We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Azure AD is failing to add or remove users from AADGroups

venkat
New Contributor III
New Contributor III

We added global administrator role to the application account.  We can remove users from azure AD

 

We however get 403 when we try to remove the user from AADGROUP 

venkat_1-1690393466727.png

 

below is the json we are using for adding access

{
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@ \": \"${member}\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Content-Type": "application/json"
},
"httpContentType": "application/json",
"name": "AADGroup"
}

 

below is the json we remove access

{
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/${account.accountI...\$ref",
"httpMethod": "DELETE",
"httpParams": "",
"httpHeaders": {
"Authorization": "${access_token}",
"Content-Type": "application/json"
},
"httpContentType": "application/json"
}

can anyone suggest a solution to this issue ?

 

thanks

12 REPLIES 12

pmahalle
All-Star
All-Star

Hi @venkat ,

From the screenshot, seems like you are getting 404 NOT FOUND and not 403. Seems like group id which you are using in the url is not exist in AAD.

Can you check it once and try.


Pandharinath Mahalle(Paddy)
If this reply answered your question, please Accept As Solution to help other who may have a same problem. Give Kudos 🙂

venkat
New Contributor III
New Contributor III

got postman to work.  Can add or remove access via postman.  Now getting error when i use ARS

below is the error

DEBUG azure.AzureADProvisioningService - Error while Adding Access to Account
2023-07-28/15:20:02.534 [{}] [quartzScheduler_Worker-11] DEBUG azure.AzureADProvisioningService - Result: false

Error in processGroupInTargetgroovy.lang.GroovyRuntimeException: Ambiguous method overloading for method java.lang.String#<init>.
Cannot resolve which method to invoke for [null] due to overlapping prototypes between:
[class [B]
[class [C]
[class java.lang.String]

 

 

  • Try below for add

{
"call": [{
"name": "AADGroup",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
},
{
"name": "DirectoryRole",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
}
]
}


remove

 

{
"call": [{
"name": "AADGroup",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/${account.accountI...\$ref",
"httpMethod": "DELETE",
"httpHeaders": {
"Authorization": "Bearer ${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
},
{
"name": "DirectoryRole",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/${account....\$ref",
"httpMethod": "DELETE",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
}
]}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

venkat
New Contributor III
New Contributor III

getting same error.

 

below is the add json.

{
"call": [{
"name": "AADGroup",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
},
{
"name": "DirectoryRole",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
}
]
}

getting error

 

Are you using saviynt default entitlement_attribute configuration in import connection ?

can you check whether entitlement have entitlementid in data analyzer using below query

select entitlementid,entitlement_value from entitlement_values where entitlement_value='Autopilot-Test2'


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

venkat_0-1690811771415.png

 

venkat
New Contributor III
New Contributor III

i have not added anything in entitlement attribute, Can you provide me the default values for it

venkat_1-1690811897899.png

 

 

venkat
New Contributor III
New Contributor III

The Error in processGroupInTargetgroovy.lang.GroovyRuntimeException: Ambiguous method overloading for method java.lang.String#<init>.
Cannot resolve which method to invoke for [null] due to overlapping prototypes between:
[class [B]
[class [C]
[class java.lang.String]  error is got if you use AZURE AD connector to provision access or remove access.  I created another connection and used Azure Rest connection and it provisioned access and removed access

JohnLawson
Regular Contributor
Regular Contributor

Can you please elaborate? I'm having that ambiguous method overloading error for a different rest connection, but I'm also having issues removing AADGroups with the AAD connector. Did you get that resolved?

venkat
New Contributor III
New Contributor III

i used azureAD_provisioning_Template for adding and removing accounts from AADgroups. I did not remove AADgroups

Share json


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

venkat
New Contributor III
New Contributor III

it works in postman with same group and account

venkat_0-1690754784107.png