This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 89%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
I just completed refreshing a Salesforce Sandbox and set up SSO with a new certificate, etc.
I wanted to test provisioning to ensure SSO appears correctly with just one user so I used Provision On Demand.
I received the error code:
Error code
MultipleGrantsNotSupported
Error message
An error occurred while evaluating this function: 'ProfileName = SingleAppRoleAssignment(source: appRoleAssignments).'
But also received the following success messages:
Import user
Successfully imported user
View details
Determine if user is in scope
User is in scope
View details
Match user between source and target system
Successfully matched user
View details
I reviewed the provision on demand documentation but I am not sure if I am missing something that is obvious.
Thanks for any help
A cloud-based identity and access management service for securing user authentication and resource access
Update, I was able to start the provisioning and all were successfully provisioned except for 14 that are in an admin group. Any ideas? The error is still the same. Thanks.
Answer accepted by question author
Do these users have more than one role assigned? The SingleAppRoleAssignment function can only pass one role (or Profile, in Salesforce's case) from AAD -> app. I believe the error you're seeing about multiple grants not supported means that more than one AAD appRole is assigned to each user generating that error.