How to set up permissions to allow app to sync with Azure AD

Question

How to set up permissions to allow app to sync with Azure AD

Karl Parker 16

We are running an Enterprise App, Bob Provisioning, that syncs with our Azure AD, but the sync is failing for a few users. It seems to be all of the users that have the Billing Administrator role assigned. I have raised a ticket with the Software company that provide the app, and they said the following.

I can see in the sync report that the error you're getting is: "Make sure that all the required permissions are granted to the AzureAD account associated with this integration."
**
This means that you need to check in Azure whether these employees are admins in Azure.
If they are, you will need to add an additional permission to the Bob Enterprise app in Azure called "Directory.AccessAsUser.All" as per Azure docs.**
**
If they are Admins and these permissions were granted, and you still get the same errors, we would recommend escalating the matter to the Microsoft team as they will be able to advise on what additional permissions/steps should be performed on the Azure side.**

I have added the Directory. AccessAsUser.All permission, as suggested, but still getting the same problem when trying to Sync.

Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2023-03-10T00:05:21.7566667+00:00

Hi @Karl Parker ,

Could you clarify the exact error message you are receiving, which permissions you are trying to grant, and which documentation you are referencing? Depending on which permissions you are trying to add, the signed in user may need to be a Global Administrator, Security Administrator, Security Reader or User Administrator.

Depending on what you are trying to accomplish, you may also need to add User.Read and Directory.Read.All permissions to the app, and then grant admin consent on behalf of the users.
Kev Maitland 6 Reputation points

2023-06-09T07:52:37.22+00:00

We've had the same issue with HiBob, and their support had been underwhelming (Directory.AccessAsUser.All is a delegated permission, and the SCIM process uses Application permissions, so there's no possible this way that this could help). We removed AAD Roles from affected users (their user accounts that were being synced to Bob shouldn't have had any of these assigned anyway), which resolved the issue for most accounts. The last account had an admin role assigned in Exchange Online too, which doesn't show up in AAD. Removing all EXO Admin Roles seems to be a hidden prerequisite too.

2 answers

Your answer

Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2023-03-10T00:05:21.7566667+00:00

Hi @Karl Parker ,

Could you clarify the exact error message you are receiving, which permissions you are trying to grant, and which documentation you are referencing? Depending on which permissions you are trying to add, the signed in user may need to be a Global Administrator, Security Administrator, Security Reader or User Administrator.

Depending on what you are trying to accomplish, you may also need to add User.Read and Directory.Read.All permissions to the app, and then grant admin consent on behalf of the users.
Kev Maitland 6 Reputation points

2023-06-09T07:52:37.22+00:00

We've had the same issue with HiBob, and their support had been underwhelming (Directory.AccessAsUser.All is a delegated permission, and the SCIM process uses Application permissions, so there's no possible this way that this could help). We removed AAD Roles from affected users (their user accounts that were being synced to Bob shouldn't have had any of these assigned anyway), which resolved the issue for most accounts. The last account had an admin role assigned in Exchange Online too, which doesn't show up in AAD. Removing all EXO Admin Roles seems to be a hidden prerequisite too.

Answer 1

Did anyone find any solution to this? I have the exact same issue with HiBob - Azure AD provisioning, with the exception that a few users don't have any roles assigned and still fail.

For us this appeared late spring, before that all users with a admin role could be synced without problems. Also, assigning the app excessive API permissions does not help for me either.

What seem to work is this:

Removed admin role (billing admin) from one user
Manual sync in Bob (successful)
Added billing admin role back to the user
Sync continues to work

But this workaround is not applicable to the users without roles that fail to sync. No idea if this continues to work either.

Any advise is highly appreciated.

Answer 2

After a s**t load of troubleshooting I managed to solve this!

Test this first

Azure AD - Application Registrations - HiBob app - API Permissions. Add:

Directory.Read.All
Directory.ReadWrite.All
User.EnableDisableAccount.All
User.ManageIdentities.All
User.Read.All
User.ReadWrite.All

If you still cannot sync all users, continue with this:

Azure AD - Roles and administrators - add your application to the following roles:

User Administrator role
Global Administrator role

Some fields are classed as sensitive and might need extensive permissions.

https://learn.microsoft.com/en-gb/graph/api/resources/users?view=graph-rest-1.0#sensitive-actions-for-users

Share via

How to set up permissions to allow app to sync with Azure AD

2 answers

Your answer