
AzureAD Connector: Filtering out guest account

pivitale
New Contributor III

Hi all,

Do you know if it is possible to apply a filter on the OOTB AAD connector to exclude the guest accounts from the import?

Regards


rushikeshvartak
All-Star

You can add your condition in ACCOUNTS_FILTER under connection

Your requirement condition should be 

NotIn(userPrincipalName,'azuretest')

https://saviynt.freshdesk.com/support/solutions/articles/43000463699-azure-ad-connector-guide

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters...

 

ACCOUNTS_FILTER

Specify this parameter to filter accounts during full and incremental account import from Azure AD. Sample value:

startswith(userPrincipalName,'azuretest')

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

pivitale
New Contributor III

Great @rushikeshvartak! It worked, but now what we observe is that the connector does not import the newly created "guest" accounts, but it doesn't suspend the accounts already present in Saviynt. Any idea?

Thank you very much for your help!

 

 

sahajranajee
Saviynt Employee

@pivitale ,

Azure often takes a few minutes to replicate objects across and be available in Graph API responses. Have you tried running the import later and seen them getting fetched?


Regards,
Sahaj Ranajee
Sr. Product Specialist

JustSalva
Regular Contributor

Hi,

Yes, we tried to run the import after some time, but the problem is not a data alignment one. Imported guest accounts that are now filtered out in the connector should be marked as "removed from import service" because they should be filtered out from the import stream.

 

What are the distinct account statuses for that endpoint?


Regards,
Rushikesh Vartak

JustSalva
Regular Contributor

In Saviynt: active, inactive, suspended from import service, and then the "ones managed directly by Saviynt", e.g. manually provisioned

In AAD we have the accountEnabled standard field so:

  • if true, the account in Saviynt is enabled
  • if false, disabled
  • for all accounts not in the import stream (either filtered out using the ACCOUNTS_FILTER "NotIn(userType,'Guest')" or not present anymore in the target system) I expect to obtain "SUSPENDED FROM IMPORT SERVICE"; this does not happen for accounts filtered out, they all remain active

N.B. in STATUS_THRESHOLD_CONFIG  "inactivateAccountsNotInFile" is set to false
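
Added example (not part of the original thread and not Saviynt code): an independent audit for the situation described in the post above, listing accounts that are still Active in an export of the endpoint although the filtered import no longer covers them. The Graph fields userPrincipalName, userType and accountEnabled are real; the CSV export layout, its column names and all sample values are assumptions constructed for illustration.

```python
import csv
import io
import json

# Constructed sample in the shape of a Microsoft Graph GET /users response
# ($select=userPrincipalName,userType,accountEnabled), all pages already merged.
GRAPH_USERS_JSON = """{"value": [
  {"userPrincipalName": "alice@contoso.example", "userType": "Member", "accountEnabled": true},
  {"userPrincipalName": "bob_partner.example#EXT#@contoso.example", "userType": "Guest", "accountEnabled": true},
  {"userPrincipalName": "carol@contoso.example", "userType": "Member", "accountEnabled": false}
]}"""

# Constructed sample: hypothetical CSV export of the endpoint's accounts.
# The column names "name" and "status" are assumptions, not a Saviynt format.
ACCOUNTS_CSV = """name,status
alice@contoso.example,Active
bob_partner.example#EXT#@contoso.example,Active
carol@contoso.example,Inactive
dave_vendor.example#EXT#@contoso.example,Active
erin_old.example#EXT#@contoso.example,SUSPENDED FROM IMPORT SERVICE
"""


def stale_active_accounts(graph_json, accounts_csv):
    """Return (account, reason) pairs for Active accounts the filtered import no longer covers."""
    users = {u["userPrincipalName"].lower(): u
             for u in json.loads(graph_json)["value"]}
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["status"].strip().lower() != "active":
            continue  # already inactive or suspended, nothing to flag
        user = users.get(row["name"].strip().lower())
        if user is None:
            findings.append((row["name"], "not present in Azure AD"))
        elif user.get("userType") == "Guest":
            findings.append((row["name"], "guest excluded by ACCOUNTS_FILTER"))
        elif not user.get("accountEnabled", False):
            findings.append((row["name"], "disabled in Azure AD"))
    return findings


if __name__ == "__main__":
    for name, reason in stale_active_accounts(GRAPH_USERS_JSON, ACCOUNTS_CSV):
        print(f"{name}: {reason}")
```
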

Can you share STATUS_THRESHOLD_CONFIG?


Regards,
Rushikesh Vartak

JustSalva
Regular Contributor

here you go:

 

{
  "statusAndThresholdConfig": {
    "accountThresholdValue": 200,
    "appAccountThresholdValue": 50,
    "correlateInactiveAccounts": true,
    "statusColumn": "customproperty14",
    "activeStatus": [
      "true"
    ],
    "deleteLinks": true,
    "inactivateAccountsNotInFile": false
  }
}

Any error in the logs? Is accountThresholdValue being exceeded?


Regards,
Rushikesh Vartak

sahajranajee
Saviynt Employee

@JustSalva ,

It's quite possible that your threshold value is being met once the filter is put. Could you look at the logs and confirm?


Regards,
Sahaj Ranajee
Sr. Product Specialist

JustSalva
Regular Contributor

Hi all,

No, we didn't observe any issue related to the threshold; the import job is scheduled and executes correctly.

sahajranajee
Saviynt Employee

@JustSalva 

The job is successful even when the threshold is met. Have you checked logs to confirm this behavior?


Regards,
Sahaj Ranajee
Sr. Product Specialist

JustSalva
Regular Contributor

Hi,

Yes, I've double-checked but there are no errors. The threshold is not even supposed to be met; in our test environment we have 6 AAD guest accounts.

Please try the statusAndThresholdConfig below:

{
  "statusAndThresholdConfig": {
    "accountThresholdValue": 1000,
    "appAccountThresholdValue": 100,
    "correlateInactiveAccounts": true,
    "statusColumn": "customproperty14",
    "activeStatus": [
      "true"
    ],
    "deleteLinks": true
  }
}

 


Regards,
Rushikesh Vartak

sahajranajee
Saviynt Employee

@JustSalva ,

If all of this checks out, could you also share logs from a successful import run?


Regards,
Sahaj Ranajee
Sr. Product Specialist

JustSalva
Regular Contributor

Here you can find the requested logs (for ecm and ecm-worker services), obtained executing the job with the suggested configuration:

JustSalva_0-1662122151619.png

 

sahajranajee
Saviynt Employee

@JustSalva 

I can see a few types of errors in the logs, also with respect to decryption for the same thread as the import. I would request you to raise this with Saviynt Support to get the logs and the error validated:

sahajranajee_0-1662358591922.png

 


Regards,
Sahaj Ranajee
Sr. Product Specialist