11/30/2023 02:23 AM
Hi,
We have onboarded Azure AD as an application in Saviynt. As part of the requirements, we need to import the Azure AD accounts and entitlements.
For entitlement import, we need to import the following types of groups:
We have configured the connection and the job to import SKU & DirectoryRole groups. For SKU, we are getting all SKU groups as entitlements in Saviynt + their membership after running import jobs.
However, for DirectoryRole, although we are able to fetch all the roles into Saviynt, their membership is not getting imported.
We have verified that the client that we are using in Azure AD connection has the required permission to read DirectoryRole membership.
Please advise.
12/03/2023 10:10 PM
Hello @kunal_saxena,
Can you please share the importjson and the endpoint_filter?
Thanks.
12/04/2023 01:28 AM
Hi @sudeshjaiswal ,
We have created a connection of type AzureAD. Within the connection, we cannot find any field for importjson or endpoint_filter. We have configured account_attributes and entitlement_attribute.
ACCOUNT_ATTRIBUTES:
{
  "acctLabels": {
    "customproperty1":"Given Name",
    "customproperty2":"Surname",
    "customproperty3":"BusinessPhones",
    "customproperty4":"Company Name",
    "customproperty5":"MobilePhone",
    "customproperty6":"OfficeLocation",
    "customproperty7":"PreferredLanguage",
    "customproperty8":"User Type",
    "customproperty9":"Job Title",
    "customproperty10":"Account Enabled",
    "customproperty11":"DirSync Enabled",
    "customproperty12":"Immutable ID",
    "customproperty14":"Last DirSyncTime",
    "customproperty15":"On-Premise Security Identifier",
    "customproperty16":"City",
    "customproperty17":"Country",
    "customproperty18":"Department",
    "customproperty19":"UsageLocation",
    "customproperty20":"Employee ID"
  },
  "colsToPropsMap": {
    "accountID":"id~#~char",
    "Name":"userPrincipalName~#~char",
    "displayName":"displayName~#~char",
    "status":"accountEnabled~#~char",
    "customproperty1":"givenName~#~char",
    "customproperty2":"surName~#~char",
    "customproperty3":"businessPhones~#~char",
    "customproperty4":"mail~#~char",
    "customproperty5":"mobilePhone~#~char",
    "customproperty6":"officeLocation~#~char",
    "customproperty7":"preferredLanguage~#~char",
    "customproperty8":"userType~#~char",
    "customproperty9":"jobtitle~#~char",
    "customproperty10":"accountEnabled~#~char",
    "customproperty11":"onPremisesSyncEnabled~#~char",
    "customproperty12":"onPremisesImmutableId~#~char",
    "customproperty14":"onPremisesLastSyncDateTime~#~char",
    "customproperty15":"onPremisesSecurityIdentifier~#~char",
    "customproperty16":"city~#~char",
    "customproperty17":"country~#~char",
    "customproperty18":"department~#~char",
    "customproperty19":"usageLocation~#~char",
    "customproperty20":"employeeId~#~char"
  }
}
ENTITLEMENT_ATTRIBUTE:
{
  "entitlementAttribute": {
    "DirectoryRole": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "customproperty4": "description~#~char",
        "customproperty6": "deletedDateTime~#~char",
        "customproperty8": "roleTemplateId~#~char"
      }
    },
    "SKU": {
      "colsToPropsMap": {
        "entitlementID": "skuId~#~char",
        "entitlement_value": "skuPartNumber~#~char",
        "customproperty1": "appliesTo~#~char",
        "customproperty2": "capabilityStatus~#~char",
        "customproperty5": "consumedUnits~#~char",
        "customproperty7": "prepaidUnits~#~listAsString"
      }
    }
  }
}
Thanks,
Kunal
12/04/2023 10:24 PM
Hello @kunal_saxena,
Thanks for sharing the JSON, it looks fine to me.
Can you please share the Postman snapshot for the SKU and DirectoryRole and how their memberships are nested?
Thanks.
12/06/2023 01:50 AM
Hi @sudeshjaiswal , Thank you for reviewing the JSONs.
1st screenshot shows the request for fetching directory roles:
2nd screenshot shows the request to get directory role membership:
12/07/2023 09:36 PM
Please check that the service account has the required permissions:
https://learn.microsoft.com/en-us/graph/permissions-reference
12/07/2023 09:28 PM
Hello @kunal_saxena,
Can you please confirm if the access import job is failing? If directory role members don't get imported, the job will fail.
Also, I would recommend checking the API permissions.
Thanks.
12/07/2023 11:21 PM
Hi @rushikeshvartak , @sudeshjaiswal ,
Service account has the required permissions, since we are using the same account through postman and are able to retrieve the Directory Role membership.
Also, access import job is successful.
Thanks,
Kunal
12/20/2023 12:58 AM
The issue got resolved by adding DirectoryRoleMember in the Entitlement Import job > Import Config section:
{
  "importEntTypes": {
    "DirectoryRole": {},
    "DirectoryRoleMember": {},
    "SKU": {}
  },
  "excludeEntTypes": {
    "AADGroup": {},
    "Team": {},
    "Channel": {},
    "MemberPermission": {},
    "GuestPermission": {},
    "ApplicationInstance": {},
    "Subscription": {},
    "Application": {},
    "ServicePlans": {}
  }
}
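An added example, not part of the thread and not Saviynt code: a small Python lint that applies the fix above to an import job config, so a DirectoryRole import that would silently bring in roles without members is caught before the job runs. The function name, the pairing table and the "before" config are assumptions constructed for illustration; only the DirectoryRole/DirectoryRoleMember pairing comes from the thread.

```python
import json

# Parent type -> membership type that must be imported with it.
# Only this pairing is confirmed by the thread; extend it from vendor docs.
REQUIRED_MEMBER_TYPES = {"DirectoryRole": "DirectoryRoleMember"}


def lint_import_config(import_config, entitlement_attribute):
    """Return sorted findings for an entitlement import job config (hypothetical helper)."""
    imported = set(import_config.get("importEntTypes", {}))
    excluded = set(import_config.get("excludeEntTypes", {}))
    mapped = set(entitlement_attribute.get("entitlementAttribute", {}))
    findings = []
    for parent, member in REQUIRED_MEMBER_TYPES.items():
        if parent in imported and member not in imported:
            findings.append(f"{parent} imported without {member}: "
                            "roles will arrive with no membership")
    for ent_type in imported & excluded:
        findings.append(f"{ent_type} is in both importEntTypes and excludeEntTypes")
    for ent_type in mapped - imported:
        findings.append(f"{ent_type} has an attribute mapping but is not imported")
    return sorted(findings)


# Attribute mapping keys as posted in the thread (column maps trimmed).
ENT_ATTR = json.loads('{"entitlementAttribute": {"DirectoryRole": {}, "SKU": {}}}')

# Constructed "before" config: the thread only shows the corrected version.
BEFORE = json.loads("""
{"importEntTypes": {"DirectoryRole": {}, "SKU": {}},
 "excludeEntTypes": {"AADGroup": {}, "Team": {}}}
""")

# Corrected config from the thread (exclude list shortened).
AFTER = json.loads("""
{"importEntTypes": {"DirectoryRole": {}, "DirectoryRoleMember": {}, "SKU": {}},
 "excludeEntTypes": {"AADGroup": {}, "Team": {}}}
""")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        issues = lint_import_config(cfg, ENT_ATTR)
        print(label, "->", issues or "no findings")
```

The job in this thread finished successfully while the role membership was missing, so a check of this kind is worth running separately from job status.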
01/23/2024 02:29 PM
Did you have to make any changes to your connection config? Or was the job import config enough?
Does it show if the role is eligible or permanent?