Provisioning app: User has 2 approle assigned.

Tolga Urekli 5 Reputation points
2023-03-29T14:18:15.47+00:00

Hi All,

We have a problem related to sending the AppRole assignment value when provisioning user accounts.

Current provisioning app settings are:

  • 1 provisioning app, and we assigned Azure AD groups (12 groups) to this provisioning app
  • We created AppRoles and assigned each group a different role (12 roles in total)
  • So each group has an AppRole assigned
  • Then we would like to send the appRoleAssignment value as Department in the provisioning step for each user

Our issue here is, some users are members of more than 1 group. For example, I am a member of X and Y, and now I have 2 approles assigned for my account in the application.

We would like to define: if a user is a member of more than 1 group and is a member of X, then provision X as his/her approle.

Is it possible to define this with expression?

Regards

Tolga

Microsoft Entra ID

2 answers

  1. Konstantinos Passadis 17,286 Reputation points
    2023-03-30T01:50:56.87+00:00

    Hello @Tolga Urekli

    As we can read:

    • Groups. With an Azure AD Premium license plan, you can use groups to assign access to a SaaS application. Then, when the provisioning scope is set to Sync only assigned users and groups, the Azure AD provisioning service provisions or de-provisions users based on whether they're members of a group that's assigned to the application. The group object itself isn't provisioned unless the application supports group objects. Ensure that groups assigned to your application have the property "SecurityEnabled" set to "True".
    • Dynamic groups. The Azure AD user provisioning service can read and provision users in dynamic groups. Keep these caveats and recommendations in mind:
      • Dynamic groups can impact the performance of end-to-end provisioning from Azure AD to SaaS applications.
      • How fast a user in a dynamic group is provisioned or de-provisioned in a SaaS application depends on how fast the dynamic group can evaluate membership changes. For information about how to check the processing status of a dynamic group, see Check processing status for a membership rule.
      • When a user loses membership in the dynamic group, it's considered a de-provisioning event. Consider this scenario when creating rules for dynamic groups.
    • Nested groups. The Azure AD user provisioning service can't read or provision users in nested groups. The service can only read and provision users that are immediate members of an explicitly assigned group. This limitation of "group-based assignments to applications" also affects single sign-on (see Using a group to manage access to SaaS applications). Instead, directly assign or otherwise scope in the groups that contain the users who need to be provisioned.

    But when we read the filtering:

    Important

    • The IsMemberOf filter is not supported currently.
    • The members attribute on a group is not supported currently.
    • Filtering is not supported for multi-valued attributes.
    • Scoping filters will return "false" if the value is null / empty.

    I hope you can find another way !

    In case this answer was helpful, kindly mark it as Accepted!

    BR


  2. Sandeep G-MSFT 14,326 Reputation points Microsoft Employee
    2023-04-04T06:57:23.97+00:00

    @Tolga Urekli Thank you for posting the solution here on this platform. I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others" (https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer), I'll repost your solution in case you'd like to "Accept" the answer (https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread). To fix the issue you used the below expression:

        IIF(Count(AppRoleAssignmentsComplex([appRoleAssignments]))="1",
            Item(Split(AppRoleAssignmentsComplex([appRoleAssignments]), """), 8),
            IIF(Instr([appRoleAssignments], "G-DE-ELG", , )>"0", "G-DE-ELG",
            IIF(Instr([appRoleAssignments], "G-EN-ELG", , )>"0", "G-EN-ELG",
            IIF(Instr([appRoleAssignments], "G-FR-ELG", , )>"0", "G-FR-ELG",
            IIF(Instr([appRoleAssignments], "G-NL-ELG", , )>"0", "G-NL-ELG",
            IIF(Instr([appRoleAssignments], "G-PL-ELG", , )>"0", "G-PL-ELG",
            IIF(Instr([appRoleAssignments], "G-GP-Group-Employees", , )>"0", "G-GP-Group-Employees",
            "UK-Duplicate")))))))

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

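The precedence logic of that nested IIF expression, as an added Python model that is not part of the answer above or of the Entra provisioning engine: the list of dicts with a "role" key is a constructed stand-in for the multi-valued appRoleAssignments attribute, and the exact-match option goes beyond the expression, which uses an Instr() substring test and would therefore also match a longer role name that merely contains one of the wanted names.

```python
# Priority order taken from the nested IIF chain in the accepted answer:
# the first name in this list that the user holds wins, so a user who is
# in several groups (and so has several AppRoles) maps to one Department.
ROLE_PRIORITY = [
    "G-DE-ELG", "G-EN-ELG", "G-FR-ELG", "G-NL-ELG", "G-PL-ELG",
    "G-GP-Group-Employees",
]
FALLBACK = "UK-Duplicate"   # innermost default of the expression


def resolve_department(assignments, exact=True):
    """Return the single AppRole name to provision as Department.

    assignments: list of {"role": <AppRole display name>} dicts. This shape is
    a constructed assumption, not the real serialisation of appRoleAssignments.
    exact=False reproduces the Instr() substring test of the original
    expression; exact=True only accepts whole-name matches, which is the safer
    choice when the value later drives access decisions downstream.
    """
    names = [a.get("role", "") for a in assignments]
    if len(names) == 1:                 # the Count(...) = "1" branch
        return names[0]
    for wanted in ROLE_PRIORITY:        # the chain of IIF(Instr(...)) branches
        if exact:
            if wanted in names:
                return wanted
        elif any(wanted in n for n in names):
            return wanted
    return FALLBACK


if __name__ == "__main__":
    # Constructed sample users: one role, two roles, and a longer role name
    # ("G-DE-ELG-Admins" is made up) that a substring test would mis-match.
    single = [{"role": "G-FR-ELG"}]
    two_groups = [{"role": "G-NL-ELG"}, {"role": "G-DE-ELG"}]
    lookalike = [{"role": "G-DE-ELG-Admins"}, {"role": "G-PL-ELG"}]
    print(resolve_department(single))                    # G-FR-ELG
    print(resolve_department(two_groups))                # G-DE-ELG
    print(resolve_department(lookalike, exact=False))    # G-DE-ELG (substring)
    print(resolve_department(lookalike, exact=True))     # G-PL-ELG (exact)
```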