User provisioning NotEffectivelyEntitled

Michal Ziemba 261 Reputation points
2022-09-26T15:00:42.403+00:00

Hi,
When using the SAP SuccessFactors to Active Directory User Provisioning service, the default SkipOutOfScopeDeletions is set to FALSE.
Because we had some problems with getting the most recent employment information, encouraged by Microsoft Support, we changed three things:

  1. Set SkipOutOfScopeDeletions to "true"
  2. Changed the schema to fetch the latest active employment record based on this section: "Retrieving current active employment record"
  3. Set a scheduled task to restart the service every night with the Full parameter based on this article: "Restart synchronizationJob". It was done to sync terminated users, but it doesn't work as expected, as they are not updated (issue described below)

Since that time some users are not synced (it applies to terminated users in SuccessFactors).
When I try to sync them, they get skipped with the message:
SkipReason: NotEffectivelyEntitled

The User '14523' will be skipped due to the following reasons: 1) This object is not assigned to the application. If you did not expect the object to be skipped, assign the object to the application or change your scoping filter to allow all users and groups to be in scope for provisioning. 2) This object does not have required entitlement for provisioning. If you did not expect the object to be skipped, update the provisioning scope to 'Sync all users and groups' or assign the object to the application with entitlement of provisioning category 3) This object did not pass a scoping filter. If you did not expect the object to be skipped, please review your scoping filters and ensure that the object passes your specified scoping criteria.

I scope users using userId, as sometimes PersonIdExternal for terminated users in SuccessFactors is empty.
What I noticed is that I don't get userId from SuccessFactors for those users, and this might be the reason they fall out of scope.

As I read here, the user provisioning service doesn't require user assignments, but just to be on the safe side I set "Assignment required?" to NO in the application properties. In my opinion, this should automatically entitle all users, but correct me if I am wrong (at least for new hires and 98% of other users it works).

Can you explain the mechanism and help me to get it solved and have all users in scope synced, please?

PS.
When checking the configuration using the Graph API (GET https://graph.microsoft.com/beta/servicePrincipals/[object_id]/synchronization/secrets)
I can see:

        {  
            "key": "SyncAll",  
            "value": "false"  
        },  

Maybe it should be set to "true"?

/Mike

Microsoft Entra

Accepted answer
  1. Chetan Desai 981 Reputation points Microsoft Employee
    2022-09-29T18:38:17.62+00:00

    The error message shown above is misleading as app assignment is not relevant for HR-driven provisioning scenarios. I'll create a work item for engineering to fix this error message.

    Coming back to the issue, here is the logic to process terminations during SuccessFactors to AD provisioning initial sync & incremental sync cycles:

    • During the first initial sync (or whenever restart is initiated with the Full parameter), when we get "past termination records" where Active=0 (emplStatus!=[AUP] or activeEmploymentsCount=0), by design we skip these records as they are not active in the source HR system.
    • During incremental sync, when we detect a termination, i.e. when the Active flag switches from 1 to 0 (e.g. when emplStatus changes from A to T), we process it and disable the record in AD/Azure AD.

    Reason for skip logic: Consider a company that has been in business since 1990. This organization has an HR system with details of all ex-employees. Let's say this company decides to implement HR-driven provisioning on 1-Jan-2022. When we do the first initial sync on 1-Jan-2022, we don't want to process all ex-employees since 1990, as most of their accounts may not even be in IT systems like Active Directory. Including them in the scope of the first initial sync could lead to the creation of several inactive accounts in your on-premises AD. So, by design, we ignore past employees, and we start with a clean state of active employees as of 1-Jan-2022. In future incremental cycles we process termination transactions, disabling accounts as configured in the attribute mappings.

    If you are doing a "full restart" every night, this in effect will trigger an initial sync. As mentioned earlier, by design, the provisioning service skips "inactive users/terminated users" during initial sync, because during that time we are establishing a baseline of all "active" users that we need to manage going forward. Instead of using "full restart" to process terminated users, our recommendation is to simply allow the "incremental sync" to process the terminations.

    If there is an issue with "incremental sync" not processing terminations as expected, you can open a support case and we will take a look.
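The initial-versus-incremental termination logic described in the accepted answer, simulated in Python. This is an added illustration, not the provisioning service's own code; the record fields, the A/U/P status set and the sample userIds are assumptions taken from the answer's wording.

```python
# Simulation of the termination handling described in the accepted answer.
# Added illustration, not Microsoft's provisioning service code; record fields,
# the A/U/P status set and the sample data are assumptions/constructed.

ACTIVE_STATUSES = {"A", "U", "P"}  # emplStatus values counted as active ([AUP])


def is_active(record):
    """Active=1 unless emplStatus is outside [AUP] or activeEmploymentsCount is 0."""
    return (record["emplStatus"] in ACTIVE_STATUSES
            and record["activeEmploymentsCount"] > 0)


def initial_sync(records):
    """Initial sync (what a Full restart also runs): baseline of active workers.
    Past termination records (Active=0) are skipped, never disabled."""
    baseline, skipped = {}, []
    for r in records:
        if is_active(r):
            baseline[r["userId"]] = 1
        else:
            skipped.append(r["userId"])
    return baseline, skipped


def incremental_sync(baseline, records):
    """Incremental sync: an Active 1 -> 0 transition on a managed user yields a
    disable action. Returns (state, userIds to disable, unmanaged inactive ids)."""
    state, to_disable, ignored = dict(baseline), [], []
    for r in records:
        active = 1 if is_active(r) else 0
        prev = state.get(r["userId"])
        if prev == 1 and active == 0:
            to_disable.append(r["userId"])  # termination detected: disable in AD
        if prev is None and active == 0:
            ignored.append(r["userId"])     # never managed, stays out of scope
        else:
            state[r["userId"]] = active     # managed user or new hire
    return state, to_disable, ignored


# Constructed sample data: day 1 baseline, day 2 after one more termination.
DAY1 = [{"userId": "14523", "emplStatus": "T", "activeEmploymentsCount": 0},
        {"userId": "20001", "emplStatus": "A", "activeEmploymentsCount": 1}]
DAY2 = [{"userId": "14523", "emplStatus": "T", "activeEmploymentsCount": 0},
        {"userId": "20001", "emplStatus": "T", "activeEmploymentsCount": 0}]


def run_scenario(full_restart_each_night):
    """Compare letting incremental sync run against a nightly Full restart."""
    baseline, _ = initial_sync(DAY1)
    if full_restart_each_night:
        _, skipped = initial_sync(DAY2)  # re-baselines: 20001 skipped, never disabled
        return {"disabled": [], "skipped": skipped}
    _, disabled, ignored = incremental_sync(baseline, DAY2)
    return {"disabled": disabled, "skipped": ignored}
```

With the nightly Full restart the day-2 termination of 20001 is only ever skipped, which reproduces the symptom in the question; letting incremental sync run disables it.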


1 additional answer

  1. Danny Zollner 10,481 Reputation points Microsoft Employee
    2022-09-28T15:00:28.827+00:00

    This sentence that you provided in the comments answers the problem:

    For me, it might be related to the fact that the user is terminated in SuccessFactors (it still exists there but is inactive).

    Only active (non-terminated) workers can be provisioned from HR -> AD/AAD. As the worker is terminated, they are considered ineligible for provisioning to create a new AD/AAD user object.

    1 person found this answer helpful.
