
azure ad b2c connection - directory roles

N598231
New Contributor III

Hi 

I imported the Azure directory roles and accounts using the following configuration:

The access import is not showing the list of accounts that are members of the directory roles. Could you please help?

{
"accountParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://graph.microsoft.com/v1.0/users",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "Resources",
"keyField": "accountID",
"statusConfig": {
"active": "true",
"inactive": "false"
},
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "userPrincipalName~#~char",
"status": "accountEnabled~#~char",
"displayName": "displayName~#~char",
"customproperty1": "givenName~#~char",
"customproperty2": "surname~#~char",
"customproperty3": "jobTitle~#~char",
"customproperty4": "mail~#~char",
"customproperty5": "mobilePhone~#~char",
"customproperty6": "officeLocation~#~char"
}
}
}
},
"entitlementParams": {
"processingType": "SequentialAndIterative",
"entTypes": {
"DirectoryRole": {
"entTypeOrder": 0,
"call": {
"call1": {
"connection": "userAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"httpHeaders": {
"Authorization": "${access_token}"
},
"url": "https://graph.microsoft.com/v1.0/directoryRoles",
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "Resources",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"entitlement_glossary": "description~#~char",
"customproperty4": "description~#~char",
"customproperty3": "deletedDateTime~#~char",
"customproperty8": "roleTemplateId~#~char",
"acctEntMappingInfoColumnFromEnt": "STORE#ACC#ENT#MAPPINGINFO~#~char"
}
}
},
"acctEntMappings": {
"listField": "",
"idPath": "account_id",
"keyField": "accountID",
"importAsAccount": false
}
}
}
},
"acctEntParams": {
"processingType": "entToAcctMapping"
}
}


naveenss
All-Star

Hi @N598231, can you share a sample response containing the directory role membership?

 

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

N598231
New Contributor III

Sure. API: https://graph.microsoft.com/v1.0/directoryRoles/<role_ID>/members

{
    "value": [
        {
            "@odata.type": "#microsoft.graph.user",
            "id": "<removed>",
            "businessPhones": [],
            "displayName": "<removed>",
            "givenName": null,
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": null,
            "userPrincipalName": "<removed>"
        },
        {
            "@odata.type": "#microsoft.graph.user",
            "id": "<removed>",
            "businessPhones": [],
            "displayName": "<removed>",
            "givenName": null,
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": null,
            "userPrincipalName": "<removed>"
        },
        {
            "@odata.type": "#microsoft.graph.user",
            "id": "8eee49dd-d6b6-4874-ad5c-2b64ad604644",
            "businessPhones": [],
            "displayName": "<removed>",
            "givenName": "<removed>",
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null,
            "surname": "<removed>",
            "userPrincipalName": "<removed>"
        }
    ]
}

Raghu
All-Star

@N598231, try the configuration below:

{
"accountParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://graph.microsoft.com/v1.0/users",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"keyField": "id",
"statusConfig": {
"active": "true",
"inactive": "false"
},
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "userPrincipalName~#~char",
"status": "accountEnabled~#~char",
"displayName": "displayName~#~char",
"customproperty1": "givenName~#~char",
"customproperty2": "surname~#~char",
"customproperty3": "jobTitle~#~char",
"customproperty4": "mail~#~char",
"customproperty5": "mobilePhone~#~char",
"customproperty6": "officeLocation~#~char"
}
}
}
},
"entitlementParams": {
"processingType": "SequentialAndIterative",
"entTypes": {
"DirectoryRole": {
"entTypeOrder": 0,
"call": {
"call1": {
"connection": "userAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"httpHeaders": {
"Authorization": "${access_token}"
},
"url": "https://graph.microsoft.com/v1.0/directoryRoles",
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"keyField": "id",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"entitlement_glossary": "description~#~char",
"customproperty4": "description~#~char",
"customproperty3": "deletedDateTime~#~char",
"customproperty8": "roleTemplateId~#~char",
"acctEntMappingInfoColumnFromEnt": "STORE#ACC#ENT#MAPPINGINFO~#~char"
}
}
},
"acctEntMappings": {
"listField": "",
"idPath": "account_id",
"keyField": "accountID",
"importAsAccount": false
}
}
}
},
"acctEntParams": {
"processingType": "entToAcctMapping"
},
"errorHandling": {
"authError": ["InvalidAuthenticationToken", "AuthenticationFailed"],
"expiryError": ["TokenExpiredError"],
"retryFailureStatusCode": [401, 403],
"timeOutError": ["ETIMEDOUT", "ESOCKETTIMEDOUT"],
"errorPath": "error",
"maxRefreshTryCount": 3
}
}


