Hi Experts,
We have 2 technical rules to assign the “M365-E5” group for the Microsoft 365 endpoint, with different conditions.
- Birthright_Payroll_E5
If Users.Status = 1 and Users.Employee Type in ('Payroll') and Users.Manager is not null and Users.Title not like ('%MPD%')
Then
Create Account on Microsoft 365
AND Assign Select Microsoft License Type::CN=M365-E5,OU=O365 License Group,OU=SystemUsers,DC=stjudetest,DC=sjcrh,DC=local
“Remove Birthright Access if condition fails” is selected.
- Birthright_NonPayroll_Students
If Users.Status = 1 and Users.Employee Type in ('Contractor') and Users.Title = 'Student' and Users.Manager is not null
Then
Create Account on Microsoft 365
AND Assign Select Microsoft License Type::CN=M365-E5,OU=O365 License Group,OU=SystemUsers,DC=stjudetest,DC=sjcrh,DC=local
As per the requirement, we selected the “Remove Birthright Access if condition fails” option for the Birthright_Payroll_E5 rule only.
When a user with the 'Contractor' employee type gets onboarded, or the conditions of the Birthright_NonPayroll_Students rule are satisfied for the user, it assigns the configured group.
But whenever the “Re-run all provisioning rule” triggers for such a user, it removes the assigned group, and the Remove Access task shows “Birthright Rule Fail”.
The group was assigned via the ‘Birthright_NonPayroll_Students’ rule, and ‘Remove Birthright Access if condition fails’ is not selected for this rule, yet it still removes the group.
This is not the expected behavior and we are looking for a fix for this.
Please add your inputs/thoughts here to understand the issue better.
PS: We already created a ticket with the Saviynt operation team, and they mentioned this would be a future enhancement.
Thank You,
Chandan Gowda
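
A minimal model of the re-run behaviour described in the post above, as an added example that is not part of the original post and is not Saviynt's code. The evaluation logic (a failing rule with the removal flag wins over another rule that still grants the same group), the function names and the sample user are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

GROUP = "M365-E5"  # short name for the group DN quoted in the post

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[dict], bool]
    entitlement: str
    remove_on_fail: bool  # "Remove Birthright Access if condition fails"

def _payroll(u):
    return (u["status"] == 1 and u["employee_type"] == "Payroll"
            and u["manager"] is not None and "MPD" not in u["title"])

def _student(u):
    return (u["status"] == 1 and u["employee_type"] == "Contractor"
            and u["title"] == "Student" and u["manager"] is not None)

RULES = [
    Rule("Birthright_Payroll_E5", _payroll, GROUP, remove_on_fail=True),
    Rule("Birthright_NonPayroll_Students", _student, GROUP, remove_on_fail=False),
]

def rerun(user, held, reconcile):
    """Re-run all rules; return (entitlements held afterwards, removal tasks).

    reconcile=False: each rule is judged alone (assumed model of the report).
    reconcile=True: a removal is skipped if any other rule still grants it.
    """
    granted = {r.entitlement for r in RULES if r.condition(user)}
    removals = []
    for r in RULES:
        if not r.remove_on_fail or r.condition(user) or r.entitlement not in held:
            continue
        if reconcile and r.entitlement in granted:
            continue  # still justified by another passing rule
        removals.append((r.name, r.entitlement, "Birthright Rule Fail"))
    return (set(held) | granted) - {e for _, e, _ in removals}, removals

def mixed_flag_entitlements(rules):
    """Entitlements assigned by several rules whose removal flags differ."""
    flags = {}
    for r in rules:
        flags.setdefault(r.entitlement, set()).add(r.remove_on_fail)
    return sorted(e for e, f in flags.items() if len(f) > 1)

# Constructed sample user matching only the students rule.
STUDENT = {"status": 1, "employee_type": "Contractor",
           "title": "Student", "manager": "mgr01"}
```

`mixed_flag_entitlements(RULES)` is the check to run over a rule export before enabling the removal option: any entitlement it returns is assigned by rules that disagree on removal and can be stripped from users who still qualify under another rule.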