08/22/2022 03:17 AM
Hi all,
Do you know if it is possible to apply a filter on the OOTB AAD connector to exclude the guest accounts from the import?
Regards
08/22/2022 08:27 AM
You can add your condition in ACCOUNTS_FILTER under connection.
Your requirement condition should be:
NotIn(userPrincipalName,'azuretest')
https://saviynt.freshdesk.com/support/solutions/articles/43000463699-azure-ad-connector-guide
ACCOUNTS_FILTER: Specify this parameter to filter accounts during full and incremental account import from Azure AD. Sample value: startswith(userPrincipalName,'azuretest')
08/25/2022 07:17 AM
Great @rushikeshvartak! It worked, but now what we observe is that the connector does not import the newly created "guest" accounts, but it doesn't suspend the accounts already present in Saviynt. Any idea?
Thank you very much for your help!
08/28/2022 11:08 PM
Azure often takes a few minutes to replicate objects across and be available in Graph API responses. Have you tried running the import later and seen them getting fetched?
08/31/2022 01:23 AM
Hi,
Yes, we tried to run the import after some time, but the problem is not a data alignment one. Imported guest accounts that are now filtered out in the connector should be marked as "removed from import service" because they should be filtered out from the import stream.
08/31/2022 10:41 AM
What are the distinct account statuses for that endpoint?
09/01/2022 12:20 AM
In Saviynt: active, inactive, suspended from import service, and then the "ones managed directly by Saviynt", e.g. manually provisioned.
In AAD we have the accountEnabled standard field so:
N.B. in STATUS_THRESHOLD_CONFIG "inactivateAccountsNotInFile" is set to false
09/01/2022 07:25 AM
Can you share STATUS_THRESHOLD_CONFIG?
09/01/2022 07:27 AM
Here you go:
{
  "statusAndThresholdConfig": {
    "accountThresholdValue": 200,
    "appAccountThresholdValue": 50,
    "correlateInactiveAccounts": true,
    "statusColumn": "customproperty14",
    "activeStatus": [
      "true"
    ],
    "deleteLinks": true,
    "inactivateAccountsNotInFile": false
  }
}
09/01/2022 07:34 AM
Any error in the logs? Is accountThresholdValue being exceeded?
09/01/2022 07:33 AM
@JustSalva ,
It's quite possible that your threshold value is being met once the filter is put. Could you look at the logs and confirm?
09/01/2022 07:37 AM
Hi all,
No, we didn't observe any issue related to the threshold; the import job is scheduled and executes correctly.
09/01/2022 07:40 AM
@JustSalva
The job is successful even when the threshold is met. Have you checked logs to confirm this behavior?
09/01/2022 07:45 AM
Hi,
Yes, I've double-checked but there are no errors. The threshold is not even supposed to be met; in our test environment we have 6 AAD guest accounts.
09/01/2022 10:51 AM
Please try the statusAndThresholdConfig below:
{
  "statusAndThresholdConfig": {
    "accountThresholdValue": 1000,
    "appAccountThresholdValue": 100,
    "correlateInactiveAccounts": true,
    "statusColumn": "customproperty14",
    "activeStatus": [
      "true"
    ],
    "deleteLinks": true
  }
}
09/01/2022 07:47 AM
@JustSalva ,
If all of this checks out, could you also share logs from a successful import run?
09/02/2022 05:39 AM
09/04/2022 11:16 PM
@JustSalva
I can see a few types of errors in the logs. Also with respect to decryption for the same thread as the import. I would request you to raise this with Saviynt Support to get the logs and the error validated :