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

N598231
New Contributor III

This one is not working — the job is failing.

Job Name: Application Data Import (Multi Threaded)
Job Type: full
Import Type: access
Warning: invalid record for DirectoryRole — Invalid record not processed for DirectoryRole. Error Message - null
Total invalid records skipped for DirectoryRole: 2
Entitlements: 2, Mapping deleted: 0
EntitlementMap Mapping deleted: 0

 

Error:

2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.256605399Z stdout F 2024-07-09 05:51:58,256 [quartzScheduler_Worker-8] ERROR rest.RestProvisioningService - Exception in pullObjectsByRest :401
 
2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.257488731Z stdout F 2024-07-09 05:51:58,257 [quartzScheduler_Worker-8] ERROR rest.RestProvisioningService - Inside token Expiry Exception block. connectionParamMap.refreshTryCount : 0
 
2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.873075718Z stdout F 2024-07-09 05:51:58,873 [quartzScheduler_Worker-8] DEBUG rest.RestProvisioningService - responseError : null
 
2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.873150491Z stdout F 2024-07-09 05:51:58,873 [quartzScheduler_Worker-8] DEBUG rest.RestProvisioningService - isAuthError: false
 
2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.874097016Z stdout F 2024-07-09 05:51:58,873 [quartzScheduler_Worker-8] ERROR rest.RestProvisioningService - Exception in persistObjects :
 
2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.874166513Z stdout F 2024-07-09 05:51:58,874 [quartzScheduler_Worker-8] ERROR rest.RestProvisioningService - Invalid record not processed for DirectoryRole: [id:<removed>, deletedDateTime:null, description:Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities., displayName:Global Administrator, roleTemplateId:removed]
 
2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.878033608Z stdout F 2024-07-09 05:51:58,877 [quartzScheduler_Worker-8] ERROR rest.RestProvisioningService - Exception in persistObjects :
 
2024-07-09T11:21:58+05:30-ecm-worker--null-j85fg--2024-07-09T05:51:58.878106136Z stdout F 2024-07-09 05:51:58,878 [quartzScheduler_Worker-8] ERROR rest.RestProvisioningService - Invalid record not processed for DirectoryRole: [id:<removed>, deletedDateTime:null, description:Can manage all aspects of users and groups, including resetting passwords for limited admins., displayName:User Administrator, roleTemplateId:<removed>]

@N598231, is it working correctly in Postman?


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

N598231
New Contributor III

Yes, it is working in Postman. I also tried the configuration below, updating the connection type to acctAuth; the job succeeds, but it does not show any accounts under Global Administrator or any other directory role.

