
Azure AD ACCOUNTS_FILTER Not working

ssrnitish
New Contributor III

Hi All,

We are trying to import selective accounts from Azure AD using ACCOUNTS_FILTER configuration within the connection.

We are using a filter based on userPrincipalName. Below are a few of the filters we tried to configure.

startsWith(userPrincipalName,'test.test@abc.com')

userPrincipalName in ('test.test@abc.com', 'test.test2@abc.com', 'test.it@abc.com')

Both of the above filters work when we run the FULL Account import job, which imports only the specific accounts mentioned in the filter.

But when we execute the Incremental Account import job, we always get some anonymous accounts which are not supposed to be imported as per the defined filter criteria.

Note: As per Saviynt documentation 23.x, we also tried to change the syntax format of the Accounts_Filter query by mentioning unicoded values inside the syntax, but we are still getting accounts outside the defined filter criteria.

Saviynt Doc -> Azure AD Integration Doc 23.x V 


As I said above, the filter is working with the Full Import job, but failing to get the desired outcome with the Incremental Import job. We are using EIC 23.9v.

Any pointer to fix the above would be helpful.

 

Thanks,

Nitish

 


Darshanjain
Saviynt Employee

Hi @ssrnitish 

Yes, currently Azure AD using accounts_filter doesn't support incremental recon and only supports full recon. This is due to the fact that the delta token URL does not support filters, and hence the value of the delta token won't be updated as per the filters provided. Instead, it will bring in and store all the data and use the same for incremental import.

 

Thanks

Darshan
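The mechanism described in the reply above, as an added example (not part of the thread and not Saviynt's connector code): when a delta response cannot be filtered server-side, the caller has to apply the account filter to every delta page itself. The function names, the `known` id-to-UPN map, the case-insensitive matching and the sample page are assumptions constructed for illustration; only the two filter strings come from the thread.

```python
import re

# Parses only the two ACCOUNTS_FILTER shapes quoted in the thread.
_STARTS = re.compile(r"^\s*startsWith\(\s*userPrincipalName\s*,\s*'([^']*)'\s*\)\s*$", re.I)
_IN = re.compile(r"^\s*userPrincipalName\s+in\s*\((.*)\)\s*$", re.I)

def compile_upn_filter(expr):
    """Turn a filter string into a predicate over a UPN (case-insensitive: assumption)."""
    m = _STARTS.match(expr)
    if m:
        prefix = m.group(1).lower()
        return lambda upn: upn.lower().startswith(prefix)
    m = _IN.match(expr)
    if m:
        allowed = {v.lower() for v in re.findall(r"'([^']*)'", m.group(1))}
        return lambda upn: upn.lower() in allowed
    raise ValueError("unsupported filter: " + expr)

def filter_delta_page(page, in_scope, known):
    """Return (upserts, removals) for one delta page.
    known maps object id -> UPN for accounts already imported under the filter."""
    upserts, removals = [], []
    for item in page.get("value", []):
        oid = item["id"]
        if "@removed" in item:
            if oid in known:           # only remove what was imported
                removals.append(oid)
            continue
        # Delta items may carry only changed properties, so fall back to the stored UPN.
        upn = item.get("userPrincipalName") or known.get(oid)
        if upn is not None and in_scope(upn):
            upserts.append(item)
        elif oid in known:             # account renamed out of scope
            removals.append(oid)
        # Otherwise: unknown or out-of-scope account, dropped (fail closed).
    return upserts, removals

# Constructed sample data, not taken from the thread's tenant.
SAMPLE_PAGE = {"value": [
    {"id": "a1", "userPrincipalName": "Test.Test@abc.com"},
    {"id": "b2", "userPrincipalName": "someone.else@abc.com"},
    {"id": "c3", "jobTitle": "changed property only"},
    {"id": "d4", "@removed": {"reason": "deleted"}},
    {"id": "e5", "@removed": {"reason": "deleted"}},
]}
KNOWN = {"c3": "test.it@abc.com", "d4": "test.test2@abc.com"}
FILTER = "userPrincipalName in ('test.test@abc.com', 'test.test2@abc.com', 'test.it@abc.com')"

if __name__ == "__main__":
    ups, rem = filter_delta_page(SAMPLE_PAGE, compile_upn_filter(FILTER), KNOWN)
    print([u["id"] for u in ups], rem)
```

Without this post-filtering step, the entries for `b2` and `e5` would flow into the incremental import, which matches the out-of-scope accounts reported in the original question.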

alex1
New Contributor III

Hi @Darshanjain !
The Azure integration documentation says that it is supported:


So I assume that this is completely wrong then? (see https://docs.saviyntcloud.com/bundle/AzureAD-v23x/page/Content/Configuring-the-Integration-for-Accou...)

Hi @alex1 

Incremental works when a basic filter is used, as the token is not in the picture, but when you are using an advanced filter it doesn't work. I think this is missing in the documentation; I will get this updated.

 

Thanks

Darshan

alex1
New Contributor III

Thanks @Darshanjain 

Just curious though, aren't the examples in the thread only using basic filters?

startsWith(userPrincipalName,'test.test@abc.com')

userPrincipalName in ('test.test@abc.com', 'test.test2@abc.com', 'test.it@abc.com')

I cannot see that those filters are advanced, as they are supported under the basic table as seen here:
https://learn.microsoft.com/en-us/graph/filter-query-parameter?tabs=http

Of course, I assume that it has been URL-encoded as mentioned in the thread.

Hi @alex1 

My bad, I thought you were using advanced filters. Then it looks like there is some issue, as it should import incremental recon using filters. Can you open a ticket, and our team will check the logs and see?

 

Thanks

Darshan

alex1
New Contributor III

@Darshanjain  All logs and configurations have been provided in ticket: 2004597

Thanks for your reply!

Incremental Import does not work with the basic configuration either (v23.6). We also rolled back the configuration from Prod due to the same issue.


Regards,
Rushikesh Vartak

@rushikeshvartak Thanks for the information! Did you create a ticket about it as well? In that case the limitation has been known for several months.