
How to import only AAD groups in Azure AD connector

rashmirudrappa
New Contributor III

Hi 

We have a requirement to import only AAD groups in Saviynt Azure AD connector.

There is a sync between AD and Azure AD in our environment. Azure AD has both AD groups and AAD group. How to import only AAD groups in Azure AD connector.

Can we use ENTITLEMENT_FILTER_JSON? Any samples available?

Thank you

Rashmi


rashmirudrappa
New Contributor III

Hi,

In Saviynt EntitlementType for both AD and AAD group is same which is "AADGroup".

How to find out which entitlement is from AD and AAD in Saviynt?

Thank you

Rashmi

[screenshot attachment: rushikeshvartak_0-1675191962906.png]

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

There are certain attributes, like onPremisesSecurityIdentifier, which are populated only for groups synced from on-prem AD. With that you can probably filter the groups that are native to Azure AD. Check that you are pulling the attribute from Azure AD in your ENTITLEMENT_ATTRIBUTE JSON mapping.

Refer to this for ENTITLEMENT_FILTER_JSON samples. Check the version in the doc as well to confirm it's supported.

https://docs.saviyntcloud.com/bundle/Azure-AD-v2022x/page/Content/Configuring-the-Integration-for-Ac... 

{
  "group_filter": "onPremisesSecurityIdentifier eq null"
}

-Siva
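As an added illustration (not Saviynt's code, not Microsoft's, and not part of this thread), the following Python evaluates the filter above locally over constructed sample group records shaped like Microsoft Graph /groups results. It predicts how many groups the filter should let through, so that count can be compared with what the connector actually imports, and it shows the failure mode to check first: when onPremisesSecurityIdentifier is not among the attributes pulled, a null-equality filter matches every group and nothing is excluded. The sample SIDs, group names and the `project` helper are assumptions made for the example.

```python
"""Added example for this thread (not Saviynt's or Microsoft's code): evaluate the
group filter "onPremisesSecurityIdentifier eq null" locally over constructed
sample group records shaped like Microsoft Graph /groups results, to predict how
many groups the filter should let through and to show why the filter selects
everything when the attribute is not part of the pulled attribute set."""
from typing import Dict, Iterable, List, Optional, Tuple

Group = Dict[str, Optional[object]]

# Constructed sample data (not real tenant data). On Microsoft Graph group objects,
# onPremisesSecurityIdentifier holds the on-prem AD SID and is populated only for
# groups that were synced from AD; cloud-native Azure AD groups carry null.
# onPremisesSyncEnabled is true while sync is active, false if the object was
# synced once but sync has since been disabled, and null if it was never synced.
SAMPLE_GROUPS: List[Group] = [
    {"id": "g-001", "displayName": "App-CloudOnly-Readers",
     "onPremisesSecurityIdentifier": None, "onPremisesSyncEnabled": None},
    {"id": "g-002", "displayName": "FS-Finance-RW",
     "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1107",
     "onPremisesSyncEnabled": True},
    {"id": "g-003", "displayName": "M365-Project-Team",
     "onPremisesSecurityIdentifier": None, "onPremisesSyncEnabled": None},
    {"id": "g-004", "displayName": "VPN-Users",
     "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1201",
     "onPremisesSyncEnabled": True},
    {"id": "g-005", "displayName": "Cloud-Admins",
     "onPremisesSecurityIdentifier": None, "onPremisesSyncEnabled": None},
    # Originally synced from AD, sync since disabled: still carries the AD SID.
    {"id": "g-006", "displayName": "Legacy-Print-Operators",
     "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1302",
     "onPremisesSyncEnabled": False},
]


def project(group: Group, requested: Iterable[str]) -> Group:
    """Keep only the attributes the import actually requests. This models an
    attribute mapping that omits a field (a simplification assumed here)."""
    keep = set(requested)
    return {k: v for k, v in group.items() if k in keep}


def matches_filter(group: Group) -> bool:
    """Local evaluation of the thread's filter: onPremisesSecurityIdentifier eq null.
    A field that was never pulled also reads as null here, which is the trap:
    with the attribute absent, every group passes and nothing is excluded."""
    return group.get("onPremisesSecurityIdentifier") is None


def filter_groups(groups: Iterable[Group], requested: Iterable[str]) -> List[Group]:
    """Apply the filter to the projected view of each group."""
    keep = set(requested)
    return [g for g in groups if matches_filter(project(g, keep))]


def partition(groups: Iterable[Group]) -> Tuple[int, int]:
    """Count (cloud_native, synced_from_ad) from the full records."""
    records = list(groups)
    cloud_native = sum(1 for g in records if g.get("onPremisesSecurityIdentifier") is None)
    return cloud_native, len(records) - cloud_native


def inconsistent_records(groups: Iterable[Group]) -> List[str]:
    """Return ids where the two sync signals disagree (SID present without
    onPremisesSyncEnabled == True, or the reverse). Worth reviewing before
    trusting a filter that relies on one attribute alone."""
    bad = []
    for g in groups:
        has_sid = g.get("onPremisesSecurityIdentifier") is not None
        sync_on = g.get("onPremisesSyncEnabled") is True
        if has_sid != sync_on:
            bad.append(str(g["id"]))
    return bad


def diagnose(groups: Iterable[Group], requested: Iterable[str]) -> Dict[str, int]:
    """Summarise what the filter should return for a given attribute set, so the
    predicted count can be compared with the connector's imported count."""
    records = list(groups)
    cloud_native, synced = partition(records)
    return {
        "total": len(records),
        "cloud_native": cloud_native,
        "synced_from_ad": synced,
        "selected_by_filter": len(filter_groups(records, requested)),
    }


if __name__ == "__main__":
    with_attr = ["id", "displayName", "onPremisesSecurityIdentifier"]
    without_attr = ["id", "displayName"]
    print("attribute pulled:    ", diagnose(SAMPLE_GROUPS, with_attr))
    print("attribute not pulled:", diagnose(SAMPLE_GROUPS, without_attr))
    print("inconsistent records:", inconsistent_records(SAMPLE_GROUPS))
```

Running it shows the filter selecting 3 of 6 groups when the attribute is pulled and all 6 when it is not, which is the "same number of accesses as before" symptom: an unchanged import count after adding the filter is the first sign that the attribute is missing from the mapping rather than that the filter expression is wrong. The inconsistency check flags g-006 (SID present, sync disabled); such groups still carry the AD SID, so the filter treats them as on-prem, which is usually what you want.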

Hi Sivagami,

As per your suggestion, we tried the same in ENTITLEMENT_FILTER_JSON.

[screenshot attachment: sandeepverma_0-1675252651301.png]

We had "onPremisesSecurityIdentifier" in the Entitlement Attribute section.

[screenshot attachment: sandeepverma_1-1675252986557.png]

But while importing access we are getting the same number of accesses (#106) that already exist in the system.
The filter is not working as expected.

[screenshot attachment: sandeepverma_2-1675253182801.png]

Thanks

Do you see the filter applied in the logs?


Regards,
Rushikesh Vartak

Refer to https://forums.saviynt.com/t5/identity-governance/import-only-certain-groups-using-azure-ad-ootb-con...


Regards,
Rushikesh Vartak

Sivagami
Valued Contributor

You can create a custom_access import trigger for Azure AD and put in the import config as needed.

[screenshot attachment: Sivagami_0-1675174750872.png]

If you need only AADGroups to be pulled in, you can put something like below.

{
  "importEntTypes": {
    "AADGroup": {}
  },
  "excludeEntTypes": {
    "Team": {},
    "Channel": {},
    "MemberPermission": {},
    "GuestPermission": {},
    "ApplicationInstance": {},
    "InterAppOauthPermissions": {},
    "DirectoryRole": {},
    "Subscription": {},
    "Application": {},
    "DirectoryRoleMember": {},
    "SKU": {},
    "ServicePlans": {}
  }
}

Refer to the connector doc for more clarity - https://saviynt.freshdesk.com/support/solutions/articles/43000463699-azure-ad-connector-guide#AzureA...

-Siva