06/02/2023 07:48 AM - edited 06/02/2023 07:50 AM
Brand new AzureAD connector, account retrieval works fine, Add Access is successful.
When running wsretry on a Remove Access task, however, the task stays there without being applied.
Logs indicate the following:
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.557220681Z stdout F 2023-06-02 14:35:40,557 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Removing entitlement [Entitlement] to user [Identity]"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.598938555Z stdout F 2023-06-02 14:35:40,598 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - params.memento.removeAccessJSON: [call:[[name:AADGroup, connection:AzureADProvisioning, url:https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/${account.accountI...$ref, httpMethod:DELETE, httpHeaders:[Authorization:${access_token}], httpContentType:application/json, successResponses:[statusCode:[200, 201, 204, 205]]]]]"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.598967156Z stdout F 2023-06-02 14:35:40,598 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Total Call: 1"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.610149879Z stdout F 2023-06-02 14:35:40,609 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - connection: AzureADProvisioning"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.614748852Z stdout F 2023-06-02 14:35:40,614 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Task Response: null"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.614770653Z stdout F 2023-06-02 14:35:40,614 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Result: false"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.615181968Z stdout F 2023-06-02 14:35:40,615 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - in reinitializeAddAndRemoveAccessJson"
06/02/2023 07:52 AM
No provisioning comment or any other information is available:
06/02/2023 08:19 AM
Hi, can you please share more logs around pullObjectsByRest - responseStatusCode and "Call response:" to identify the exact problem? Also, I would recommend populating the ConfigJSON parameter in the REST connection being used for provisioning with the below value.
{
"showLogs": true
}
It will provide a detailed log for provisioning operations.
Thanks
06/02/2023 09:34 AM
Hi @khalidakhter,
I regenerated logs and I do see pullAcctEntObjectsByRest operations yielding a 200 responseStatusCode. However, I don't see this specific value anywhere: "Call response:"
"ecm-worker","2023-06-02T16:29:15.148+00:00","2023-06-02T16:29:14.372309088Z stdout F 2023-06-02 16:29:14,372 [quartzScheduler_Worker-7] DEBUG rest.RestUtilService - pullAcctEntObjectsByRest - responseStatusCode ::200"
ConfigJSON already contained the following:
{
"connectionTimeoutConfig": {
"connectionTimeout": 10,
"writeTimeout": 60
},
"showLogs": true
}
06/02/2023 10:02 AM
Hi,
Can you please confirm whether the membership got removed in Azure AD or not? Also, please provide details of the Group Type, as the Graph API is only supported for Microsoft 365 and Security groups.
06/02/2023 10:08 AM
Membership was not removed in AzureAD.
This is an AADGroup entitlement for which Add Access was successfully performed a few minutes prior.
06/02/2023 04:44 PM
Same behavior can be observed for CreateAccount as well. WSRetry runs and nothing seems even attempted at provisioning time.
Is it time for a Freshdesk ticket?
06/04/2023 08:16 PM
Share the entitlement type page screenshot.
06/04/2023 11:54 PM
Please share the mode of request and attach the provisioning JSON as well along with a detailed log.
06/05/2023 07:23 AM
Here is the entitlement type screenshot. I only included the first 3 as everything else is not requestable. The only change made there was to set the request option of SKU and DirectoryRole to None. AADGroup was "rebranded" to "Groupe d'accès AzureAD".
06/05/2023 07:27 AM
Hi @khalidakhter,
Access was requested through ARS, two approval levels (manager, resource owner). Log has been sanitized and appended. Also, here is the AddAccessJSON:
{"call":[{"name":"SKU","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/users/${account.accountID}/assignLicense","httpMethod":"POST","httpParams":"{\"addLicenses\": [{\"disabledPlans\": [],\"skuId\": \"${entitlementValue.entitlementID}\"}],\"removeLicenses\": []}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}},{"name":"DirectoryRole","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref","httpMethod":"POST","httpParams":"{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]},"unsuccessResponses":{"odata~dot#error.code":["Request_BadRequest","Authentication_MissingOrMalformed","Request_ResourceNotFound","Authorization_RequestDenied","Authentication_Unauthorized"]}},{"name":"AADGroup","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref","httpMethod":"POST","httpParams":"{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}},{"name":"ApplicationInstance","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/servicePrincipals/${entitlementValue.entitlementID}/appRoleAssigned...","httpMethod":"POST","httpParams":"{\"principalId\": \"${account.accountID}\", \"appRoleId\": \"${}\", \"resourceId\": \"${entitlementValue.entitlementID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}},{"name":"Team","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref","httpMethod":"POST","httpParams":"{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}}]}
06/05/2023 01:32 PM
Rebuilt the provisioning connection from scratch and set that as the provisioning connection in the security system, but same result.
Freshdesk ticket opened: 1634579
06/07/2023 01:48 AM - edited 06/07/2023 02:00 AM
Hi
Thanks for providing all the details. It seems like the connection name in the provisioning JSON does not match the authentication name in the connection JSON. Please make sure the connection JSON has the configuration for the AzureADProvisioning authentication.
That is why the provisioning trigger is not able to call the Graph API for any operation, due to the authorization mismatch.
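The mismatch described in this answer is easy to catch before a task ever reaches WSRetry: every `connection` value in the Add/Remove Access JSON has to resolve to a named authentication block in the connection's ConnectionJSON, and the call has to reference `${access_token}` so that block's token is actually used. The script below is an added example, not Saviynt's code or anything from this thread; it assumes ConnectionJSON keeps its named blocks under a top-level `authentications` object, uses placeholder tenant and token values, and abridges the thread's AddAccessJSON to two calls (with a constructed typo in one of them) and its RemoveAccessJSON to the single AADGroup call, whose truncated `url` is completed as `${account.accountID}/$ref` (an assumption).

```python
"""Cross-check Saviynt REST provisioning JSON against ConnectionJSON.

Added example, not Saviynt's own tooling.  Assumption: ConnectionJSON holds its
named authentication blocks under "authentications", and every provisioning
call selects one of them through its "connection" field.
"""
import json
from typing import Dict, List, Tuple

# Constructed, abridged ConnectionJSON.  Its only block is named "acctAuth",
# so a call saying "connection": "AzureADProvisioning" has nothing to bind to,
# which is the symptom in the thread ("Task Response: null", "Result: false").
# All values are placeholders.
CONNECTION_JSON_MISMATCH = json.dumps({
    "authentications": {
        "acctAuth": {
            "authType": "oauth2",
            "url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
            "httpMethod": "POST",
            "accessToken": "Bearer TOKEN-PLACEHOLDER",
        }
    }
})


def rename_authentication(connection_json: str, old: str, new: str) -> str:
    """Return ConnectionJSON with one authentication block renamed (the fix)."""
    doc = json.loads(connection_json)
    doc["authentications"][new] = doc["authentications"].pop(old)
    return json.dumps(doc)


# The corrected ConnectionJSON: a block whose name matches the provisioning calls.
CONNECTION_JSON_FIXED = rename_authentication(
    CONNECTION_JSON_MISMATCH, "acctAuth", "AzureADProvisioning")

# Abridged from the thread's RemoveAccessJSON log line; the member segment of
# the url is completed as "${account.accountID}/$ref" (assumption).
REMOVE_ACCESS_JSON = json.dumps({"call": [{
    "name": "AADGroup",
    "connection": "AzureADProvisioning",
    "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}"
           "/members/${account.accountID}/$ref",
    "httpMethod": "DELETE",
    "httpHeaders": {"Authorization": "${access_token}"},
    "httpContentType": "application/json",
    "successResponses": {"statusCode": [200, 201, 204, 205]},
}]})

# Two calls abridged from the thread's AddAccessJSON.  The second carries a
# constructed typo ("AzureADProvisoning") to show that per-call mistakes are
# reported individually, not only a globally missing block.
ADD_ACCESS_JSON = json.dumps({"call": [
    {"name": "AADGroup", "connection": "AzureADProvisioning",
     "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/$ref",
     "httpMethod": "POST",
     "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
     "httpHeaders": {"Authorization": "${access_token}"},
     "httpContentType": "application/json",
     "successResponses": {"statusCode": [200, 201, 204, 205]}},
    {"name": "SKU", "connection": "AzureADProvisoning",
     "url": "https://graph.microsoft.com/v1.0/users/${account.accountID}/assignLicense",
     "httpMethod": "POST",
     "httpHeaders": {"Authorization": "${access_token}"},
     "httpContentType": "application/json",
     "successResponses": {"statusCode": [200, 201, 204, 205]}},
]})


def check_provisioning_connections(connection_json: str,
                                   provisioning: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (json_label, call_name, problem) for every call that cannot obtain a token.

    Flags two conditions:
      * the call's "connection" is not a key under ConnectionJSON "authentications";
      * the call's Authorization header does not reference ${access_token}, so a
        matching block would still never be used.
    An empty list means every call resolves to an authentication block.
    """
    auth_names = set(json.loads(connection_json).get("authentications", {}))
    findings: List[Tuple[str, str, str]] = []
    for label, text in provisioning.items():
        for call in json.loads(text).get("call", []):
            name = call.get("name", "?")
            conn = call.get("connection")
            if conn not in auth_names:
                findings.append((label, name,
                                 f"connection '{conn}' not in authentications {sorted(auth_names)}"))
            headers = call.get("httpHeaders") or {}
            if "${access_token}" not in str(headers.get("Authorization", "")):
                findings.append((label, name, "Authorization header does not use ${access_token}"))
    return findings


if __name__ == "__main__":
    jsons = {"RemoveAccessJSON": REMOVE_ACCESS_JSON, "AddAccessJSON": ADD_ACCESS_JSON}
    for title, conn_json in (("before fix", CONNECTION_JSON_MISMATCH),
                             ("after fix", CONNECTION_JSON_FIXED)):
        print(f"== {title} ==")
        for finding in check_provisioning_connections(conn_json, jsons) or [("-", "-", "no findings")]:
            print("  ", *finding)
```

Run it against the real ConnectionJSON and provisioning JSON exported from the connection; any finding on a call means WSRetry will keep re-queuing that task because no token is ever obtained, exactly as the "Result: false" lines in the thread show.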
06/07/2023 05:17 AM
Thanks a lot @khalidakhter for this observation. Deployed in production, tested and confirmed working.
Much, much appreciated!!