is not getting complete, there is no error in the logs

AddAccessJson:

{
  "call": [
    {
      "name": "AADGroup",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/groups/${entitlement.entitlementID}/members/\\$ref",
       "showResponse": true,
      "httpMethod": "POST",
      "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      }
    }
  ]
}

referred from : Solved: Re: Add Access task for Azure AD failing - Saviynt Forums - 21656

Labels:
0 Kudos
14 REPLIES 14

Go to solution
Amit_Malik
Valued Contributor II
Valued Contributor II

‎02/06/2024 06:19 AM

HI @JK , In your URL , you are using ${entitlement.entitlementID} instead use ${entitlementValue.entitlementID}.

https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref"

If you have right permissions , this should work.

Good Look!!

Best Regards,

Amit

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".
0 Kudos

Go to solution
JK
New Contributor II
New Contributor II

‎02/06/2024 06:44 AM

Hi @Amit_Malik 

1. I have tried with below url also still task is not completing

"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref"

2. I have ROLE_ADMIN access

3. This is AzureAD connector(it was working for rest connector )

0 Kudos

Go to solution
Amit_Malik
Valued Contributor II
Valued Contributor II
In response to JK

‎02/06/2024 06:47 AM - edited ‎02/06/2024 06:48 AM

Ah Okay, Yeah , make sense. 

In my knowledge , you need to use REST connector for Provisioning and ootb for import. 

This is how we are doing. Do you see any problem with that? I am not sure if ootb now supports provisioning and recon both but I dont think it is yet.

BR,Amit

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Amit_Malik

‎02/06/2024 06:52 AM

As per release note azure ad connector should support import and provision 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
Amit_Malik
Valued Contributor II
Valued Contributor II
In response to rushikeshvartak

‎02/06/2024 07:36 AM

Yeah, it does it seems from v23.10. But it didn't work for us also and using REST connector only for provisioning. 

AmitM_0-1707231740565.png

 

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".
0 Kudos

Go to solution
Amit_Malik
Valued Contributor II
Valued Contributor II
In response to JK

‎02/06/2024 10:23 PM

Hi @JK , you can raise a freshdesk ticket. We have one as well.

Meanwhile continue to use REST for provisioning which you mentioned has been working.

Kind Regards,

Amit

If helped, please ACCEPT SOLUTION and hit Kudos

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".
0 Kudos

Go to solution
NM
Esteemed Contributor
Esteemed Contributor

‎02/06/2024 08:42 AM

Hi @JK , Worth checking ConnectionJson in AzureAD OOTB connector, we can define it and use it for provisioning..


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to NM

‎02/06/2024 06:54 PM - edited ‎02/06/2024 06:59 PM

Its same connection json as REST connector

"2024-02-07T02:57:02.559+00:00","ecm-worker","azure.AzureADRestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","params.memento.addAccessJSON : [call:[[name:AADGroup, connection:userAuth, url:https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\$ref, showResponse:true, httpMethod:POST, httpParams:{"@odata.id":"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}"}, httpHeaders:[Authorization:${access_token}], httpContentType:application/json, successResponses:[statusCode:[200, 201, 204, 205]]]]]"
"2024-02-07T02:57:02.559+00:00","ecm-worker","azure.AzureADRestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","currentEntitlementJsonMap : [call:[[name:AADGroup, connection:userAuth, url:https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\$ref, showResponse:true, httpMethod:POST, httpParams:{"@odata.id":"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}"}, httpHeaders:[Authorization:${access_token}], httpContentType:application/json, successResponses:[statusCode:[200, 201, 204, 205]]]]] | entitlementname: AADGroup"
"2024-02-07T02:57:02.559+00:00","ecm-worker","azure.AzureADRestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","currentEntitlementJsonMap : [call:[[name:AADGroup, connection:userAuth, url:https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\$ref, showResponse:true, httpMethod:POST, httpParams:{"@odata.id":"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}"}, httpHeaders:[Authorization:${access_token}], httpContentType:application/json, successResponses:[statusCode:[200, 201, 204, 205]]]]]"
"2024-02-07T02:57:02.559+00:00","ecm-worker","azure.AzureADRestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","params.memento.addAccessJSON: [call:[[name:AADGroup, connection:userAuth, url:https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\$ref, showResponse:true, httpMethod:POST, httpParams:{"@odata.id":"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}"}, httpHeaders:[Authorization:${access_token}], httpContentType:application/json, successResponses:[statusCode:[200, 201, 204, 205]]]]]"
"2024-02-07T02:57:02.559+00:00","ecm-worker","rest.RestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","Total Call: 1"
"2024-02-07T02:57:02.579+00:00","ecm-worker","rest.RestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","connection: userAuth"
"2024-02-07T02:57:02.589+00:00","ecm-worker","azure.AzureADRestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","Task Response: null"
"2024-02-07T02:57:02.589+00:00","ecm-worker","azure.AzureADRestProvisioningService","quartzScheduler_Worker-7-ngcnt","DEBUG","Result: false"


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to rushikeshvartak

‎02/14/2024 06:15 PM

@prasannta  As discussed on call waiting for update 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
prasannta
Saviynt Employee
Saviynt Employee
In response to rushikeshvartak

‎02/15/2024 12:13 PM

Hi @rushikeshvartak 

You will have to raise a support ticket for this as this issue would require feedback from our engg team. I was unable to find any other customer who are using Azure AD for provisioning.

Thanks

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to prasannta

‎02/27/2024 10:39 AM

This has been resolved and working for all JSONs 

Connection name should ${connectionName}

 

{
 "call": [
 {
 "name": "AADGroup",
 "connection": "${connectionName}",
 "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\\\$ref",
 "httpMethod": "POST",
 "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\\"}",
 "httpHeaders": {
 "Authorization": "${access_token}"
 },
 "httpContentType": "application/json",
 "successResponses": {
 "statusCode": [
 200,
 201,
 204,
 205
 ]
 }
 }
 ]
}
 

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
Manu269
All-Star
All-Star

‎02/06/2024 09:43 PM

@JK we even faced similar issue where OOTB connector was failing for access provisioning.

Ended up using the REST Connector.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos
.
0 Kudos

Go to solution
Mamatha
Saviynt Employee
Saviynt Employee

‎02/27/2024 06:20 PM

We have identified the cause of your issue:
 
can you use below JSON and confirm us on the result -
 
 
{
 "call": [
 {
 "name": "AADGroup",
 "connection": "${connectionName}",
 "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\\\$ref",
 "httpMethod": "POST",
 "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\\"}",
 "httpHeaders": {
 "Authorization": "${access_token}"
 },
 "httpContentType": "application/json",
 "successResponses": {
 "statusCode": [
 200,
 201,
 204,
 205
 ]
 }
 }
 ]
}
 
 
Primary difference is in the way connection parameter is configured, suggestion is to use "connection": "${connectionName}" and you don’t need to use showResponse
 
As Rushi confirmed it is working as expected using above JSON in ticket 

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Mamatha

‎02/27/2024 06:41 PM

Please update respective documentation on docs portal https://docs.saviyntcloud.com/bundle/AzureAD-v2021x/page/Content/Configuring-the-Integration-for-Pro... 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos
Copyright © 2024 Khoros, LLC