
AzureAD Remove Access - NULL response

flegare
Regular Contributor III

Brand new AzureAD connector, account retrieval works fine, Add Access is successful.

When running wsretry on a Remove Access task, however, the task stays there without being applied.

Logs indicate the following:

"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.557220681Z stdout F 2023-06-02 14:35:40,557 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Removing entitlement [Entitlement] to user [Identity]"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.598938555Z stdout F 2023-06-02 14:35:40,598 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - params.memento.removeAccessJSON: [call:[[name:AADGroup, connection:AzureADProvisioning, url:https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/${account.accountI...$ref, httpMethod:DELETE, httpHeaders:[Authorization:${access_token}], httpContentType:application/json, successResponses:[statusCode:[200, 201, 204, 205]]]]]"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.598967156Z stdout F 2023-06-02 14:35:40,598 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Total Call: 1"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.610149879Z stdout F 2023-06-02 14:35:40,609 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - connection: AzureADProvisioning"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.614748852Z stdout F 2023-06-02 14:35:40,614 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Task Response: null"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.614770653Z stdout F 2023-06-02 14:35:40,614 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - Result: false"
"ecm-worker","2023-06-02T14:35:41.150+00:00","2023-06-02T14:35:40.615181968Z stdout F 2023-06-02 14:35:40,615 [quartzScheduler_Worker-5] DEBUG rest.RestProvisioningService - in reinitializeAddAndRemoveAccessJson"


flegare
Regular Contributor III

No provisioning comment or any other information is available.

khalidakhter
Saviynt Employee

Hi, can you please share more logs around "pullObjectsByRest - responseStatusCode" and "Call response:" to identify the exact problem? Also, I would recommend populating the ConfigJSON parameter of the REST connection used for provisioning with the value below.
{
    "showLogs": true
}

It will provide a detailed log for provisioning operations.

Thanks

flegare
Regular Contributor III

Hi @khalidakhter,

I regenerated the logs and I do see pullAcctEntObjectsByRest operations yielding a 200 responseStatusCode. However, I don't see this specific value anywhere: "Call response:"

"ecm-worker","2023-06-02T16:29:15.148+00:00","2023-06-02T16:29:14.372309088Z stdout F 2023-06-02 16:29:14,372 [quartzScheduler_Worker-7] DEBUG rest.RestUtilService - pullAcctEntObjectsByRest - responseStatusCode ::200"

ConfigJSON already contained the following:
{
    "connectionTimeoutConfig": {
        "connectionTimeout": 10,
        "writeTimeout": 60
    },
    "showLogs": true
}

khalidakhter
Saviynt Employee

Hi, 

Can you please confirm whether the membership was removed in Azure AD or not? Also, please provide details of the Group Type, as the Graph API is only supported for Microsoft 365 and Security groups.

flegare
Regular Contributor III

Membership was not removed in AzureAD.

This is an AADGroup entitlement for which Add Access was successfully performed a few minutes prior.

flegare
Regular Contributor III

The same behavior can be observed for CreateAccount as well. WSRetry runs and nothing even seems to be attempted at provisioning time.

Is it time for a Freshdesk ticket?

Share entitlement type page screenshot 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

khalidakhter
Saviynt Employee

Please share the mode of request and attach the provisioning JSON as well, along with a detailed log.

flegare
Regular Contributor III

Hi @rushikeshvartak,

Here is the entitlement type screenshot. I only included the first 3, as everything else is not requestable. The only change made there was to set the request option of SKU and DirectoryRole to None. AADGroup was "rebranded" to "Groupe d'accès AzureAD".

flegare
Regular Contributor III

Hi @khalidakhter,

Access was requested through ARS, with two approval levels (manager, resource owner). The log has been sanitized and appended. Also, here is the AddAccessJSON:
{"call":[{"name":"SKU","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/users/${account.accountID}/assignLicense","httpMethod":"POST","httpParams":"{\"addLicenses\": [{\"disabledPlans\": [],\"skuId\": \"${entitlementValue.entitlementID}\"}],\"removeLicenses\": []}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}},{"name":"DirectoryRole","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref","httpMethod":"POST","httpParams":"{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]},"unsuccessResponses":{"odata~dot#error.code":["Request_BadRequest","Authentication_MissingOrMalformed","Request_ResourceNotFound","Authorization_RequestDenied","Authentication_Unauthorized"]}},{"name":"AADGroup","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref","httpMethod":"POST","httpParams":"{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}},{"name":"ApplicationInstance","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/servicePrincipals/${entitlementValue.entitlementID}/appRoleAssigned...","httpMethod":"POST","httpParams":"{\"principalId\": \"${account.accountID}\", \"appRoleId\": \"${}\", \"resourceId\": \"${entitlementValue.entitlementID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}},{"name":"Team","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref","httpMethod":"POST","httpParams":"{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}}]}


flegare
Regular Contributor III

Rebuilt the provisioning connection from scratch and set it as the provisioning connection in the security system, but same result.

Freshdesk ticket opened: 1634579

khalidakhter
Saviynt Employee

Hi

Thanks for providing all the details. It seems the connection name in the provisioning JSON does not match the authentication name in the connection JSON. Please make sure the connection JSON has the configuration for the AzureADProvisioning authentication.

That is why the provisioning trigger is not able to call the Graph API for any operation: there is an authorization mismatch.

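The mismatch diagnosed above can be caught before a task ever runs. The following is an added example, not Saviynt's code: a Python lint that reads a REST connector's provisioning JSON and ConnectionJSON and flags every call whose `connection` value has no matching authentication block (it also flags empty `${}` placeholders, like the one in the ApplicationInstance call posted earlier in the thread). It assumes the ConnectionJSON keeps its auth blocks under an `authentications` key; the ConnectionJSON body and the authentication names are constructed.

```python
"""Lint a Saviynt REST connector provisioning JSON against its ConnectionJSON.

Added example (not Saviynt's code). Assumes the ConnectionJSON keeps its
auth blocks under "authentications", keyed by the name that each call's
"connection" field must reference. Names and bodies are constructed."""
import json
import re

# Constructed ConnectionJSON whose authentication is named "AzureAD", so it
# does not match the calls below (the mismatch the thread ends on).
CONNECTION_JSON = json.dumps({"authentications": {"AzureAD": {
    "authType": "oauth2",
    "url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
}}})
# Same block with the authentication renamed to what the calls reference.
FIXED_CONNECTION_JSON = CONNECTION_JSON.replace('"AzureAD"', '"AzureADProvisioning"')

# The AADGroup remove call from the thread's removeAccessJSON, as JSON.
REMOVE_ACCESS_JSON = json.dumps({"call": [{
    "name": "AADGroup",
    "connection": "AzureADProvisioning",
    "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}"
           "/members/${account.accountID}/$ref",
    "httpMethod": "DELETE",
    "httpHeaders": {"Authorization": "${access_token}"},
    "httpContentType": "application/json",
    "successResponses": {"statusCode": [200, 201, 204, 205]},
}]})

EMPTY_PLACEHOLDER = re.compile(r"\$\{\s*\}")   # e.g. "appRoleId": "${}"

def lint_provisioning_json(provisioning_json: str, connection_json: str) -> list[str]:
    """Return one finding per defect; an empty list means the JSON is consistent."""
    auths = set(json.loads(connection_json).get("authentications", {}))
    findings = []
    for call in json.loads(provisioning_json).get("call", []):
        name, conn = call.get("name"), call.get("connection")
        # A call whose connection names no authentication block never gets an
        # access token, so the Graph call is not made and the response is null.
        if conn not in auths:
            findings.append(f'{name}: connection "{conn}" has no authentication '
                            f'block (known: {sorted(auths)})')
        # A ${} with nothing inside cannot be resolved from account/entitlement data.
        for field in ("url", "httpParams"):
            if EMPTY_PLACEHOLDER.search(str(call.get(field, ""))):
                findings.append(f"{name}: empty ${{}} placeholder in {field}")
    return findings

if __name__ == "__main__":
    for finding in lint_provisioning_json(REMOVE_ACCESS_JSON, CONNECTION_JSON):
        print(finding)
```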

flegare
Regular Contributor III

Thanks a lot @khalidakhter for this observation. Deployed in production, tested and confirmed working.

Much, much appreciated!!

flegare
Regular Contributor III

Thanks a lot @khalidakhter for this observation. Deployed on production, tested repeatedly and confirmed working.

Much, much appreciated!