
Issue Importing/Reconciling Manager attribute from AzureAD and Updating manager attribute in AzureAD

AMavurapu
New Contributor III

Hi All,

Successfully passed manager attribute value for high Authority/Admin account into AzureAD of the requester during the create account JSON. Manager as a second call in the create account JSON? Requirement is as per the below.

Manager

Mapped: userPrincipalName of manager’s primary Azure Active Directory account

CreateAccountJSON:

{
"accountIdPath": "call1.message.id",
"dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
"responseColsToPropsMap": {
"comments": "call1.message.displayName~#~char",
"displayName": "call1.message.displayName~#~char",
"accountID": "call1.message.id~#~char"
},
"call": [
{
"name": "call1",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/users",
"httpMethod": "POST",
"httpParams": "{\"accountEnabled\":\"true\",\"userPrincipalName\":\"adm-${user.systemUserName}@cpb-365.com\",\"displayName\":\"adm-${user.systemUserName}\",\"employeeType\":\"${user.employeeType}\",\"givenName\":\"${user.firstname}\",\"surname\":\"${user.lastname}\",\"mailNickname\":\"adm-${user.systemUserName}\",\"usageLocation\":\"${user.country}\",\"employeeId\":\"${user.employeeid}\",\"passwordProfile\":{\"forceChangePasswordNextSignIn\":\"true\",\"password\": \"*****\"}}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"statusCode": [
400,
403,
401,
404,
409,
501,
500
],
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
},
{
"name": "call2",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/users/${response.call1.message.id}/manager/\\$ref",
"httpMethod": "PUT",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/users/${usersManagerObj?.customproperty64}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
204
]
},
"unsuccessResponses": {
"statusCode": [
400,
403,
401,
404,
409,
501,
500
],
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
}
]
}

But the issue is Importing/Reconciling Manager attribute from AzureAD into Saviynt and also Updating manager attribute in AzureAD using below updateAccountJson.

UpdateAccountJSON:

{
"call": [{
"name": "call1",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/users/${account.accountID}",
"httpMethod": "PATCH",
"httpParams": "{\"manager\": \"${usersManagerObj?.customproperty64}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [200, 201, 204, 205]
}
}]
}

 

Thanks

Anitha Mavurapu

16 REPLIES

rushikeshvartak
All-Star

Is the issue in Provisioning / Import?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi Rushikesh,

I am seeing two issues here, one is importing manager attribute value from AzureAD High Authority / Admin Account into Saviynt account/customproperty31. Other issue is update Account provisioning is failing with the above updateAccountJSON. 

 

Thanks

Anitha Mavurapu 

Hi @AMavurapu 

Can you please share the account import json for the 1st issue?

What is the value present in the Customproperty54?

Also, on the update account JSON: are you able to get it working from Postman to update the manager value with the URL you are using in update account?

 

Thanks

Darshan

Hi Darshan,

Thanks for your response. Please find the AccountImportJSON below; customproperty64 is holding the GUID of the manager's primary AzureAD account.

AccountImportJSON:

{
"acctLabels":{
"customproperty1": "FirstName",
"customproperty2": "LastName",
"customproperty10": "AccountEnabled",
"customproperty21": "employeeId",
"customproperty22": "usageLocation",
"customproperty23": "displayName",
"customproperty24": "mailNickName",
"customproperty25": "employeeType",
"customproperty27": "onPremisesSyncEnabled",
"customproperty31": "manager"
},
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "userPrincipalName~#~char",
"customproperty1": "givenName~#~char",
"customproperty2": "surname~#~char",
"customproperty10": "accountEnabled~#~char",
"customproperty21": "employeeId~#~char",
"customproperty22": "usageLocation~#~char",
"customproperty23": "displayName~#~char",
"customproperty24": "mailNickName~#~char",
"customproperty25": "employeeType~#~char",
"customproperty27": "onPremisesSyncEnabled~#~char",
"customproperty31": "manager~#~char"
}
}

Thanks

Anitha Mavurapu

Please use the following in the ACCOUNT_IMPORT_FIELDS: 

id,userPrincipalName,displayName,givenName,surname,businessPhones,mailNickname,streetAddress,city,state,postalCode,accountEnabled,country,companyName,employeeId,employeeHireDate,givenName,jobTitle,preferredLanguage,manager,employeeType,department&$expand=manager

& mapping

"customproperty18":"manager.userPrincipalName~#~char",


Regards,
Rushikesh Vartak

AzureAD AccountImport Job failed with below error after updating Account_Import_Fields and mapping as you mentioned above. For your reference please find the changes below. Please let me know the corrections. Thanks in advance....

[Screenshot: AMavurapu_0-1708383345487.png]

Account_Attributes:

{
"acctLabels":{
"customproperty1": "FirstName",
"customproperty2": "LastName",
"customproperty10": "AccountEnabled",
"customproperty21": "employeeId",
"customproperty22": "usageLocation",
"customproperty23": "displayName",
"customproperty24": "mailNickName",
"customproperty25": "employeeType",
"customproperty27": "onPremisesSyncEnabled",
"customproperty18": "manager"
},
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "userPrincipalName~#~char",
"customproperty1": "givenName~#~char",
"customproperty2": "surname~#~char",
"customproperty10": "accountEnabled~#~char",
"customproperty21": "employeeId~#~char",
"customproperty22": "usageLocation~#~char",
"customproperty23": "displayName~#~char",
"customproperty24": "mailNickName~#~char",
"customproperty25": "employeeType~#~char",
"customproperty27": "onPremisesSyncEnabled~#~char",
"customproperty18": "manager.userPrincipalName~#~char"
}
}

Account_Import_Fields:

id,userPrincipalName,givenName,surname,accountEnabled,employeeId,usageLocation,displayName,mailNickName,employeeType,manager,onPremisesSyncEnabled,department&$expand=manager

Thanks

Anitha Mavurapu

It's an issue with your account filter.


Regards,
Rushikesh Vartak

Here is the Accounts_Filter:(startswith(userPrincipalName,'adm-')%20and%20onPremisesSyncEnabled%20ne%20true)

Thanks

Anitha Mavurapu

 

 

[Screenshot: rushikeshvartak_0-1708392512565.png]

Try the below:

startswith(userPrincipalName,'adm-') and onPremisesSyncEnabled eq false


Regards,
Rushikesh Vartak

Import --> https://forums.saviynt.com/t5/identity-governance/not-able-to-get-manager-upn-through-azuread-ootb-c...

 

Your update account JSON is wrong; use the one below.

{
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/users/${response.call1.message.id}/manager/\\$ref",
      "httpMethod": "PUT",
      "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/users/${usersManagerObj?.customproperty64}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      }
    }
  ]
}

Regards,
Rushikesh Vartak

Thanks for your response @rushikeshvartak. I tried using the above UpdateAccountJSON that you provided, but update Account task provisioning failed with the below provisioning comments.

[Screenshot: AMavurapu_0-1708369190336.png]

UpdateAccountJSON:

{
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/users/${response.call1.message.id}/manager/\\$ref",
      "httpMethod": "PUT",
      "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/users/${usersManagerObj?.customproperty64}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      }
    }
  ]
}

 

Thanks

Anitha Mavurapu

Updated url

 "url": "https://graph.microsoft.com/v1.0/users/${account.accountID}/manager/\\$ref",
  

Regards,
Rushikesh Vartak

Hi @rushikeshvartak ,

Thank you for your response.....Updated above URL that you provided in UpdateAccountJSON and it worked successfully updating manager attribute in AAD target system.

Thanks

Anitha Mavurapu
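The three UpdateAccountJSON variants from this thread, run through a small lint check. This is an added example, not part of the original posts and not Saviynt code; `lint_calls` and the variant constants are hypothetical names, and the check assumes a `${response.callN...}` binding only resolves after callN has run, which is what the fix above implies.

```python
import re

RESPONSE_REF = re.compile(r"\$\{response\.(\w+)\.")


def lint_calls(config):
    """Return findings for a connector JSON shaped like the ones in this thread."""
    findings, completed = [], set()
    for call in config.get("call", []):
        name = call.get("name", "?")
        url = call.get("url", "")
        params = call.get("httpParams", "")
        method = call.get("httpMethod", "")
        # Assumption: ${response.callN...} only has a value once callN has run.
        for ref in RESPONSE_REF.findall(url + params):
            if ref not in completed:
                findings.append(f"{name}: uses response of {ref} before it has run")
        # In Microsoft Graph, manager is a relationship, not a writable user property.
        if method == "PATCH" and '"manager"' in params:
            findings.append(f"{name}: manager sent as a PATCH property")
        if url.endswith("/manager/\\$ref") and '"@odata.id"' not in params:
            findings.append(f"{name}: manager/$ref body lacks @odata.id")
        completed.add(name)
    return findings


MGR = "${usersManagerObj?.customproperty64}"
USERS = "https://graph.microsoft.com/v1.0/users"
ODATA = '{"@odata.id":"' + USERS + "/" + MGR + '"}'

# Constructed from the three UpdateAccountJSON variants posted in the thread.
PATCH_VARIANT = {"call": [{"name": "call1", "httpMethod": "PATCH",
                           "url": USERS + "/${account.accountID}",
                           "httpParams": '{"manager": "' + MGR + '"}'}]}
RESPONSE_VARIANT = {"call": [{"name": "call1", "httpMethod": "PUT",
                              "url": USERS + "/${response.call1.message.id}/manager/\\$ref",
                              "httpParams": ODATA}]}
WORKING_VARIANT = {"call": [{"name": "call1", "httpMethod": "PUT",
                             "url": USERS + "/${account.accountID}/manager/\\$ref",
                             "httpParams": ODATA}]}

if __name__ == "__main__":
    for label, cfg in (("PATCH", PATCH_VARIANT), ("response", RESPONSE_VARIANT),
                       ("working", WORKING_VARIANT)):
        print(label, lint_calls(cfg))
```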

 

Are you able to map manager to the Account Owner tab in Saviynt?


Regards,
Rushikesh Vartak

AMavurapu
New Contributor III

Hi @rushikeshvartak,

Still seeing an issue with importing the manager attribute value from the AAD target into Saviynt. Could you please provide your suggestion to achieve this requirement? For your reference, please find the details below. Please let me know if you need more details; thanks in advance.

Manager attribute is holding the GUID of the manager's primary Azure AD account. 

Manager

Mapped: userPrincipalName of manager’s primary Azure Active Directory account

Account_Attributes:

{
"acctLabels":{
"customproperty1": "FirstName",
"customproperty2": "LastName",
"customproperty10": "AccountEnabled",
"customproperty21": "employeeId",
"customproperty22": "usageLocation",
"customproperty23": "displayName",
"customproperty24": "mailNickName",
"customproperty25": "employeeType",
"customproperty27": "onPremisesSyncEnabled",
"customproperty18": "manager"
},
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "userPrincipalName~#~char",
"customproperty1": "givenName~#~char",
"customproperty2": "surname~#~char",
"customproperty10": "accountEnabled~#~char",
"customproperty21": "employeeId~#~char",
"customproperty22": "usageLocation~#~char",
"customproperty23": "displayName~#~char",
"customproperty24": "mailNickName~#~char",
"customproperty25": "employeeType~#~char",
"customproperty27": "onPremisesSyncEnabled~#~char",
"customproperty18": "manager.userPrincipalName~#~char"
}
}

Account_Import_Fields:

id,userPrincipalName,givenName,surname,accountEnabled,employeeId,usageLocation,displayName,mailNickName,employeeType,manager,onPremisesSyncEnabled

 

Accounts_Filter:

(startswith(userPrincipalName,'adm-')%20and%20onPremisesSyncEnabled%20ne%20true)

 

Postman Validation:

[Screenshot: AMavurapu_0-1708942738425.png]

Available values for "onPremisesSyncEnabled" - null / false / true
 
Required:
Header: ConsistencyLevel = eventual

 

 

Thanks,

Anitha Mavurapu

jsatish
Regular Contributor

You can update the below value in ACCOUNT_IMPORT_FIELDS

id,userPrincipalName,givenName,surname,accountEnabled,employeeId,usageLocation,displayName,mailNickName,employeeType,manager,onPremisesSyncEnabled&$expand=manager
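How the `manager.userPrincipalName~#~char` mapping resolves against a Graph user object with and without `$expand=manager`. This is an added example, not part of the original posts and not Saviynt code; `resolve` and `map_account` are hypothetical names, the records are constructed, and treating `~#~char` as a type tag after the path is an assumption.

```python
def resolve(record, path):
    """Follow a dotted path through a Graph user object; '' if a step is missing."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return ""
        node = node[key]
    # Assumption: only scalars fit an account column, so objects and null map to ''.
    return "" if isinstance(node, (dict, list)) or node is None else str(node)


def map_account(record, cols_to_props):
    """Apply a colsToPropsMap; the text before '~#~' is taken as the path."""
    return {prop: resolve(record, spec.split("~#~")[0])
            for prop, spec in cols_to_props.items()}


# Constructed Graph user objects (ids and UPNs are made up).
# Without $expand=manager the navigation property is not in the object at all.
WITHOUT_EXPAND = {"id": "11111111-1111-1111-1111-111111111111",
                  "userPrincipalName": "adm-jdoe@example.com"}
WITH_EXPAND = dict(WITHOUT_EXPAND, manager={
    "@odata.type": "#microsoft.graph.user",
    "id": "22222222-2222-2222-2222-222222222222",
    "userPrincipalName": "boss@example.com"})
# Constructed edge case: manager key present but null.
NO_MANAGER = dict(WITHOUT_EXPAND, manager=None)

MAPPING = {"accountID": "id~#~char",
           "name": "userPrincipalName~#~char",
           "customproperty18": "manager.userPrincipalName~#~char"}

if __name__ == "__main__":
    for label, rec in (("expanded", WITH_EXPAND), ("not expanded", WITHOUT_EXPAND),
                       ("no manager", NO_MANAGER)):
        print(label, map_account(rec, MAPPING))
```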