How to fix role assignment when enabling user provisioning using AssertiveAppRoleAssignmentsComplex

Jochen François 6 Reputation points
2024-08-14T14:43:57.7833333+00:00

Issue Summary: I am attempting to customize user provisioning attribute mapping for my SAAS platform within Microsoft Entra ID. Specifically, I am working with the attribute named "roles."

Details: To ensure that roles are accurately removed from the target system when they are not assigned to a user in Entra ID, I have utilized AssertiveAppRoleAssignmentsComplex. However, I am encountering an issue where Patch "add" requests are being generated, which result in roles being added rather than replacing the existing ones.

Assumed Cause: It seems that during the user provisioning process, something goes wrong when fetching the user data. This might prevent the system from correctly deriving the "role" attribute, which then causes the system to add a new role instead of updating the existing one. However, I checked the response of my scim server and it return the roles property (also available on the screenshot).

Observed Behavior: When I initiate provisioning, the system produces inconsistent results regarding the "role" value. In the screenshots you can see that the target value is defined, and at the end its no longer defined.

SCIM GET Response Body for the provisioned user

{
  "meta": {
    "created": "2024-08-14T14:00:26.634Z",
    "resourceType": "User",
    "lastModified": "2024-08-14T14:00:26.634Z"
  },
  "userName": "user@example.com",
  "addresses": [
  ],
  "phoneNumbers": [
  ],
  "name": {
    "formatted": "FirstName LastName",
    "familyName": "LastName",
    "givenName": "FirstName"
  },
  "displayName": "FirstName LastName - Company",
  "active": true,
  "roles": [
    {
      "value": "RoleName",
      "displayName": "RoleName",
      "id": "role-id"
    },
    {
      "value": "{\"id\":\"role-id\",\"value\":\"RoleName\",\"displayName\":\"RoleName\"}"
    }
  ],
  "externalId": "user-id",
  "emails": [
    {
      "type": "work",
      "value": "user@example.com",
      "primary": true
    }
  ],
  "preferredLanguage": "en-US",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "id": "anonymized-id",
  "title": "Job Title"
}

Scherm­afbeelding 2024-08-14 om 16.49.29

Scherm­afbeelding 2024-08-14 om 16.49.06

Scherm­afbeelding 2024-08-14 om 16.35.56

Scherm­afbeelding 2024-08-14 om 16.37.14

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,801 questions
{count} vote

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.