{
"accountParams": {
"connection": "acctAuth",
"processingType": "SequentialAndIterative",
"statusAndThresholdConfig": {
"statusColumn": "customproperty11",
"activeStatus": [
"false"
],
"deleteLinks": true,
"accountThresholdValue": 10,
"correlateInactiveAccounts": false,
"inactivateAccountsNotInFile": true,
"deleteAccEntForActiveAccounts": true
},
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://graph.microsoft.com/v1.0/users",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "users",
"keyField": "accountID",
"statusConfig": {
"active": "true",
"inactive": "false"
},
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "userPrincipalName~#~char",
"status": "accountEnabled~#~char",
"displayName": "displayName~#~char",
"customproperty1": "givenName~#~char",
"customproperty2": "surname~#~char",
"customproperty3": "jobTitle~#~char",
"customproperty4": "mail~#~char",
"customproperty5": "mobilePhone~#~char",
"customproperty6": "officeLocation~#~char"
}
}
}
},
"entitlementParams": {
"connection": "acctAuth",
"processingType": "SequentialAndIterative",
"entTypes": {
"DirectoryRole": {
"entTypeOrder": 0,
"entTypeLabels": {
"customproperty1": "Deleted",
"customproperty2": "CreatedAt",
"customproperty3": "UpdatedAt"
},
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://graph.microsoft.com/v1.0/directoryRoles",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"entitlement_glossary": "description~#~char",
"customproperty4": "description~#~char",
"customproperty3": "deletedDateTime~#~char",
"customproperty8": "roleTemplateId~#~char",
"acctEntMappingInfoColumnFromEnt": "STORE#ACC#ENT#MAPPINGINFO~#~char"
},
"disableDeletedEntitlements": true
}
}
}
}
},
"acctEntParams": {
"connection": "acctAuth",
"entTypes": {
"DirectoryRole": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "httpEntToAcct",
"http": {
"httpHeaders": {
"Authorization": "${access_token}"
},
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${id}/members",
"httpContentType": "application/x-www-form-urlencoded",
"httpMethod": "GET"
},
"listField": "value",
"entKeyField": "entitlementID",
"acctIdPath": "id",
"acctKeyField": "accountID"
}
}
}
}
}
}

N598231
New Contributor III

Update: this issue has been resolved with the configuration below.

{
"accountParams": {
"connection": "acctAuth",
"processingType": "SequentialAndIterative",
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://graph.microsoft.com/v1.0/users",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"keyField": "accountID",
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "userPrincipalName~#~char",
"status": "accountEnabled~#~char",
"displayName": "displayName~#~char",
"customproperty1": "givenName~#~char",
"customproperty2": "surname~#~char",
"customproperty3": "jobTitle~#~char",
"customproperty4": "mail~#~char",
"customproperty5": "mobilePhone~#~char",
"customproperty31": "STORE#ACC#ENT#MAPPINGINFO~#~char"
}
}
}
},
"entitlementParams": {
"connection": "acctAuth",
"processingType": "SequentialAndIterative",
"entTypes": {
"DirectoryRole": {
"entTypeOrder": 0,
"entTypeLabels": {
"customproperty1": "Deleted",
"customproperty2": "CreatedAt",
"customproperty3": "UpdatedAt"
},
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://graph.microsoft.com/v1.0/directoryRoles",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"description": "description~#~char",
"entitlement_glossary": "description~#~char",
"customproperty4": "description~#~char",
"customproperty3": "deletedDateTime~#~char",
"customproperty8": "roleTemplateId~#~char",
"acctEntMappingInfoColumnFromEnt": "STORE#ACC#ENT#MAPPINGINFO~#~char"
},
"disableDeletedEntitlements": true
}
}
}
}
},
"acctEntParams": {
"connection": "acctAuth",
"entTypes": {
"DirectoryRole": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "httpEntToAcct",
"http": {
"httpHeaders": {
"Authorization": "${access_token}"
},
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${id}/members",
"httpContentType": "application/x-www-form-urlencoded",
"httpMethod": "GET"
},
"listField": "value",
"entKeyField": "entitlementID",
"acctIdPath": "id",
"acctKeyField": "accountID"
}
}
}
}
}
}

rushikeshvartak
All-Star

Quick question: is there a limitation with the Azure AD connector that led you to use the REST connector instead?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

N598231
New Contributor III

Yes, we are getting the following error when connecting to the B2C tenant using the Azure AD connector.

 

024-07-05T08:57:31.611+00:00ecm null-plwzj 2024-07-05T08:57:31.258241441Z stdout F 2024-07-05 08:57:31,258 [http-nio-8080-exec-428] ERROR azure.AzureProvisioningService  - Error while saving the Connection: Request Header/Body is incorrect. Target Response status Code: 400, Target Error Message: [Change enumeration is not supported for requested tenant.]