
AzureAD provisioning issue

AdrianMarchis
New Contributor III

Hello!

We have an AzureAD connection set up, and during the provisioning flow, where we add/remove access (entitlements) for users, we encounter the following error:

The connection JSON used is the one from the configuration guide: Configuring the Integration for Provisioning and Deprovisioning (saviyntcloud.com)

Any idea what can be done to fix this? Account creation JSON is working, however, Add Access and Remove Access do not.

Thank you!


rushikeshvartak
All-Star

Please share the JSON used, and also confirm whether the same call works from Postman.

Refer https://forums.saviynt.com/t5/identity-governance/how-to-access-the-user-roles-information-when-prov...


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

AdrianMarchis
New Contributor III

Hi @rushikeshvartak 

{
    "call": [
        {
            "name": "SKU",
            "connection": "${connectionName}",
            "url": "https://graph.microsoft.com/v1.0/users/${account.accountID}/assignLicense",
            "httpMethod": "POST",
            "httpParams": "{\"addLicenses\": [{\"disabledPlans\": [],\"skuId\": \"${entitlementValue.entitlementID}\"}],\"removeLicenses\": []}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        },
        {
            "name": "DirectoryRole",
            "connection": "${connectionName}",
            "url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
            "httpMethod": "POST",
            "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            },
            "unsuccessResponses": {
                "odata~dot#error.code": [
                    "Request_BadRequest",
                    "Authentication_MissingOrMalformed",
                    "Request_ResourceNotFound",
                    "Authorization_RequestDenied",
                    "Authentication_Unauthorized"
                ]
            }
        },
        {
            "name": "AADGroup",
            "connection": "${connectionName}",
            "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
            "httpMethod": "POST",
            "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        },
        {
            "name": "ApplicationInstance",
            "connection": "${connectionName}",
            "url": "https://graph.microsoft.com/v1.0/users/${account.accountID}/appRoleAssignments",
            "httpMethod": "POST",
            "httpParams": "{\"principalId\": \"${account.accountID}\", \"id\": \"${}\", \"resourceId\": \"${entitlementValue.entitlementID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        },
        {
            "name": "Team",
            "connection": "${connectionName}",
            "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
            "httpMethod": "POST",
            "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        }
    ]
}

I tested the calls in Postman and could get it working for almost all. The SKU call is failing for us in Saviynt with the following error: 

  • Call response: {"error":{"code":"Request_BadRequest","message":"License assignment cannot be done for user with invalid usage location."

The usage location was correctly entered under customProperty19 as stated in the configuration guide.

rushikeshvartak
All-Star

The error message "License assignment cannot be done for user with invalid usage location" typically indicates an issue with the usage location of the user. Here are a few steps you can take to troubleshoot and potentially resolve this issue:
  1. Verify the Usage Location: Ensure that the usageLocation attribute is correctly set for the user in Azure AD. This should be set to a valid ISO 3166-1 alpha-2 country code (like "US", "CA", "GB", etc.).

  2. Check Custom Property Mapping: Verify that the custom property customProperty19 in Saviynt is correctly mapped to usageLocation in Azure AD. Ensure that it's correctly populated with a valid ISO country code.

  3. Check for Updates: Confirm that any changes made in Azure AD (like setting the usageLocation for the user) have been synchronized with Saviynt.

  4. Double-check Configuration: Review the configuration guide and ensure that all steps have been followed correctly. Sometimes, there might be additional steps or configurations required that are specific to Saviynt's implementation.

  5. Test in Postman: Since you mentioned that it works in Postman, verify the exact request and response from Postman to ensure that all necessary headers, parameters, and payload are correctly set.

  6. Review Error Details: Check if there are any additional details in the error response that might give more insight into the issue.

  7. Check Saviynt Logs: Look into the logs in Saviynt to see if there are more specific details or errors related to the license assignment.

  8. Azure AD Portal: Consider checking directly in the Azure AD portal to verify the user's usageLocation and ensure it's set correctly.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

AdrianMarchis
New Contributor III

Thank you @rushikeshvartak. We were able to fix it.

rushikeshvartak
All-Star

Please share the working JSON.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

AdrianMarchis
New Contributor III

{
    "accountIdPath": "call1.message.id",
    "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
    "responseColsToPropsMap": {
        "displayName": "call1.message.displayName~#~char",
        "name": "call1.message.userPrincipalName~#~char"
    },
    "call": [
        {
            "name": "call1",
            "connection": "${connectionName}",
            "url": "https://graph.microsoft.com/v1.0/users",
            "httpMethod": "POST",
            "httpParams": "{\"accountEnabled\":true,\"mailNickname\":\"${user.firstname}\",\"userPrincipalName\":\"${user.username}@email.com\",\"givenName\":\"${user.firstname}\",\"surname\":\"${user.lastname}\",\"displayName\":\"${user.firstname} ${user.lastname}\",\"usageLocation\":\"US\",\"passwordProfile\":{\"forceChangePasswordNextSignIn\":false,\"password\":\"${password}\"}}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        }
    ]
}

We added the usage location attribute in the CreateAccount JSON and set it to a static value.

This fixed the invalid usage location error.
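The failure and the fix above come down to what value ends up in usageLocation when the CreateAccount httpParams template is rendered for a user. The following is an added example, not code from the thread or from Saviynt: it renders a Saviynt-style template with a simple ${key} substitution (an assumption about how the placeholders resolve) and checks the usageLocation before the SKU call would run, so the mapped-attribute case that fails (empty customProperty19) and the static-value case that works can both be seen without calling Graph.

```python
import json
import re

# Added example (not from the thread or from Saviynt). Placeholder names follow
# the thread's ${user.*} convention; the substitution below is an assumption
# that approximates Saviynt's own rendering of httpParams.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")
# ISO 3166-1 alpha-2 codes are two upper-case letters; this checks the shape
# only, not membership in the official list (assumption: shape is enough here).
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")

# Constructed samples: the static-usageLocation form from the working
# CreateAccount JSON, and the customProperty19-mapped form from the guide.
STATIC_TEMPLATE = (
    '{"accountEnabled":true,"userPrincipalName":"${user.username}@email.com",'
    '"displayName":"${user.firstname} ${user.lastname}","usageLocation":"US"}'
)
MAPPED_TEMPLATE = STATIC_TEMPLATE.replace('"US"', '"${user.customProperty19}"')


def render(template: str, values: dict) -> str:
    """Substitute ${key} placeholders; unknown keys render as an empty string."""
    return PLACEHOLDER.sub(lambda m: str(values.get(m.group(1), "")), template)


def usage_location_problem(rendered_payload: str):
    """Return None if the payload carries a well-formed usageLocation, else a reason."""
    try:
        body = json.loads(rendered_payload)
    except json.JSONDecodeError as exc:
        return f"httpParams is not valid JSON after rendering: {exc.msg}"
    loc = body.get("usageLocation")
    if loc is None:
        return "usageLocation missing from CreateAccount payload"
    if not ISO_ALPHA2.match(loc):
        return f"usageLocation {loc!r} is not an ISO 3166-1 alpha-2 code"
    return None


def preflight(template: str, user: dict) -> dict:
    """Render the CreateAccount template for one user and report whether the
    later assignLicense (SKU) call can succeed with respect to usageLocation."""
    problem = usage_location_problem(render(template, user))
    return {"ok": problem is None, "reason": problem or "usageLocation is valid"}


if __name__ == "__main__":
    user = {"user.username": "jdoe", "user.firstname": "Jane", "user.lastname": "Doe"}
    print(preflight(STATIC_TEMPLATE, user))                      # ok
    print(preflight(MAPPED_TEMPLATE, user))                      # customProperty19 unset
    print(preflight(MAPPED_TEMPLATE, {**user, "user.customProperty19": "GB"}))
```

Running the same check against each user before provisioning shows which accounts would hit the invalid-usage-location error when usageLocation is mapped from customProperty19 rather than pinned to a static value.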