Why does OIM provision assignments on AADGroup.OnPremisesSyncEnabled = true?

I've just seen the following behavior:

I have set a person to isInActive, so it loses all the assigned groups on AD and AAD accounts.

On the AAD account there are some cloud-only groups and some hybrid groups (coming from on-prem AD) assigned.

So it makes sense that the cloud-only groups are removed from the AAD account.

But the hybrid groups (AADGroup.OnPremisesSyncEnabled = true) are managed over on-prem AD and AAD Connect. So there shouldn't be any provisioning directly to AAD.

Now I'm wondering how I should handle this situation.

- Should I prevent AADUserInGroup from being deleted at all, if it is not the "Synchronization" user performing that action?

- Should I do some special SyncProject configuration? (having a schema on the OIM side that excludes the hybrid groups, ...)

- Any other approach?

I consider this problem a quite common one, and I'm surprised that OIM is trying to maintain members for hybrid groups at all, since this would never be successful.

  • I also have this issue and I solved it by adding this to the generating condition on the process AAD_Group_Insert/Update/Delete:

    $OnPremisesSyncEnabled:Bool$.Equals(False)

  • Exactly that was an option I was considering as well.
    But isn't there a problem that the entries in DPRMembershipAction are generated and these entries are preventing the sync from doing updates on the memberships of the corresponding groups? (I think it will generate an error in the sync protocol mentioning that it couldn't be updated due to outstanding membership actions.)

    Or does it work perfectly?

  • I don't have any frozen processes, there are no errors in the AAD Connect-sync, but I have 28 objects in DPRMembershipAction.

    What is the purpose of DPRMembershipAction anyway?

    To me it looks like it works perfectly..

  • As far as I understand the DPRMembershipAction collects all the Actions (assign/remove) to be executed for a group.
    So if a Membership is removed there will be a corresponding entry in that table.

    AAD_Group_Insert/Update/Delete will process exactly these entries when executed. So preventing the execution will not remove the entries.

    I've just done a test with adding $OnPremisesSyncEnabled:Bool$.Equals(False) to the generating condition.
    Setting the person to inactive has finally created some entries in DPRMembershipAction for AADUserInGroup.
    The process AAD_Group_Insert/Update/Delete didn't start.

    But in the sync protocol I can see the following:

    Synchronization log messages
    Message context: Locked objects

    Type         Message
    Information  The object (xxx) of type (AADGroup) was ignored during synchronization.
                 Reason: The object has pending M:N provisioning tasks.
    Information  The object (yyyy) of type (AADGroup) was ignored during synchronization.
                 Reason: The object has pending M:N provisioning tasks.
    Information  The object (zzz) of type (AADGroup) was ignored during synchronization.
                 Reason: The object has pending M:N provisioning tasks.

    So, the memberships for hybrid groups aren't updated in the identity manager DB.

    Therefore I think I have to prevent creating entries in DPRMembershipAction, or delete the unwanted entries before doing the provisioning in the process AAD_Group_Insert/Update/Delete.

    Or just prevent deleting AADUserInGroup entries for hybrid groups at all, except for the Synchronization User.

  • Hi,

    So assuming you have 'merge mode' enabled ..... in Manager ..... in the Data Synchronization section .... expand Basic configuration data and select Target system types ...... then from the result set choose Azure Active Directory.  Under Tasks click Configure tables for publishing.  In the right hand pane you can edit the Condition to exclude the objects that are causing your issue.

    By doing this, the entries won't appear in DPRMemberShipAction.

    HTH, Barry.
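    The two approaches discussed in this thread differ in where the hybrid-group filter takes effect: a filter in the process generating condition leaves the entries in DPRMembershipAction (so the target-system sync skips those groups as having pending M:N tasks), while a filter in the publishing-table condition keeps the entries from being created in the first place. The following Python model is an added example, not One Identity Manager code; it assumes the behaviour exactly as described in the posts above (a pending membership action blocks sync of that group) and uses a constructed tenant of two cloud-only and two hybrid groups.

```python
# Added example (not One Identity Manager code): a constructed model of the two
# places where a hybrid-group filter can be applied in the membership pipeline.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AADGroup:
    uid: str
    on_premises_sync_enabled: bool   # True = hybrid group mastered by on-prem AD


@dataclass(frozen=True)
class MembershipAction:
    group_uid: str
    user_uid: str
    action: str                      # "remove" or "assign"


@dataclass
class Pipeline:
    """Models DPRMembershipAction -> AAD_Group_Insert/Update/Delete -> target sync."""
    groups: dict                     # uid -> AADGroup
    # Filter in the process generating condition ($OnPremisesSyncEnabled:Bool$.Equals(False)):
    # the membership action is still recorded, only the provisioning process is not generated.
    filter_in_process: bool = False
    # Filter in the publishing-table condition ("merge mode"): the action is never recorded.
    filter_in_publish: bool = False
    pending: list = field(default_factory=list)      # stands in for DPRMembershipAction
    provisioned: list = field(default_factory=list)  # actions pushed straight to AAD

    def deactivate_person(self, user_uid: str) -> None:
        """Person set inactive: every group membership of the account is removed."""
        for g in self.groups.values():
            if self.filter_in_publish and g.on_premises_sync_enabled:
                continue                     # not published, so no pending entry is written
            self.pending.append(MembershipAction(g.uid, user_uid, "remove"))

    def run_provisioning(self) -> None:
        """AAD_Group_Insert/Update/Delete processes pending entries, unless the
        generating condition suppresses the process for hybrid groups."""
        kept = []
        for a in self.pending:
            if self.filter_in_process and self.groups[a.group_uid].on_premises_sync_enabled:
                kept.append(a)               # process not generated: the entry stays pending
            else:
                self.provisioned.append(a)
        self.pending = kept

    def sync_skipped_groups(self) -> list:
        """Groups a target-system sync would ignore: those with pending M:N tasks."""
        return sorted({a.group_uid for a in self.pending})


def simulate(filter_in_process: bool = False, filter_in_publish: bool = False) -> dict:
    # Constructed sample tenant: two cloud-only groups, two hybrid groups.
    groups = {
        "cloud-a": AADGroup("cloud-a", False),
        "cloud-b": AADGroup("cloud-b", False),
        "hybrid-x": AADGroup("hybrid-x", True),
        "hybrid-y": AADGroup("hybrid-y", True),
    }
    p = Pipeline(groups, filter_in_process, filter_in_publish)
    p.deactivate_person("user-1")
    p.run_provisioning()
    return {
        # removals that went directly to AAD for groups mastered on-prem (the OP's complaint)
        "direct_hybrid_removals": sum(
            1 for a in p.provisioned if groups[a.group_uid].on_premises_sync_enabled),
        # groups the next sync would ignore because of pending entries
        "skipped_by_sync": p.sync_skipped_groups(),
    }


if __name__ == "__main__":
    for name, kw in [("no filter", {}),
                     ("generating condition", {"filter_in_process": True}),
                     ("publishing table condition", {"filter_in_publish": True})]:
        print(f"{name:28} {simulate(**kw)}")
```

    Running it shows the three outcomes side by side: with no filter the hybrid removals are provisioned directly to AAD; with the generating-condition filter nothing is provisioned but both hybrid groups are skipped by the sync; with the publishing-table filter nothing is provisioned and nothing is skipped.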

  • Where do I find Merge Mode?

    EDIT: Found it..

  • Cool, that helps.


    I didn't know that feature at all.

  • Hi Barry,

    Doing what you described will also not insert/remove a record in AADUserInGroup?

  • Hi Rodney,

    The insert/remove to those tables will still happen.  What I have described simply inhibits the provisioning.

    Cheers, B.

  • Okay in that case we still need VPR#34448 (I have no access to see what it entails) which I hope will make sure that:

    • Block these actions in the UI.
    • Process wise block editing of objects that are synced from the on premise AD.
    • Block editing actions on Azure AD objects that are solely managed by Azure AD like dynamic membership groups etc.
    • Make sure that the relevant tables (AADUser, AADGroup, AADUserInGroup) are consistent and do not need a target system synchronization to get to a consistent state.

    This issue exists already for years without publicly visible progress, I will keep on playing DJ and click end with error in the job queue info tool.
