Why does OIM provision assignements on AADGroup.OnPremisesSyncEnabled = true?

I've just seen the following behavior:

I have set a person to isInActive, so it looses all the assigned groups on AD and AAD Accounts.

On the AAD Account there are some cloud only groups and some hybrid groups (coming from on prem AD) assigned.

So, it makes sense, that the cloud only groups are removed from the AAD account.

But the hybrid Groups (AADGroup.OnPremisesSyncEnabled = true) are managed over on prem AD and AAD Connect. So there shouldn't be any provisioning directly to AAD.

Now I'm wondering how I should handle this situation.

- Should I prevent that AADUserInGroup could be deleted at all, if it is not the "Synchronization" User performing that action?

- Should I do some special SyncProject Configuration? (having a schema on OIM side, that excludes that hybrid groups, ...)

- Any other approach?

I consider this problem as a quite common one, and I'm wondering that OIM is trying to maintain members for hybrid groups at all, since this would be never successful .

Top Replies

+1 Markus Weiss-Ehlers over 2 years ago

We have created backlog entry VPR#34448 for this issue. But I am unable to tell how long a fix or improvement is taking.
Cancel
Up +1 Down

Reply

Verify Answer

Reject Answer

Cancel
0 henrik a johansson over 2 years ago
I also have this issue and I solved it by adding this to the generating condition on the process AAD_Group_Insert/Update/Delete:

$OnPremisesSyncEnabled:Bool$.Equals(False)
Cancel
Up +1 Down

Reply

Verify Answer

Reject Answer

Cancel
0 prueegg over 2 years ago in reply to Markus Weiss-Ehlers

Thanks.
So I wasn't totally wrong with my assumption that there should be an improvement on the product side.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 prueegg over 2 years ago in reply to henrik a johansson

Exactly that was an option I was considering as well.
But isn't there a problem, that the entries in DPRMembershipAction are generated and these entries are preventing the sync from doing updates on the memberships on the corresponding groups? (I thing it will generate an error in the sync protocol mentioning that it couldn't be update to to outstanding membership actions)

Or does it work perfect?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 henrik a johansson over 2 years ago in reply to prueegg

I don't have any frozen processes, there are no errors in the AAD Connect-sync, but I have 28 objects in DPRMembershipAction.

What is the purpose of DPRMembershipAction anyway?

To me it looks like it works perfectly..
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

0 prueegg over 2 years ago in reply to henrik a johansson

As far as I understand the DPRMembershipAction collects all the Actions (assign/remove) to be executed for a group.
So if a Membership is removed there will be a corresponding entry in that table.

AAD_Group_Insert/Update/Delete will process exactly these entries when executed. So preventing the execution, will not remove the entries.

I've just done a test with adding $OnPremisesSyncEnabled:Bool$.Equals(False) to gen generating condition.
Setting the person to inactive has finally created some entries im DPRMemberShip Action für AADUserInGroup.
The process AAD_Group_Insert/Update/Delete didn't start.

But in the sync protocol I can see the following:

Synchronization log messages

Message context: Locked objects

	Type	Message
	Information	The object (xxx) of type (AADGroup) was ignored during synchronization. Reason: The object has pending M:N provisioning tasks.

	Information	The object (yyyy) of type (AADGroup) was ignored during synchronization. Reason: The object has pending M:N provisioning tasks.

	Information	The object (zzz) of type (AADGroup) was ignored during synchronization. Reason: The object has pending M:N provisioning tasks.

So, the memberships for hybrid groups aren't updated in the identity manager DB.

Therefore I think, I have to prevent creating entries in DPRMembershipAction, or before doing the provisioning in the process AAD_Group_Insert/Update/Delete delete the unwanted entries.

Or just prevent deleting AADUserInGroup entries for hybrid groups at all, except for the Synchronization User.

+1 Barry Jackson over 2 years ago in reply to prueegg

Hi,

So assuming you have 'merge mode' enabled ..... in Manager ..... in the Data Synchronization section .... expand Basic configuration data and select Target system types ...... then from the result set choose Azure Active Directory. Under Tasks click Configure tables for publishing. In the right hand pane you can edit the Condition to exclude the objects that are causing your issue.

By doing this, the entries won't appear in DPRMemberShipAction.

HTH, Barry.
Cancel
Up +1 Down

Reply

Verify Answer

Reject Answer

Cancel
0 henrik a johansson over 2 years ago in reply to Barry Jackson

Where do I find Merge Mode?

EDIT: Found it..
Cancel
Up +1 Down

Reply

Verify Answer

Cancel
0 prueegg over 2 years ago in reply to Barry Jackson

Cool, that helps.

I didn't know that feature at all.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 rodney rosenda_85972 over 2 years ago in reply to Barry Jackson

Hi Barry,

Doing what you described will also not insert/remove a record in AADUserInGroup?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Endpoint Privilege Management

Why does OIM provision assignements on AADGroup.OnPremisesSyncEnabled = true?

Top Replies