
AzureAD AddAccess Exception

flegare
Regular Contributor III

AzureAD was integrated using Application Onboarding.  Accounts/accesses import works successfully through Azure connector.  Add Access is giving off a 401 exception when attempting to add a known access to an existing account:

"ecm-worker","2023-06-02T02:15:29.426+00:00","2023-06-02T02:15:28.544430287Z stdout F 2023-06-02 02:15:28,544 [quartzScheduler_Worker-4] DEBUG rest.RestProvisioningService - Got Webservice API Response: [headers:[Transfer-Encoding: chunked, Content-Type: application/json, Vary: Accept-Encoding, Strict-Transport-Security: max-age=31536000, request-id: 37d7adbb-d011-4a64-b866-09a4ae900247, client-request-id: 37d7adbb-d011-4a64-b866-09a4ae900247, x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"BL02EPF0000ACBC"}}, WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", Date: Fri, 02 Jun 2023 02:15:27 GMT], responseText:{"error":{"code":"InvalidAuthenticationToken","message":"CompactToken parsing failed with error code: 80049217","innerError":{"date":"2023-06-02T02:15:28","request-id":"37d7adbb-d011-4a64-b866-09a4ae900247","client-request-id":"37d7adbb-d011-4a64-b866-09a4ae900247"}}}, cookies:[], statusCode:401]"

It appears the connector is not able to get a valid token back from the service.  Is this something that possibly has any other solution aside from rebuilding the connectionjson from scratch?

FWIW, I was able to add the account to a group through graph api call from Postman...


prashantChauhan
Saviynt Employee

Hi @flegare 

I hope you are aware that AzureAD uses the REST Connector for the Provisioning operations and has configured the same for your security system.

Are you trying to add a Group Entitlement to your User Account?

Please share the ConnectionJson and the AddAccess Json that is being used.

Also, refer to the documentation below for configuring the Integration for AzureAD Provisioning/Deprovisioning:

https://docs.saviyntcloud.com/bundle/AzureAD-v55x/page/Content/Configuring-the-Integration-for-Provi...

flegare
Regular Contributor III

The client used AOB to integrate the application and as such, we have no visibility over the connectionjson that was used.

I tried replacing the connectionjson entirely but that was not terribly efficient as wsretry actions did not get registered at all.  I will attempt this again later today.

flegare
Regular Contributor III

This part is resolved.  Rebuilding the connectionjson did the trick.
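
For triaging a 401 like the one logged in this thread, here is an added example (not code from Saviynt or from any poster) that parses the RestProvisioningService response line and runs a structural check on a bearer token. The function names, the shortened sample log and the accepted aud values are assumptions made for the example; claims are decoded without signature verification, for diagnosis only.

```python
import base64, json, re, time

# Accepted "aud" values for Microsoft Graph (resource URI and Graph's application ID).
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")

# Constructed sample: the log line from the first post, shortened to the fields used here.
SAMPLE_LOG = (
    'DEBUG rest.RestProvisioningService - Got Webservice API Response: [headers:[x-ms-ags-diagnostic: '
    '{"ServerInfo":{"Ring":"5"}}], responseText:{"error":{"code":"InvalidAuthenticationToken","message":'
    '"CompactToken parsing failed with error code: 80049217","innerError":'
    '{"request-id":"37d7adbb-d011-4a64-b866-09a4ae900247"}}}, cookies:[], statusCode:401]'
)

def parse_rest_response(line):
    """Extract HTTP status, Graph error code/message and request-id from one debug line."""
    status = re.search(r"statusCode:(\d+)", line)
    out = {"status": int(status.group(1)) if status else None,
           "code": None, "message": None, "request_id": None}
    start = line.find("responseText:")
    if start == -1:
        return out
    try:  # raw_decode stops at the end of the JSON body and ignores the rest of the line
        body, _ = json.JSONDecoder().raw_decode(line, start + len("responseText:"))
    except json.JSONDecodeError:
        return out
    err = body.get("error") if isinstance(body, dict) else None
    if isinstance(err, dict):
        out["code"], out["message"] = err.get("code"), err.get("message")
        out["request_id"] = (err.get("innerError") or {}).get("request-id")
    return out

def inspect_bearer(token, now=None, audiences=GRAPH_AUDIENCES):
    """Structural triage only: claims are decoded WITHOUT signature verification."""
    parts = (token or "").strip().split(".")
    if len(parts) != 3 or not all(parts):
        return ["not a three-segment JWT"]
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    findings = []
    if claims.get("aud") not in audiences:
        findings.append("aud %r is not Microsoft Graph" % (claims.get("aud"),))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        findings.append("token expired or exp missing")
    return findings
```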