
Building SailPoint IdentityNow Azure AD Source Filters

When you have a large Azure AD tenant it is likely that you want to scope your SailPoint IdentityNow Source based on the different types of identities it contains. Using the Filtering and Scoping section of the Azure AD Source Configuration Guide from Compass, I first started constructing queries as I normally would for Azure AD against the Microsoft Graph API.

However, the queries/filters I was using against Microsoft Graph were not working for the Azure AD IdentityNow Source. On aggregation the Source Connector would throw errors such as:

….java.lang.RuntimeException – sailpoint.connector.ConnectorException: Exception occurred. Error message – Exception occurred in processReadRequest. Error – Response Code – 400 Error – Bad Request Property ‘msGraphAADAttribute’ does not exist as a declared property or extension property…..

Following some discussions with the IdentityNow Professional Services team I learned that the IdentityNow Azure AD Source Connector uses the Azure AD v1 Graph API endpoint (Azure AD Graph, graph.windows.net). This is a different API from Microsoft Graph and it uses different property names; for example the on-premises sync flag is dirSyncEnabled in Azure AD Graph but onPremisesSyncEnabled in Microsoft Graph, which is why a Microsoft Graph style filter produces the "does not exist as a declared property" 400 error above.

With this information I was then able to use the Azure Active Directory v1 Graph API Explorer to develop queries that would then work for 'User Filters'. This is extremely quick and useful, and it lets you confirm a filter returns the users you expect before you put it on a Source. For guidance on Azure AD Graph filters, this Microsoft document will get you started.

Configuring Azure AD Source Filters

To configure Source Filters for the IdentityNow Azure AD Source I use PowerShell, as in the many IdentityNow Configuration and Automation posts I have previously written.

SailPoint IdentityNow Authentication

The script snippets below just show the commands to create three different Azure AD Source Filters. A Source takes a single user filter, so if you need all three scopes like me you will need to configure three separate Sources with a different filter on each. In order to utilise these you will need to be authenticated to the SailPoint IdentityNow API. This post details connecting to the SailPoint IdentityNow v3 API endpoint using PowerShell.

Below are three snippets for scoping the Azure AD Source down to specific User Types:

  • AAD Guest Accounts (B2B)
  • AAD Hybrid Accounts (On Premise AD and Azure AD)
  • AAD Cloud Only Accounts

To update a Source you send a POST request to the Update Source API, where yourOrg is your Tenant Org Name and SourceNumber is the number of the Source to update (e.g. 12345). The body is the connector_userFilters attribute with the filter expression as its value. The returned object reflects the Source configuration after the update, so check that connector_userFilters in the response is the filter you sent rather than assuming the request applied.

https://yourOrg.api.identitynow.com/cc/api/source/update/SourceNumber

See the gist on GitHub.
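The following is an added PowerShell example, not the post's own gist, that applies the three filters from this post to three Sources and reads back the result. It assumes you have already obtained an IdentityNow bearer token as described in the authentication post linked above (held here in $accessToken), and the org name, the three Source numbers and the form-encoded body for the /cc/api/source/update endpoint are assumptions for illustration. It also includes a small pre-check that catches the most common cause of the 400 error shown earlier: Microsoft Graph property names used in an Azure AD Graph filter.

```powershell
# Added example; not code from the original post or its gist.
# Assumptions: $accessToken was obtained per the linked v3 API authentication post,
# $orgName and the Source numbers are placeholders, and the update endpoint accepts
# a form-encoded connector_userFilters body (the default encoding Invoke-RestMethod
# uses for a hashtable -Body).

$orgName     = 'yourOrg'                  # IdentityNow tenant org name (assumed)
$accessToken = $env:IDN_ACCESS_TOKEN      # bearer token from your auth step (assumed)

# The three Azure AD Graph (v1) user filters from the post, one per Source.
$filters = [ordered]@{
    'AAD Hybrid Accounts'      = "dirSyncEnabled eq true and userType eq 'member'"
    'AAD Cloud Only Accounts'  = "dirSyncEnabled eq false and userType eq 'member'"
    'AAD Guest (B2B) Accounts' = "userType eq 'guest'"
}

# One Source per filter. Source numbers are assumed placeholders.
$sourceNumbers = @{
    'AAD Hybrid Accounts'      = 12345
    'AAD Cloud Only Accounts'  = 12346
    'AAD Guest (B2B) Accounts' = 12347
}

function Test-AzureADGraphFilter {
    # Warn on Microsoft Graph property names that do not exist in Azure AD Graph.
    # The connector uses Azure AD Graph, so these produce the 400 "does not exist
    # as a declared property" error at aggregation time.
    param([Parameter(Mandatory)][string]$Filter)
    $msGraphOnly = @{
        'onPremisesSyncEnabled' = 'dirSyncEnabled'
        'onPremisesImmutableId' = 'immutableId'
    }
    $ok = $true
    foreach ($name in $msGraphOnly.Keys) {
        if ($Filter -match "\b$name\b") {
            Write-Warning "'$name' is a Microsoft Graph property; Azure AD Graph uses '$($msGraphOnly[$name])'."
            $ok = $false
        }
    }
    return $ok
}

function Set-IdentityNowSourceUserFilter {
    param(
        [Parameter(Mandatory)][string]$Org,
        [Parameter(Mandatory)][int]$SourceNumber,
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string]$Token
    )
    if (-not (Test-AzureADGraphFilter -Filter $Filter)) {
        throw "Filter for Source $SourceNumber uses Microsoft Graph property names; fix it before updating."
    }
    $uri     = "https://$Org.api.identitynow.com/cc/api/source/update/$SourceNumber"
    $headers = @{ Authorization = "Bearer $Token" }
    $body    = @{ connector_userFilters = $Filter }   # the attribute the post updates

    $result = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body

    # Verify what the tenant now holds instead of trusting a 200 response.
    if ($result.connector_userFilters -ne $Filter) {
        throw "Source $SourceNumber still has filter '$($result.connector_userFilters)', expected '$Filter'."
    }
    return $result
}

foreach ($name in $filters.Keys) {
    $r = Set-IdentityNowSourceUserFilter -Org $orgName -SourceNumber $sourceNumbers[$name] `
                                         -Filter $filters[$name] -Token $accessToken
    Write-Output "$name (Source $($sourceNumbers[$name])): $($r.connector_userFilters)"
}
```

Run it once after the authentication step; the read-back check means a Source whose filter did not apply fails loudly here rather than silently aggregating the whole tenant on the next run.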

Hybrid Accounts

The following is the filter for Azure AD Hybrid Accounts (on-premises AD synchronised members), as seen in the tail of the returned object after updating the Source:

dirSyncEnabled eq true and userType eq 'member'

Azure AD Cloud Only Accounts

The following is the filter for Azure AD Cloud Only Accounts (members not synchronised from on-premises AD), as seen in the tail of the returned object after updating the Source:

dirSyncEnabled eq false and userType eq 'member'

Azure AD Guest (B2B) Accounts

The following is the filter for Azure AD Guest (B2B) Accounts, as seen in the tail of the returned object after updating the Source. Note that this one does not test dirSyncEnabled, so it captures guests regardless of whether they are synchronised:

userType eq 'guest'

Summary

Knowing which API the IdentityNow Azure AD Source uses (Azure AD Graph, not Microsoft Graph) allows us to construct filters, test them in the Azure AD Graph Explorer first, and scope the Azure AD Source to the specific users for an implementation.

Darren Robinson

Bespoke learnings from a Microsoft Identity and Access Management Architect using lots of Microsoft Identity Manager, Azure Active Directory, PowerShell, SailPoint IdentityNow and Lithnet products and services.
