Azure AD user provisioning to SalesForce

Milosz Engel 1 Reputation point
2020-06-16T09:17:26.59+00:00

Hey all,
I'm struggling with the following error in Azure AD user provisioning to Salesforce. All was working OK, but suddenly my sync falls under quarantine due to the error below:

This Azure Active Directory service principal has app roles with duplicate attribute values: 8d002630-e7ea-47e0-8118-a23670f76bcf: "Salesforce". The attribute with the duplicate values is displayName. The duplicated value is { Add:"Standard Platform User" (Source) }. The synchronization job cannot proceed until the duplication is remedied. One way of remedying the duplication would be to edit the service principal using the Azure Active Directory Graph or the Microsoft Graph. Both of those Web application programming interfaces are documented on the World Wide Web. If the documentation is insufficient, please file a request for support using the Microsoft Azure Active Directory Graph or the Microsoft Graph via Azure support.

The thing is, I have no idea how I could remove this duplicate in order to fix this issue.


4 answers

  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-06-16T14:50:11.763+00:00

    Hello @miloszengel

    Could you please confirm if you go to Salesforce Application > Users and Groups > +Add User > Select a role, do you see any two roles with "Standard Platform User" name?

    If yes, you need to remove one role by using steps mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management#delete-an-existing-role


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


  2. Miłosz Engel 1 Reputation point
    2020-12-31T08:59:20.487+00:00

    Hello, it's been a while because I was able to fix the issue by editing the app manifest and manually removing duplicates. It was working OK but it started appearing again.
    I can see below roles when editing the user:

    The problem is with Salesforce Profiles translation. I can see these profiles:

    • "Standard Platform User" - disabled
    • "Standardowy użytkownik plaftormy" - Polish translation (active)

    I do not use these profiles, but since it's one of the Salesforce default ones, I can't remove it.

    Now, the problem is that when I go to the app manifest at App Registrations/Salesforce/Manifest, there are no SF roles at all. There is just msiam_access, the Azure default one.
    Yet all SF profiles are available to be selected (well, only active ones, but all are displayed) when adding or editing a user in Azure.


  3. Manibharathy, Rajkumar 1 Reputation point
    2021-05-27T13:52:58.527+00:00

    This helped me fix the issue, high level steps below.

    1. Using Graph, connected to the service principal of the app.
    2. Collected all the existing roles for this app on the Azure end.
    3. Assigned a test user to the new profile and pushed it through provisioning on demand.
    4. Find the profile ID from the Azure provisioning logs and validate the profile ID in Salesforce or any app using SCIM.
    5. From the Graph API, remove the nonexistent role.
    6. Restart the Sync Services.
    7. Issue fixed.
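
The role cleanup described in answers 1 and 3, as an added example that is not part of any poster's answer or Microsoft's own code: it finds app roles that share a `displayName` and builds the two PATCH bodies (disable, then remove) that the linked role-management page describes. The sample JSON, role ids, profile values and function names are constructed assumptions, and the script makes no network calls.

```python
import json
from collections import defaultdict

# Constructed sample shaped like GET /servicePrincipals/{id}; ids are placeholders.
SAMPLE_SP = json.loads("""
{"displayName": "Salesforce", "appRoles": [
  {"id": "00000000-0000-0000-0000-000000000001", "displayName": "msiam_access",
   "value": null, "isEnabled": true, "allowedMemberTypes": ["User"]},
  {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Standard Platform User",
   "value": "placeholder-profile-a", "isEnabled": true, "allowedMemberTypes": ["User"]},
  {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Standard Platform User",
   "value": "placeholder-profile-b", "isEnabled": true, "allowedMemberTypes": ["User"]}
]}
""")


def find_duplicate_roles(sp):
    """Map each displayName used by more than one app role to the role ids."""
    by_name = defaultdict(list)
    for role in sp.get("appRoles", []):
        by_name[role["displayName"]].append(role["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def removal_patches(sp, stale_id):
    """Build the two PATCH bodies that retire one role: disable it, then drop it.

    Each body carries the full appRoles collection, so every role that is
    not being removed (including msiam_access) is preserved.
    """
    roles = sp.get("appRoles", [])
    if not any(r["id"] == stale_id for r in roles):
        raise KeyError(f"no app role with id {stale_id}")
    disabled = [dict(r, isEnabled=False) if r["id"] == stale_id else dict(r) for r in roles]
    remaining = [dict(r) for r in roles if r["id"] != stale_id]
    return {"appRoles": disabled}, {"appRoles": remaining}


if __name__ == "__main__":
    dupes = find_duplicate_roles(SAMPLE_SP)
    print("duplicate displayName values:", json.dumps(dupes, indent=2))
    # Which duplicate is stale has to come from the provisioning logs (step 4 above).
    step1, step2 = removal_patches(SAMPLE_SP, "00000000-0000-0000-0000-000000000003")
    print(json.dumps(step1, indent=2))
    print(json.dumps(step2, indent=2))
```

Before sending either body, confirm no user or group is still assigned to the role being removed, and save the original `appRoles` array so the change can be reverted.
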

  4. Charlie 0 Reputation points
    2024-03-12T19:42:17.9966667+00:00

    I realize this wakes up an old thread, but I am a fan of "if you see something, say something" in case someone else comes along. There is also the bug, W-7656564, referred to in this article: TrailBlazer site

    Have a great day.

    Charlie
