Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Application Scoping Filter Evaluated Incorrectly by Incremental Provisioning Cycle
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 60%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Anil Mawji
0
Reputation points
I am using a scoping filter on top of users/groups to control provisioning to an enterprise application called Keeper Password Manager - following this tutorial.
To apply the scoping filter, I deployed a function app which ties a custom extension attribute on each user to membership in a specific security group. The function executes every 5 minutes, and essentially updates the extension attribute on users who are in the group to TRUE, and updates the extension attribute on users who are NOT in the group to NULL.
Intended sequence of steps when a user is added to the security group:
- Function executes: extension attribute is set to TRUE for user
- Application provisioning cycle runs: scoping filter evaluates to TRUE for user since extension attribute is TRUE for the user
- User is granted access to the app
Intended sequence of steps when a user is removed from the security group:
- Function executes: extension attribute is set to NULL for user
- Application provisioning cycle runs: scoping filter evaluates to FALSE for user since extension attribute is NULL for the user
- User is deprovisioned from the app
All steps except steps 2 and 3 of removing a user from the group behave as intended. When I remove a user from the security group, the function sets the extension attribute to NULL as intended, but the scoping filter still passes and thus the user is never actually deprovisioned from the app.
Scoping filter for the app:
Provisioning details of the app:
Code for the function app:
Import-Module -Name Microsoft.Graph.Authentication
Import-Module -Name Microsoft.Graph.Users
Import-Module -Name Microsoft.Graph.Groups
Import-Module -Name Microsoft.Graph.Applications
Connect-MgGraph -Identity -NoWelcome
# Name of the extension attribute
$extensionPropertyName = "extension_d21b98d1dac8483bad5684b1cc44ceb8_KeeperLicense"
# Security group object id
$keeperPasswordManagerUsersGroupId = "8e2ace19-422a-4d02-a5d8-1faf01a65777"
$tobelicensedUsers = Get-MgGroupMember -GroupId $keeperPasswordManagerUsersGroupId -All | Foreach-Object { ,$_.Id }
$keeperEnabledUsers = Get-MgUser -Filter "extension_d21b98d1dac8483bad5684b1cc44ceb8_KeeperLicense eq true" -All | Foreach-Object { ,$_.Id }
if ($keeperEnabledUsers -eq $null) { $keeperEnabledUsers = @() }
# Ids of users that need to be provisioned
$add = Compare-Object $tobelicensedUsers $keeperEnabledUsers | Where-Object { $_.SideIndicator -eq '<=' } | Foreach-Object { $_.InputObject }
# Ids of users that need to be deprovisioned
$remove = Compare-Object $tobelicensedUsers $keeperEnabledUsers | Where-Object { $_.SideIndicator -eq '=>' } | Foreach-Object { $_.InputObject }
# Update attribute to true for users that need provisioning
$add | Foreach-Object `
{
$json = '{ "extension_d21b98d1dac8483bad5684b1cc44ceb8_KeeperLicense": true }'
Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/users/$_" -Body $json -Debug
}
# Update attribute to null for users that need deprovisioning
$remove | Foreach-Object `
{
$json = '{ "extension_d21b98d1dac8483bad5684b1cc44ceb8_KeeperLicense": null }'
Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/users/$_" -Body $json
}
$groups = Get-MgGroup -All
# Groups that have been assigned to the application
$keeperUsers = $groups | Where-Object { $_.DisplayName -like "Keeper Password Manager Users" }
$projectGroups = $groups | Where-Object { $_.DisplayName -like "PG*" }
$filteredGroups = $keeperUsers + $projectGroups
$applicationObjectId = "ba0bd903-e02c-4bee-b2d8-1ae81c3d0a6c"
$userRoleId = "63a9859a-24d2-4d35-a412-b97549968424"
$existingAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $applicationObjectId -All | Where-Object { $_.PrincipalType -eq 'Group' } | Foreach-Object { ,$_.PrincipalId }
$toAssign = $filteredGroups | Where { -not $existingAssignments -contains $_.Id }
# Provision users with the user role
$toAssign | ForEach-Object { New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $applicationObjectId -ResourceId $applicationObjectId -PrincipalId $_.Id -AppRoleId $userRoleId }
My user account is not in the security group:
Function app executes successfully without errors:
Extension attribute is updated as intended by the function, as tested with the following command:
Get-MgUser -Filter "extension_d21b98d1dac8483bad5684b1cc44ceb8_KeeperLicense eq true" -All | Foreach-Object { ,$_.UserPrincipalName }
- My user account "******@company.com" is not present in the list as expected
Provisioning logs reveals my user is "Skipped" when I should actually be deprovisioned, because Azure incorrectly thinks that the attribute is still set to TRUE even though it is NOT.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,686 Reputation points Microsoft Employee Moderator2023-12-19T08:21:20.92+00:00 @Anil Mawji Thank you for reaching out to us, Reviewed your above ask, what is the data type of your extension attribute (mentioned above) ?
Assuming this attribute as boolean as you are using operator value as Is TRUE. However in the Code for the function app, I see you are changing the value from true to null, if that is the case, null value is not considered as false here, either value should be true or false.
Would recommend to update the code from null to false and test the provisioning of the user ?
Let me know the results, if you need any help feel free to post back.
-
Anil Mawji 0 Reputation points
2023-12-20T04:54:34.64+00:00 @Givary-MSFT thank you for your response.
The data type of the extension attribute is indeed a boolean.
It seems setting the value to false instead of null did not have an affect on the deprovisioning behaviour (scoping filter still passes). My understanding was that scoping filters are supposed to return false when the value is null / empty (see the "important" note in this page.)
I also tried maintaining the true/null scheme while changing the scoping filter condition to IS NOT NULL instead. Unfortunately this did not see results either, as the scoping filter was still passing after the provisioning interval.
Upon further investigation, it seems there is a known issue where users are not always provisioned after coming back into scope via a group (see "Member of group not provisioned"). Is it possible that the inverse is also true (users are not always deprovisioned when leaving scope of the group)? This theory is consistent with what happens when I restart the provisioning of the app, as my user account is eventually deprovisioned.
I am hoping there is a more practical solution to this, as assuming I am correct, I do not want to have to restart provisioning every time one of my users is removed from the group.
-
Givary-MSFT 35,686 Reputation points Microsoft Employee Moderator
2023-12-20T05:07:24.0866667+00:00 @Anil Mawji Restart provisioning helps to fix this issue ? Forgot to ask that in my above comment.
-
Anil Mawji 0 Reputation points
2023-12-20T05:09:56.4033333+00:00 It is a "fix".... but not a very practical one. Do you have any other ideas before I throw in the towel?
-
Givary-MSFT 35,686 Reputation points Microsoft Employee Moderator
2023-12-20T05:14:16.21+00:00 @Anil Mawji I mean to say workaround. apologies to term it as fix. let me check with my team on this.
-
Anil Mawji 0 Reputation points
2023-12-20T05:25:07.68+00:00 Thank you.
I have even considered using Graph in my script to automatically invoke a restart of the app when users are removed from the group, however restarting provisioning like this creates additional issues with my users on the app-side, unrelated to Azure. Every time the provisioning is restarted, users in my app are forced to re-register their devices which requires manual approval from an admin (apparently this helps maintain zero-trust). Unfortunately it is not a feature that can be disabled.
Sign in to comment
Sign in to answer