New Salesforce custom profile not available in user provisioning via Azure AD

Sander de Jong 6 Reputation points
2022-12-08T12:47:53.13+00:00

We use Azure AD user provisioning, to create and manage users in Salesforce. In itself this is working correctly. But... we have created a new (custom) profile in Salesforce (which Azure AD refers to as role) and this new profile is not being loaded into Azure AD. When creating a new user, we see our old custom profiles, but not the new one.

We started looking in the provisioning logs and saw a lot of "failed" entries. The first part of these logs reads like this:

The name, id, and claim properties of an app role in Azure AD must be unique. We are unable to update an app role as one or more properties are not unique. This is most commonly caused by having non-unique role names in the directory from which roles are being imported.

And then a bunch of non-unique profiles/roles are listed. These are all standard profiles, such as Standard User and System Administrator. They appear twice in the list.

Going back to the screen where we add users, sure enough, these double entries are there as well, each duplicate being an inactive choice. And some old custom profiles are shown, also inactive, but not the new one.

This has worked before, as we see the old custom profiles listed. But somewhere/somehow double entries have been added and now we are stuck.

What is the solution? I have no idea on how to remove those duplicate entries from Azure AD. In Salesforce, there are no duplicate profiles. And even if I could remove the duplicate entries from Azure AD, maybe they would be added again on the first provisioning run.


1 answer

JamesTran-MSFT 36,456 Reputation points Microsoft Employee
2022-12-14T20:01:02.227+00:00

    @Sander de Jong
    Thank you for your post and I apologize for the delayed response on this!

    Error Message:
    The name, id, and claim properties of an app role in Azure AD must be unique. We are unable to update an app role as one or more properties are not unique. This is most commonly caused by having non-unique role names in the directory from which roles are being imported.

    Issue:
    From your issue, I understand that you created a new Custom Profile within Salesforce, and this new Profile isn't being updated within Azure AD. Additionally, when creating new users, you see the old custom profiles but not the new one. Within the Provisioning logs, you see the above error message along with a list of non-unique profiles/roles (Standard User, System Admin, etc.) that appear twice.

    From your error message and issue description, I found an internal issue and spoke with our Provisioning team, which shared the below action plan.

    Troubleshooting:
    Note: If you aren't comfortable performing these steps, it's recommended to open a support request so our support engineers can work closer with you on this.

    1. Pause provisioning
    2. Remove duplicate roles from the manifest (this can be either from your App's Manifest or App roles blade)
    3. Restart the Synchronization Job
      3a. Within Azure Active Directory, navigate to your Salesforce Enterprise App and copy the ObjectID
      3b. Open Graph Explorer
      3c. List the synchronization jobs to get the Provisioning ID - GET https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/
      3d. Restart the synchronization job - POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart
    4. Ensure provisioning is enabled.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

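An added example, not part of the answer above, that does the same troubleshooting in a script: it checks a service principal's `appRoles` for the duplicate display names, ids or claim values the provisioning error complains about, drops the inactive duplicates so the cleaned list can be pasted back into the manifest, and runs the pause/restart/start actions of the synchronization job through Microsoft Graph. The `SAMPLE_ROLES` list and its GUIDs are constructed; `sp_object_id` and `token` (a Graph bearer token) are supplied by the caller.

```python
"""Find duplicate Salesforce app roles, strip the inactive copies, and drive the
Azure AD provisioning job (pause / restart / start) through Microsoft Graph.
Sample roles below are constructed, not read from a real tenant."""
import json
import urllib.request
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/beta"
UNIQUE_PROPS = ("displayName", "id", "value")  # all three must be unique per app

# Constructed manifest fragment: "Standard User" appears twice, second copy inactive
SAMPLE_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "displayName": "Standard User",
     "value": "Standard User", "isEnabled": True},
    {"id": "11111111-0000-0000-0000-000000000002", "displayName": "Standard User",
     "value": "Standard User", "isEnabled": False},
    {"id": "11111111-0000-0000-0000-000000000003", "displayName": "System Administrator",
     "value": "System Administrator", "isEnabled": True},
]

def find_duplicate_app_roles(app_roles):
    """For each uniqueness property, return {shared value: [role ids]} (len > 1 only)."""
    groups = {p: defaultdict(list) for p in UNIQUE_PROPS}
    for role in app_roles:
        for prop in UNIQUE_PROPS:
            groups[prop][role.get(prop)].append(role["id"])
    return {p: {k: ids for k, ids in g.items() if len(ids) > 1} for p, g in groups.items()}

def dedupe_app_roles(app_roles):
    """Keep one role per displayName, preferring an enabled copy. Only disabled
    copies are dropped: Azure AD refuses to delete a role that is still enabled."""
    kept = {}
    for role in app_roles:
        name = role["displayName"]
        if name not in kept or (role.get("isEnabled") and not kept[name].get("isEnabled")):
            kept[name] = role
    return list(kept.values())

def graph_call(path, token, method="GET"):
    """Minimal Graph request; POST job actions return 204 with an empty body."""
    req = urllib.request.Request(GRAPH + path, method=method,
                                 data=b"" if method == "POST" else None,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else resp.status

def job_action(sp_object_id, token, action):
    """Steps 1, 3 and 4 of the answer: run 'pause', 'restart' or 'start' on every
    synchronization job of the Salesforce service principal (its ObjectID)."""
    base = f"/servicePrincipals/{sp_object_id}/synchronization/jobs"
    jobs = graph_call(base, token)["value"]
    return [(j["id"], graph_call(f"{base}/{j['id']}/{action}", token, "POST")) for j in jobs]
```

Run `find_duplicate_app_roles` on the `appRoles` array from the app's manifest before editing it, and `dedupe_app_roles` gives the list to paste back; the job actions need the provisioning job paused first, as the answer says.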