Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Azure AD is failing to add or remove users from AADGroups

venkat
New Contributor III
New Contributor III

We added global administrator role to the application account.  We can remove users from azure AD

 

We however get 403 when we try to remove the user from AADGROUP 

venkat_1-1690393466727.png

 

below is the json we are using for adding access

{
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@ \": \"${member}\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Content-Type": "application/json"
},
"httpContentType": "application/json",
"name": "AADGroup"
}

 

below is the json we remove access

{
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/${account.accountI...\$ref",
"httpMethod": "DELETE",
"httpParams": "",
"httpHeaders": {
"Authorization": "${access_token}",
"Content-Type": "application/json"
},
"httpContentType": "application/json"
}

can anyone suggest a solution to this issue ?

 

thanks

12 REPLIES 12

pmahalle
All-Star
All-Star

Hi @venkat ,

From the screenshot, seems like you are getting 404 NOT FOUND and not 403. Seems like group id which you are using in the url is not exist in AAD.

Can you check it once and try.


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

venkat
New Contributor III
New Contributor III

got postman to work.  Can add or remove access via postman.  Now getting error when i use ARS

below is the error

DEBUG azure.AzureADProvisioningService - Error while Adding Access to Account
2023-07-28/15:20:02.534 [{}] [quartzScheduler_Worker-11] DEBUG azure.AzureADProvisioningService - Result: false

Error in processGroupInTargetgroovy.lang.GroovyRuntimeException: Ambiguous method overloading for method java.lang.String#<init>.
Cannot resolve which method to invoke for [null] due to overlapping prototypes between:
[class [B]
[class [C]
[class java.lang.String]

 

 

  • Try below for add

{
"call": [{
"name": "AADGroup",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
},
{
"name": "DirectoryRole",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
}
]
}


remove

 

{
"call": [{
"name": "AADGroup",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/${account.accountI...\$ref",
"httpMethod": "DELETE",
"httpHeaders": {
"Authorization": "Bearer ${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
},
{
"name": "DirectoryRole",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/${account....\$ref",
"httpMethod": "DELETE",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
}
]}


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

venkat
New Contributor III
New Contributor III

getting same error.

 

below is the add json.

{
"call": [{
"name": "AADGroup",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
},
{
"name": "DirectoryRole",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
}
]
}

getting error

 

Are you using saviynt default entitlement_attribute configuration in import connection ?

can you check whether entitlement have entitlementid in data analyzer using below query

select entitlementid,entitlement_value from entitlement_values where entitlement_value='Autopilot-Test2'


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

venkat_0-1690811771415.png

 

venkat
New Contributor III
New Contributor III

i have not added anything in entitlement attribute, Can you provide me the default values for it

venkat_1-1690811897899.png

 

 

venkat
New Contributor III
New Contributor III

The Error in processGroupInTargetgroovy.lang.GroovyRuntimeException: Ambiguous method overloading for method java.lang.String#<init>.
Cannot resolve which method to invoke for [null] due to overlapping prototypes between:
[class [B]
[class [C]
[class java.lang.String]  error is got if you use AZURE AD connector to provision access or remove access.  I created another connection and used Azure Rest connection and it provisioned access and removed access

JohnLawson
Regular Contributor
Regular Contributor

Can you please elaborate? I'm having that ambiguous method overloading error for a different rest connection, but I'm also having issues removing AADGroups with the AAD connector. Did you get that resolved?

venkat
New Contributor III
New Contributor III

i used azureAD_provisioning_Template for adding and removing accounts from AADgroups. I did not remove AADgroups

Share json


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

venkat
New Contributor III
New Contributor III

it works in postman with same group and account

venkat_0-1690754784107.png