
AzureAD ENTITLEMENT_FILTER_JSON Documentation

ShaneHSCor
New Contributor II

Hi All,

 

We are experiencing a large issue where the full incremental import is taking over 16 hours.

Looking to the community for solutions that have been used regarding the ENTITLEMENT_FILTER_JSON.

Believe we could reduce the time by filtering out some of the objects - do not want to do it in the custom job. Please share what strategies you all have been using. Has anyone used multi-threaded successfully?

 

9 REPLIES

rushikeshvartak
All-Star

Below are samples

{ "group_filter":"startswith('Azure-Security-PIM-',displayName ) or startswith('xx-MS-Team-Test-Group-',displayName) or displayName eq 'azure-group-awstest_production_851619321778_securityreader_global' or displayName eq 'TestApp' &$count=true"}	

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ShaneHSCor
New Contributor II

Thank you rushikeshvartak - from your example it looks like it's a comma delimited list of filters surrounded by curly brackets. That is helpful 🙂

In our situation, instead of a string match filter, we are looking to create a filter that would restrict the entitlement types at the Graph query level before it is parsed via the JSON. The data we are returning from Graph is taking an immense amount of time.

Also - has anyone run this as a multi-threaded job?

NM
Esteemed Contributor

Hi @ShaneHSCor, as per Saviynt doc suggestions it should be single-threaded only (5.5 version), so we went ahead with that only.

But for the rest we are using multi-threaded.


We add using multi-threaded job with thread as 17 count


Regards,
Rushikesh Vartak

Multithreaded with a low thread count is attractive - I do the same when running PowerShell against the Graph.

Has anyone created a filter that would restrict the entitlement types at the graph query level before it is parsed via the JSON?

Yes, we have used the below job-level custom access filters to just pull aadgroups

{
  "importEntTypes": {
    "AADGroup": {}
  },
  "excludeEntTypes": {
    "ApplicationInstance": {},
    "DirectoryRole": {},
    "Subscription": {},
    "Application": {},
    "DirectoryRoleMember": {},
    "SKU": {},
    "ServicePlans": {},
    "Team": {},
    "Channel": {},
    "MemberPermission": {},
    "GuestPermission": {}
  }
}

 

Refer to https://docs.saviyntcloud.com/bundle/AzureAD-v24x/page/Content/Customizing-Entitlement-Import.htm


Regards,
Rushikesh Vartak

ShaneHSCor
New Contributor II

Hi @rushikeshvartak - have you confirmed this hits the root graph query and not just select what is parsed as entitlement values?

  • Yes, we are using it for 3 Azure AD connections for a client

Regards,
Rushikesh Vartak

ShaneHSCor
New Contributor II

Thank you - we will try the following filter that has a few more:

Custom Import Config Job Filter

{
  "importEntTypes": {
    "AADGroup": {},
    "Team": {}
  },
  "excludeEntTypes": {
    "ApplicationInstance": {},
    "DirectoryRole": {},
    "Oauth2Permission": {},
    "AppRole": {},
    "Application": {},
    "SKU": {},
    "ServicePlans": {},
    "Channel": {},
    "MemberPermission": {},
    "GuestPermission": {}
  }
}
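
A pre-flight check for job filters like the two posted in this thread, as an added example that is not part of any post and is not Saviynt code. The helper name `lint_filter` is hypothetical, and treating a type listed under both `importEntTypes` and `excludeEntTypes` as a mistake is an assumption; the entitlement type names come from the posts above.

```python
import json

SECTIONS = ("importEntTypes", "excludeEntTypes")  # keys used in the thread's filters

def _track_duplicates(dupes):
    # json.loads silently keeps the last value of a repeated key; record repeats.
    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                dupes.append(key)
            obj[key] = value
        return obj
    return hook

def lint_filter(text):
    """Return a list of problems in a job filter (hypothetical helper)."""
    dupes = []
    try:
        doc = json.loads(text, object_pairs_hook=_track_duplicates(dupes))
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [f"duplicate key: {key}" for key in dupes]
    types = {}
    for name in SECTIONS:
        section = doc.get(name, {})
        if not isinstance(section, dict):
            problems.append(f"{name} must be an object")
            section = {}
        types[name] = set(section)
    # Assumption: a type listed in both sections is a mistake.
    for ent in sorted(types["importEntTypes"] & types["excludeEntTypes"]):
        problems.append(f"{ent} is both imported and excluded")
    return problems

# Filter from the last post in the thread, condensed.
THREAD_FILTER = '''{"importEntTypes": {"AADGroup": {}, "Team": {}},
 "excludeEntTypes": {"ApplicationInstance": {}, "DirectoryRole": {},
  "Oauth2Permission": {}, "AppRole": {}, "Application": {}, "SKU": {},
  "ServicePlans": {}, "Channel": {}, "MemberPermission": {},
  "GuestPermission": {}}}'''

# Constructed broken variant: "Team" in both sections, "SKU" repeated.
BROKEN_FILTER = '''{"importEntTypes": {"AADGroup": {}, "Team": {}},
 "excludeEntTypes": {"Team": {}, "SKU": {}, "SKU": {}}}'''

if __name__ == "__main__":
    for label, text in (("thread", THREAD_FILTER), ("broken", BROKEN_FILTER)):
        print(label, lint_filter(text) or "ok")
```

Running the check before pasting a filter into the import job catches a malformed or self-contradictory filter up front, which matters when a single import run takes many hours.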